Data Protection and CCTV

 

 

The use of CCTV systems has greatly expanded in recent years. So has the sophistication of such systems. Systems now on the market have the capacity to recognise faces. They may also be capable of recording both images and sounds.

The expanded use of CCTV systems has society-wide implications. Unless such systems are used with proper care and consideration, they can give rise to concern that the individual’s “private space” is being unreasonably invaded.

Recognisable images captured by CCTV systems are personal data“. They are therefore subject to the provisions of the Data Protection Acts. A data controller needs to be able to justify the obtaining and use of personal data by means of a CCTV system. A system used to control the perimeter of a building for security purposes will usually be easy to justify. The use of CCTV systems in other circumstances – for example, to constantly monitor employees, customers or students – can be more difficult to justify and could involve a breach of the Data Protection Acts

 

Proportionality – is a CCTV system justified?

Section 2(1)(c)(iii) of the Acts require that data are “adequate, relevant and not excessive” for the purpose for which they are collected. This means that an organisation must be able to demonstrate that the serious step involved in installing a system that collects personal data on a continuous basis is justified. Before proceeding with such a system, it should also be certain that it can meet its obligations to provide data subjects, on request, with copies of images captured by the system.

Proportionality – what will the system be used for?

If a data controller is satisfied that it can justify installing a CCTV system, it must consider what it will be used for and if these uses are reasonable in the circumstances.

Security of premises or other property is probably the most common use of a CCTV system. Such a system will typically be intended to capture images of intruders or of individuals damaging property or removing goods without authorisation. Such uses are more likely to meet the test of proportionality.

Other uses may fail the test of proportionality. For example, using a CCTV system to constantly monitor employees is highly intrusive and would need to be justified by reference to special circumstances. If the monitoring is for health and safety reasons, a data controller would need to demonstrate that the installation of CCTV was proportionate in addressing health and safety issues that had arisen prior to the installation of the system.

 

Proportionality – what images will be captured?

The location of cameras is a key consideration. Use of CCTV to monitor areas where individuals would have a reasonable expectation of privacy would be difficult to justify. Toilets and rest rooms are an obvious example. To justify use in such an area, a data controller would have to demonstrate that a pattern of security breaches had occurred in the area prior to the installation of the system such as would warrant constant electronic surveillance. Where such use can be justified, the CCTV cameras should never be capable of capturing images from cubicles or urinal areas.

Cameras placed so as to record external areas should be positioned in such a way as to prevent or minimise recording of passers-by or of another person’s private property.

Proportionality – Recommendations

Under this principle, this Office would expect that a data controller would have carried out detailed assessments as to how the use of such equipment meets with these requirements and would have the following steps carried out and documented:

  • A Risk Assessment
  • A Privacy Impact Assessment
  • A  Specific Data Protection policy drawn up for use of the devices in a limited and defined set of circumstances only (this policy should include documented data retention and disposal policy for the footage)
  • Documentary evidence of previous incidents giving rise to security/health and safety concerns
  • Clear signage indicating image recording in operation.

 

 

Transparency

Section 2D of the Acts requires that certain essential information is supplied to a data subject before any personal data are recorded.

A written CCTV policy must be in place and should include the following information;

  • the identity of the data controller;
  • the purposes for which data are processed;
  • any third parties to whom the data may be supplied.
  • How to make an access request (see “Access Requests” section below)
  • Retention period for CCTV (see “Storage and Retention” section below)
  • Security arrangements for CCTV (see “Storage and Retention” section below)

Notification of CCTV usage can usually be achieved by placing easily- read and well-lit signs in prominent positions. A sign at all entrances will normally suffice. 

 

If the identity of the data controller and the usual purpose for processing – security – is obvious, all that need be placed on the sign is a statement that CCTV is in operation as well as a contact (such as a phone number) for persons wishing to discuss this processing. This contact can be for either the security company operating the cameras or the owner of the premises.

