Tag Archives: surveillance

Dashcams and domestic purposes

What do people use dashcams and cameras on cycle helmets for? I’m sure that some (especially in the latter group) use them to capture footage of interesting journeys they have made. But a considerable proportion of users – surely – use them in the event that the user is involved in a road traffic incident. Indeed the “National Dash Cam Safety Portal”, although provided by a commercial organisation selling cameras, is operated in partnership with, and enables upload of footage to, police forces in England and Wales, and its FAQ clearly inform people of the evidential nature and implications of such footage. And a recent piece on the “Honest John” website suggests that one in four dashcam submissions result in a prosecution. Whatever the intentions were of the people who used those dashcams to record that footage, it is undeniable that the outcome of the processing of personal data involved had a significant effect on the rights of those whose data was processed.

Article 2 of the UK GDPR says that the law’s scope does not extend to processing of personal data “by a natural person in the course of a purely personal or household activity”, and the case law of the Court of Justice of the European Union (at least insofar as such case law decided before 1 January 2021 is retained domestic law – unless departed from by the Court of Appeal or the Supreme Court) makes clear that use of recording cameras which capture footage containing personal data outwith the orbit of one’s property cannot claim this “purely personal or household activity” exemption (see, in particular the Ryneš case).

Yet the position taken by the authorities in the UK (primarily by the Information Commissioner’s Office (ICO)) largely fails to address the difficult issues arising. Because if the use of dashcams and helmet cams, when they result in the processing of personal data which is not exempt under under the “purely personal and household exemption, is subject to data protection law, then those operating them are, in principle at least, obliged to comply with all the relevant provisions of the UK GDPR, including: compliance with the Article 5 principles; providing Article 13 notices to data subjects; complying with data subject request for access, erasure, etc. (under Articles 15, 17).

But the ICO, whose CCTV guidance deals well with the issues to the extent that domestic CCTV is in issue, implies that use of dashcams etc, except in a work context, is not subject to the UK GDPR. For instance, its FAQs on registering as a data protection fee payer say “the use of the dashcam in or on your vehicle for work purposes will not be considered as ‘domestic’ and therefore not exempt from data protection laws”. It is very difficult to reconcile the ICO’s position here with the case law as exemplified in Ryneš.

And what raises interesting questions for me is the evidential status of this dashcam and helmet cam footage, when used in prosecutions. Although English law has traditionally tended to take the approach that evidence should be admitted where it is relevant, rather than excluding it on the grounds that it has been improperly obtained (the latter being a species of the US “fruit of the poisoned tree” doctrine), it is surely better for a court not to be faced with a situation where evidence may have been obtained in circumstances involving illegality.

If this was a passing issue, perhaps there would not need to be too much concern. However, it is clear that use of mobile video recording devices (and use of footage in criminal, and indeed civil, proceedings) is increasing and will continue to do so, at the same time as access to such devices, and the possibility for their covert or surreptitious use, also increases. It is, no doubt, a tremendously tricky area to regulate, or event to contemplate regulating, but that is no reason for the ICO to duck the issue.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under CCTV, crime, Data Protection, Information Commissioner, police

Monitoring of blogs and lawful/unlawful surveillance

Tim Turner wrote recently about the data protection implications of the monitoring of Sara Ryan’s blog by Southern Health NHS Trust. Tim’s piece is an exemplary analysis of how the processing of personal data which is in the public domain is still subject to compliance with the Data Protection Act 1998 (DPA):

there is nothing in the Data Protection Act that says that the public domain is off-limits. Whatever else, fairness still applies, and organisations have to accept that if they want to monitor what people are saying, they have to be open about it

But it is not just data protection law which is potentially engaged by the Trust’s actions. Monitoring of social media and networks by public authorities for the purposes of gathering intelligence might well constitute directed surveillance, bringing us explicitly into the area of human rights law. Sir Christopher Rose, the Chief Surveillance Commissioner said, in his most recent annual report

my commissioners remain of the view that the repeat viewing of individual “open source” sites for the purpose of intelligence gathering and data collation should be considered within the context of the protection that RIPA affords to such activity

“RIPA” there of course refers to the complex Regulation of Investigatory Powers Act 2000 (RIPA) (parts of which were reputedly “intentionally drafted for maximum obscurity”)1. What is not complex, however, is to note which public authorities are covered by RIPA when they engage in surveillance activities. A 2006 statutory instrument2 removed NHS Trusts from the list (at Schedule One of RIPA) of relevant public authorities whose surveillance was authorised by RIPA. Non-inclusion on the Schedule One lists doesn’t as a matter of fact or law mean that a public authority cannot undertake surveillance. This is because of the rather odd provision at section 80 of RIPA, which effectively explains that surveillance is lawful if carried out in accordance with RIPA, but surveillance not carried out in accordance with RIPA is not ipso facto unlawful. As the Investigatory Powers Tribunal put it, in C v The Police and the Home Secretary IPT/03/32/H

Although RIPA provides a framework for obtaining internal authorisations of directed surveillance (and other forms of surveillance), there is no general prohibition in RIPA against conducting directed surveillance without RIPA authorisation. RIPA does not require prior authorisation to be obtained by a public authority in order to carry out surveillance. Lack of authorisation under RIPA does not necessarily mean that the carrying out of directed surveillance is unlawful.

But it does mean that where surveillance is not specifically authorised by RIPA questions would arise about its legality under Article 8 of the European Convention on Human Rights, as incorporated into domestic law by the Human Rights Act 1998. The Tribunal in the above case went on to say

the consequences of not obtaining an authorisation under this Part may be, where there is an interference with Article 8 rights and there is no other source of authority, that the action is unlawful by virtue of section 6 of the 1998 Act.3

So, when the Trust was monitoring Sara Ryan’s blog, was it conducting directed surveillance (in a manner not authorised by RIPA)? RIPA describes directed surveillance as covert (and remember, as Tim Turner pointed out – no notification had been given to Sara) surveillance which is “undertaken for the purposes of a specific investigation or a specific operation and in such a manner as is likely to result in the obtaining of private information about a person (whether or not one specifically identified for the purposes of the investigation or operation)” (there is a further third limb which is not relevant here). One’s immediate thought might be that no private information was obtained or intended to be obtained about Sara, but one must bear in mind that, by section 26(10) of RIPA “‘private information’, in relation to a person, includes any information relating to his private or family life” (emphasis added). This interpretation of “private information” of course is to be read alongside the protection afforded to the respect for one’s private and family life under Article 8. The monitoring of Sara’s blog, and the matching of entries in it against incidents in the ward on which her late son, LB, was placed, unavoidably resulted in the obtaining of information about her and LB’s family life. This, of course, is the sort of thing that Sir Christopher Rose warned about in his most recent report, in which he went on to say

In cash-strapped public authorities, it might be tempting to conduct on line investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates, etc. But just because one can, does not mean one should.

And one must remember that he was talking about cash-strapped public authorities whose surveillance could be authorised under RIPA. When one remembers that this NHS Trust was not authorised to conduct directed surveillance under RIPA, one struggles to avoid the conclusion that monitoring was potentially in breach of Sara’s and LB’s human rights.

1See footnote to Caspar Bowden’s submission to the Intelligence and Security Committee
2The Regulation of Investigatory Powers (Directed Surveillance and Covert Human Intelligence Sources) (Amendment) Order 2006
3This passage was apparently lifted directly from the explanatory notes to RIPA

3 Comments

Filed under Data Protection, human rights, NHS, Privacy, RIPA, social media, surveillance, surveillance commissioner