This article was co-authored by Ella Kelly, Trainee Solicitor.
Ireland’s National Police and Security Service has commenced the final phase of its ‘proof of concept’ for body worn cameras. This development reflects wider concerns around threatening behaviour against the Garda but also others working in the retail and security sectors.
The Data Protection Commission (DPC) published Guidance on the use of Body Worn Cameras or Action Cameras in January 2020. This provides advice on the use of body worn cameras and the General Data Protection Regulation (GDPR) concerns that arise from wearing them. As these devices essentially turn the wearer into a mobile surveillance system, the user will have to meet a high threshold to ensure compliance with data protection legislation. Where audio is captured as well as footage, this increases the data protection concerns.
Factors that will be considered when considering whether the use of body worn cameras follows data protection legislation:
- The use of body worn cameras must by be lawful and fair.
- The use of the body worn cameras must be transparent.
- They should record the minimum amount of personal data for their stated purpose.
- Recordings should be stored securely and retained only for the minimum amount of time necessary.
Lawful and fair
To ensure the use of body worn cameras is lawful and fair, one should be able to show that they are necessary to pursue a ‘legitimate interest.’
To rely on a legitimate interest, an organisation must consider the necessity of wearing body worn cameras and balance this against the fundamental rights of individuals whose data will be captured.
Transparency
All individuals being filmed must be made aware.
Minimum amount of data
Only the minimum amount of data should be recorded as is necessary for the stated purpose of using the body worn cameras. The DPC recommends that risk assessments be carried out to determine how to use the bodycams in a way that meets this requirement.
Security and retention of recordings
Footage must be securely stored to prevent theft, loss and unlawful processing. The DPC states that security measures should include cybersecurity, physical and organisational security measures to protect personal data and avoid data breaches.
The recordings should be retained for the minimum amount of time required for their stated purpose.
Guidance for use of bodycams in the retail and security context
- An organisation must show the use of body worn cameras is actually necessary and proportionate to achieve a ‘legitimate purpose’. For example, a security services company using them for the safety of their staff and the general public when dealing with aggressive individuals. In the context of retail defamation claims, which are often in the context of suspected theft, a security guard is making enquiries as to the payment of goods and services. This is a legitimate purpose.
- The wearer of the camera should wear a badge stating that they are in operation and making the identity of the organisation known. Often cameras are worn on a harness around the body which is brightly coloured so as to make them conspicuous and easily observed. Public signage or visible notices advising individuals of the operation with clear information and links for further details may also be utilised.
- Body worn cameras should only be turned on when necessary and it should be verbally communicated that the camera is being turned on. These communications must be made to all individuals whose personal data could be captured.
- A body worn camera wearer will often be the first port of call for affected data subjects, and therefore they should be suitably trained on how to respond to queries or data subject requests. Individuals have the right to access of, rectification of, and in certain cases the erasure of any recordings that contain their personal data.
- If any access request for personal data is made, the organisation is obliged to:
- Confirm whether such data exists;
- Provide a copy along with other information free of charge; and
- Respond without undue delay, within 1 month of the request.
- Organisations should carry out risk assessments to determine how and when to use body worn cameras for their stated purpose, whilst capturing as little personal data as possible. It is highly advised that organisations conduct a Data Protection Impact Assessment. While not mandatory, they are a useful tool for ensuring compliance with data protection law. Where cameras are utilised an organisation should update their Electronic Privacy Notice and Data Protection Policy.
- Footage should be securely stored with cybersecurity and physical and organisational security measures in place. The data should be stored safely with limited access permissions.
- Footage should only be retained for the minimum amount of time necessary. For example, footage that does not capture any incident should not be retained. If footage does capture an incident such as an assault it may be retained for longer, once in compliance with data protection laws. It is not permissible to retain data on a ‘just in case’ basis.