If the purpose or purposes is not obvious, there is a duty on the data controller to make this clear. A CCTV camera in a premises is often assumed to be used for security purposes. Use for monitoring staff performance or conduct is not an obvious purpose and staff must be informed before any data are recorded for this purpose. Similarly, if the purpose of CCTV is also for health and safety reasons, this should be clearly stated and made known.

Storage and retention.

Section 2(1)(c)(iv) of the Data Protection Acts states that data “shall not be kept for longer than is necessary for” the purposes for which they were obtained. A data controller needs to be able to justify this retention period. For a normal security system, it would be difficult to justify retention beyond a month, except where the images identify an issue – such as a break-in or theft – and is retained specifically in the context of an investigation of that issue.

The storage medium should be stored in a secure environment with a log of access kept. Access should be restricted to authorised personnel.

 

Supply of CCTV Images to An Garda Síochána

With regard to requests from An Garda Síochána to download footage, the ODPC recommends that requests for copies of CCTV footage should only be acceded to where a formal written (or fax) request is provided to the data controller stating that An Garda Síochána is investigating a criminal matter. For practical purposes, and to expedite a request speedily in urgent situations, a verbal request may be sufficient to allow for the release of the footage sought. However, any such verbal request must be followed up with a formal written request. It is recommended that a log of all An Garda Síochána requests is maintained by data controllers and processors.

As outlined in the audit report of An Garda Síochána conducted by the Office of the Data Protection Commissioner

 

“The Office considers that, given that CCTV is obtained using a specific permissive clause of the Acts, requests for downloads of CCTV footage made by An Garda Síochána to third parties should be followed up in writing at all times. Any such requests should be on An Garda Síochána headed paper, quote the details of the CCTV footage required and should also cite the legal basis for the request i.e. Section 8(b) of the Acts. ” (p.76)

 

There is a distinction between a request by An Garda Síochána to view CCTV footage and to download copies of CCTV footage. In general, An Garda Síochána making a request to simply view footage on the premises of a data controller or processor would not raise any specific concerns from a data protection perspective.

 

Access Requests

Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage. To exercise that right, a person must make an application in writing. The data controller may charge up to €6.35 for responding to such a request and must respond within 40 days.

When making an access request for CCTV footage, the requester should provide the data controller with a reasonable indication of the timeframe of the recording being sought – i.e. they should provide details of the approximate time and the specific date(s) on which their image was recorded. For example, it would not suffice for a requester to make a very general request saying that they want a copy of all CCTV footage held on them. Instead, it is necessary to specify that they are seeking a copy of all CCTV footage in relation to them which was recorded on a specific date between certain hours at a named location. Obviously, if the recording no longer exists on the date on which the data controller receives the access request, it will not be possible to get access to a copy. Requesters should be aware that CCTV footage is usually deleted within one month of being recorded.

For the data controller’s part, the obligation in responding to the access request is to provide a copy of the requester’s personal information. This normally involves providing a copy of the footage in video format. In circumstances where the footage is technically incapable of being copied to another device, or in other exceptional circumstances, it is acceptable to provide stills as an alternative to video footage. Where stills are supplied, it would be necessary to supply a still for every second of the recording in which the requester’s image appears in order to comply with the obligation to supply a copy of all personal data held.

Where images of parties other than the requesting data subject appear on the CCTV footage the onus lies on the data controller to pixelate or otherwise redact or darken out the images of those other parties before supplying a copy of the footage or stills from the footage to the requestor. Alternatively, the data controller may seek the consent of those other parties whose images appear in the footage to release an unedited copy containing their images to the requester

Where a data controller chooses to use technology to process personal data, such as a CCTV system to capture and record images of living individuals, they are obliged to shoulder the data protection obligations which the law places on them for such data processing. In the matter of access requests for CCTV footage, data controllers are obliged to comply fully with such requests. Claims by a data controller that they are unable to produce copies of footage or that stills cannot be produced from the footage are unacceptable excuses in the context of dealing with an access request. In short, where a data controller uses a CCTV system to process personal data, its takes on and is obliged to comply with all associated data protection obligations.

 

Covert surveillance.

The use of recording mechanisms to obtain data without an individual’s knowledge is generally unlawful. Covert surveillance is normally only permitted on a case by case basis where the data are kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This provision automatically implies that a written specific policy be put in place detailing the purpose, justification, procedure, measures and safeguards that will be implemented with the final objective being, an actual involvement of An Garda Síochána or other prosecution authorities for potential criminal investigation or civil legal proceedings being issued, arising as a consequence of an alleged committal of a criminal offence(s).

Covert surveillance must be focused and of short duration. Only specific (and relevant) individuals/locations should be recorded. If no evidence is obtained within a reasonable period, the surveillance should cease.

If the surveillance is intended to prevent crime, overt cameras may be considered to be a more appropriate measure, and less invasive of individual privacy.

Responsibilities of security companies.

Security companies that place and operate cameras on behalf of clients are considered to be “Data Processors”. As data processors, they operate under the instruction of data controllers (their clients). Sections 2(2) and 2C of the Data Protection Acts place a number of obligations on data processors.

These include having appropriate security measures in place to prevent unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all unlawful forms of processing. This obligation can be met by having appropriate access controls to image storage or having robust encryption where remote access to live recording is permitted.

Staff of the security company must be made aware of their obligations relating to the security of data.

Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place and what verification procedures may apply.

Furthermore, section 16 of the Data Protection Acts 1988 & 2003 requires that certain data processors must have an entry in the public register maintained by the Data Protection Commissioner. For further information, please refer to our Guidance notes on Registration. Those parties who are required to be registered and process data whilst not registered are committing a criminal offence and may face prosecution by this office. (This provision may only apply where the data controller can identify the persons whose images are captured.) 

 

Domestic use of CCTV systems.

The processing of personal data kept by an individual and concerned solely with the management of his/her personal, family or household affairs or kept by an individual for recreational purposes is exempt from the provisions of the Acts. This exemption would generally apply to the use of CCTVs in a domestic environment. However, the exemption may not apply if the occupant works from home. [ Where the exemption does apply, a person who objects to the use of a CCTV system – for example, a neighbour who objects to images of her/his property being recorded – may be able to take a civil legal action based on the Constitutional and Common Law right to privacy.] It should be noted that recording of a public space, even partially, or when recording is directed outwards from the private setting, it may not be regarded as a ‘personal or household’ activity for the purposes of the Data Protection Acts, and this may have immediate and particular interest to drone operators and data controllers.

Reference: ECJ Ruling on household exemption  C-212/13 – Ryneš

 

Community CCTV Schemes

Section 38 of the Garda Síochána Act 2005, provides for the installation of CCTV systems for public security purposes under the authority of the Garda Commissioner.

 

Some Case Studies relevant to this topic:

The following Case Studies, which have appeared in Annual reports of the Data Protection Commissioner over recent years, may be of some interest. Click on the Case Study details to see the full text.

CASE STUDY 3/07– Inappropriate use of CCTV footage by Leisure Club
CASE STUDY 6/07– Data Controller breaches Data Protection Law in regard to covert use of CCTV footage
CASE STUDY 11/06– Failure to comply with an Access Request for CCTV footage
CASE STUDY 8/05– CCTV cameras on the Luas line

 

source https://www.dataprotection.ie/docs/Data-Protection-CCTV/m/242.htm

Chief Fire Officer calls for more resources to carry out fire safety inspections, in wake of Grenfell tragedy

 

Dublin’s Chief Fire Officer has called for more resources for local authorities to carry out fire safety inspections, in wake of the Grenfell tower tragedy in London.

Patrick Fleming said that the resources are needed to prevent such tragedies that left 79 people dead.

Lord Mayor Mícheál Mac Donncha welcomed the call saying that on-site inspections are needed.

“The Grenfell tragedy in London has again highlighted the need for absolute vigilance in fire prevention and fire safety. I welcome the call by Chief Fire Officer Patrick Fleming for more resources for local authorities to carry out building control inspections.”

He added that the current system was introduced in the wake of the evacuation of the Priory Hall apartment complex.

“That near tragedy showed the failure of the self-certification system. While new regulations have seen some improvement this problem will become more acute as building and development continues.

“In this regard I welcome the fact that plans are being implemented in Dublin City Council to introduce a system of onsite inspections during construction for fire safety issues (Part B of the Building Regulations)”.

Earlier this week, calls were made to remove Grenfell Tower- type cladding from the headquarters of Cork County Council.

Independent.ie understands that Cork County councillors were emailed to notify them that the cladding was installed around the exterior of the second floor of County Hall, the floor that contains the main council chamber.

However, they were assured that the cladding currently imposes no increased risk of danger.

In an email seen by Independent.ie, councillors were told “the Council’s Facilities Manager and Chief Fire Officer have reviewed the matter and having regard to the limited extent of the use of the panel, the nature of the use of the building and the fire safety measures installed, the use of the panelling meets all fire safety requirements and does not pose any increased risk to the users of the building.”

Cork County Council has since commissioned a report investigating the nature of its installation, and says further action will be taken should the investigation raise any concerns.

The cladding was installed during a €62m refurbishment of the 17-storey County Hall which was finished in 2006.

Despite reassurances from the council, Fine Gael councillor Derry Canty says that the cladding should still be removed as soon as possible.

“I think the best thing for everybody is to remove it,” Cllr. Canty said.

“If it’s there, it’s left there and everyone is just worrying about it.

“We’re only in there for meetings but you have staff sitting in there all day. I believe this should be done post-haste, let’s get on with it.”

However, one Independent councillor, Marcia D’Alton, said she has no concerns about continuing to meet in the building, insisting that she has confidence in the fire safety measures being taken.

“Honestly, I’ve don’t have any concerns. We have been ensured the building has been incredibly well kitted out with sprinklers and the necessary fire precautions,” Cllr. D’Alton said.

“I know the extent to which the building has been electronically modified. It is an incredibly well finished building so I genuinely believe the council when they say the precautions being made are adequate.”

Cork County Council says it currently has a number of comprehensive fire safety measures installed, including sprinkler protection, automatic smoke ventilation, detection and an electronic alarm system.

Source – http://www.independent.ie/irish-news/chief-fire-officer-calls-for-more-resources-to-carry-out-fire-safety-inspections-in-wake-of-grenfell-tragedy-35875284.html

 

Dublin’s chief fire officer says more resources needed to carry out inspections

 

DUBLIN FIRE BRIGADE’S Chief Fire Officer has said that local authorities are best placed to carry out building control inspections in the wake of the Grenfell fire but resources aren’t available to do it.

Speaking to RTÉ’s Morning Ireland, Patrick Fleming said local authorities need more resources to carry out the inspections:

Well I think every local authority has a building control section, and fire services as well, and the local authority system is probably the best situated service in order to provide that.

“However it does need the resources to do that and that is where there may be some issues,” he concluded.

Responding to Fleming’s point on the same programme the Minister for Housing Eoghan Murphy outlined his department’s reaction to the deadly London blaze, which claimed at least 79 lives earlier this month.

“The first responsibility that I think we have here is to ensure that there are fire safety measures in place in all multi-storey buildings.

“We moved very quickly to liaise with the building control authorities, to liaise with the fire authorities to ensure that they were doing this inspection work.

“By the 19th of July we’ll have reports back from the local authorities on their inspection of multi-storey units.

“By that point as well all local authorities will have inspected cladding on buildings over 18 metres.

These are important first steps that we need to take to make sure that people are safe where they live.

Fire safety 

Murphy confirmed in a statement earlier this morning that he had ordered the coordination of a high-level task force to lead the re-appraisal of fire safety in Ireland.

The Minister has ordered a series of measures to be completed by the task force in the weeks ahead to ensure that all available precautionary measures are taken to prevent a similar fire happening here.

“While preliminary work shows that there are no situations in Ireland directly comparable to Grenfell Tower,” Murphy said, “We must learn the lessons and take appropriate and balanced action to minimise the possibility of a large-scale fire occurring in Ireland.”

Taking action

The National Directorate for Fire and Emergency Management is charged with coordinating the task force.

This body reported on the national audit of fire safety in Traveller accommodation in the wake of the Carrickmines fire in 2015, which killed five adults, five children and one unborn baby.

The directorate will work with building standards and social housing divisions at the Housing Department, in addition to the chief fire officer in Dublin.

A review of how each local authority’s fire service is prepared to deal with a large-scale incident is underway.

Landlords are also being notified of their obligations in terms of fire safety requirements.

Further measures

As well as the measures already taken, Murphy has ordered a number of other steps to be taken in the weeks ahead to ensure the country is doing everything it can to avoid a similar fire here.

These include the publication of a guide on undertaking fire safety assessments and a renewed focus on the preparedness of local authorities for a large-scale emergency.

Murphy will also update his cabinet colleagues on the post-Grenfell situation in Ireland, and meet with local authority chief fire officers in the coming weeks to review current plans for fire safety initiatives.

He closed the statement outlining the measures by urging every householder in Ireland to “ensure that the most effective and straightforward measure for safeguarding families from fire – smoke alarms – are installed and fully functional in every home and are tested regularly”.

“Systematic re-check”

Last week, Leo Varadkar’s government lost its first vote since he became Taoiseach, when a Green Party motion on building standards – made more pertinent by the Grenfell blaze – passed through the Dáil.

Yesterday, calls were made to extend fire safety checks beyond multi-floor social housing units following the discovery that the same cladding used in Grenfell Tower was used in the headquarters of Cork County Council.

The council confirmed that a similar aluminium material used in Grenfell Tower is currently installed around the exterior of the council chamber within the main foyer of the building.

The cladding was installed during a €62 million refurbishment of the Council Hall which was completed in 2006.

Reacting to the news, Green Party deputy leader Catherine Martin TD said that Minister Murphy “must order a systematic re-check of fire safety in buildings”.

“It’s extremely worrying that the flammable cladding, believed to have contributed to the spread of the awful fire in Grenfell Tower, was installed here in Ireland,” she said.

Independent TD Tommy Broughan also raised worries that the unsafe cladding used in the UK may have been used here too.

He said: “The same restrictions apply in Ireland that you can’t use non-compliant material yet it has been used in the UK and we need to know now if it has also been used in Ireland.”

Source – http://www.thejournal.ie/grenfell-tower-ireland-3466980-Jun2017/?utm_source=shortlink

 

Police say death toll in Grenfell Tower fire ‘around 80 people’

 

The death toll from the Grenfell Tower fire is believed to be around 80 people, the vast majority of whom were from just 23 flats, British police have said.

Metropolitan Police Detective Superintendent Fiona McCormack said contact had been made with at least one person from 106 of the 129 flats in the building.

From those flats, 18 people are dead or assumed dead, while the remaining victims were thought to have been in the flats which had not been heard from.

Ms McCormack confirmed more than 60 organisations were helping police with their investigation.

Efforts to establish who was missing in the wake of the fire were focused on talking to friends, families and neighbours of those in Grenfell Tower, Ms McCormack said.

She said: “On the first day of our work we were provided with a list by the tenant management organisation of who they had recorded living at Grenfell Tower.

“We quickly identified by the end of the first day that this list was not accurate.”

She added: “What we know is that it would be impossible for anyone to produce a list to show exactly who was at Grenfell Tower that night, that includes the people who were living there or who were visiting.”

The 23 flats which were said to have no survivors were spread between the 11th floor and the 23rd.

A handful of flats were still too unstable for police to carry out further investigation, she said.

Police have examined “every imaginable source” of information about who was in the building, “from government agencies to fast food companies”, Ms McCormack added.

She said that a couple who were missing and assumed dead had actually been on holiday at the time of the blaze.

Councils warned about cladding weeks before London fire

Every London council was warned by Britain’s fire service that cladding on high-rise buildings could be dangerous just weeks before the tragedy.

In a letter sent to all 33 local authorities and housing providers in the capital in May, the London Fire Brigade urged them to consider if panels could be flammable.

The safety advice came in the wake of a fire at Shepherd’s Court in Hammersmith, west London, in August 2016, where cladding was found to have aided its spread.

The letter said: “In the case of this fire, we believe such panels were a contributory factor to the external fire spread.”

Flammable cladding is suspected to have accelerated the scale of the west London blaze on 14 June.

In the correspondence, a “number of cases” were said to be found where fire protection on external facades “did not comply” with building regulations.

 

 

The disclosure comes as British Prime Minister Theresa May confirmed 120 tower blocks have failed fire safety tests and face having their cladding removed.

Suggestions were made in the letter, signed by assistant commissioner Dan Daly, that contractors might have believed wrongly that separate safety certificates for glazing also extended to cladding.

The letter said: “In the light of fires that have occurred, I would urge you to consider carefully your arrangements for specifying, monitoring and approving all aspects of future replacement and improvement to building facades and construction of new buildings for which you are responsible.

“Contracts for the provision and installation of replacement elements of building facades, including insulation, replacement double glazing and associated spandrel and in-fill panels must ensure compliance with all parts of Part B if they are to secure public safety and minimise fire losses.

“I would therefore strongly urge that you consider this issue as part of the risk assessment process for premises under your control.

“I suggest that you make sure all relevant information about any replacement window and facade schemes is fully available to fire risk assessors.

“Where no reliable information is available for a given property, it is our general expectation that a strategy to assess the risk and where necessary implement short, medium and long term actions to address the risk.

“This assessment will need to take account of other fire safety measures already in place in the building as well as potential mitigation measures to ensure that any potential fire spread does not pose a risk to health and safety.”

The Royal Borough of Kensington and Chelsea, where Grenfell Tower is located, would have received a copy of the letter, LFB said.

Kensington and Chelsea Council said this afternoon: “We know there are many questions relating to fire safety standards.

“The council is committed to cooperating fully with both the public inquiry and the criminal investigation.

“We do not think it is right to make comments relevant to the inquiry or subject to the investigation until this issue has been discussed with the police and the solicitors to the public inquiry once they have been appointed.

“The council does not want to prejudice the fair conduct of the public inquiry in any way. We will update you as soon as those discussions have taken place.”

 

 

 

Mrs May announced in Parliament this afternoon that the number of tower blocks in Britain found to have combustible cladding after failing fire safety tests has grown to 120.

Mrs May said flammable cladding was found in the high-rise blocks across 37 local authority areas in England in tests carried out in the wake of the Grenfell Tower disaster.

She said 100% of the cladding samples tested have been found to be combustible and urged local authorities and housing associations to “get on” with fire safety checks without waiting for test results.

At Prime Minister’s Questions, Mrs May said 282 good quality temporary properties have been identified for victims of the Grenfell Tower disaster, 132 families have had their needs assessed, and 65 offers of temporary accommodation have been made.

The government has provided nearly £1.25 million in discretionary payments and will be giving an extra £1m to a local group of charities, trusts and foundations “which have been doing such important work”, Mrs May said.

The PM said she expects to name a judge for the public inquiry into the disaster “soon”.

Labour leader Jeremy Corbyn asked for a “categorical” answer on whether cladding with a combustible core, such as polyethylene, is legal for high-rise buildings, and if that used on Grenfell Tower was legal.

Mrs May replied: “The situation is, in relation to the cladding, that the building regulations identify the cladding which is compatible with the building regulations and that which is non-compliant with those building regulations.

“My understanding is that this particular cladding was not compliant with the building regulations.

“This raises wider issues, as the House will recognise, and it is important that we are careful in how we talk about this because there is a criminal investigation taking place and it’s important that we allow the police to do that criminal investigation and take the decisions that they need to take.”

 

 

Source – https://www.rte.ie/news/2017/0628/886196-london-fire/