available at www.sciencedirect.com
www.compseconline.com/publications/prodclaw.htm
Computer Law & Security Report 22 (2006) 169 – 171
Public surveillance – An overview
Someone to watch over you
Jonathon Little, Alexander Brown
Simmons & Simmons, London, UK
Abstract
It seems that just about everywhere you go someone is watching you or knows your
location. While the ability of current technology to track individual movements is often
overstated, possible tracking technologies take many forms and are developing rapidly. Some
are well known (such as CCTV), others less so (such as radio frequency identification
technology – RFID tags). The latest service to raise the spectre of Big Brother is the launch
of the new Google and Microsoft satellite imaging products. For those yet to try these out,
they enable the user to scoot around the globe zooming down (where images exist) to street
level. The launch of these services has prompted some privacy concerns. What if nefarious
people could use it to assess whether my house is worth burgling? Could it be used to track
my whereabouts? But more on these services later. This article explores the issues
involved.
© 2006 Simmons & Simmons. Published by Elsevier Ltd. All rights reserved.
CCTV is the most prevalent and widely recognised tracking
technology. It seems impossible to stand on a station concourse
without being told that “video monitoring is used for
the purpose of safety and security management” or to walk
down a high street without seeing a myriad of mounted cameras
peering down on you. However, CCTV is well within our
existing privacy and data protection regulation. Crucially,
the Data Protection Act applies – most importantly requiring
that data are processed “fairly and lawfully” (the “First
Principle”).
Given the potentially invasive nature of CCTV and in particular
the processing of its images, CCTV was the subject of
the first Code of Practice issued by the Information Commissioner.1
The CCTV Code requires those using CCTV cameras
in places where the public have largely free and unrestricted
access to assess the purpose for and manner in which the
cameras are deployed. The purposes for which CCTV cameras
may be used tend to revolve around the prevention and detection
of crime, public and employee safety and monitoring
premises. The images recorded by CCTV cameras can only
be used for a specified purpose: they cannot be retained and
used for any other purpose. Users of CCTV cameras must be
careful not to stray beyond the permitted purposes and should
take care not to record images from adjacent but irrelevant
areas. CCTV cameras should never be used to record conversations
between members of the public. In addition, in order
to comply fully with the First Principle, CCTV users must notify
the public of the monitoring by signs identifying the responsible
person, its purposes and who to contact with any
questions regarding the CCTV cameras.
1 Under section 51(3)(b) Data Protection Act 1998 – “CCTV: Code of Practice (July 2000)”.
0267-3649/$ – see front matter © 2006 Simmons & Simmons. Published by Elsevier Ltd. All rights reserved.
doi:10.1016/j.clsr.2006.01.001
The Code of Practice lays down a number of guidelines
regarding the quality of images recorded by CCTV cameras,
retention of data and access and disclosure of such images
to third parties. CCTV users need to ensure good quality images:
equipment should not be used where it becomes clear
that such equipment no longer produces clear images. Access
to and disclosure of images recorded by CCTV and similar surveillance
equipment must be restricted and carefully
controlled. Access should only be given to those staff who
need to have access to achieve the purpose of using the equipment
and all access should be documented. The identity of the
third party given access, the date and time of such access, the
reason for access and the extent of the information disclosed
should all be recorded. Furthermore, viewing of recorded images
should take place in restricted areas to ensure that only
those who need to have access in order to achieve the purpose
of using the CCTV cameras have access to the images. Users of
CCTV cameras also need to ensure that when they disclose
copies of the images the reason for such disclosure is compatible
with the purpose for which they were originally obtained.
In order to comply with the Fifth Data Protection Principle
images should not be retained for longer than is necessary. For
example, do images recorded by CCTV cameras monitoring
town centres and streets really need to be retained for longer
than 31 days? Perhaps not unless they are required for evidential
purposes in legal proceedings. Images recorded from
equipment protecting the public’s safety at cash points, however,
might need to be retained for a longer period, say up to 3
months in order to resolve customer disputes about cash
withdrawals. Once the retention period has expired the
images should be removed or erased.
In general, it is safe to say that the Code is required reading
for anyone using CCTV. However, CCTV users also need to be
aware that the world and the law have moved on since July
2000 and the Information Commissioner’s original guidance.
Data protection law has changed with the key decision in
Durant v. FSA2 which significantly restricts the scope of “personal
data” and therefore what is protected by the Data Protection
Act. In Durant v. FSA the Court of Appeal decided that
for information to relate to an individual, which is required
for information to constitute “personal data”, it has to affect
their privacy. To help judge whether or not a data subject’s
privacy is affected the Court held that the following two requirements
need to be fulfilled:
• a person has to be the focus of the information; and
• the information must tell you something significant about
  that person.
Whether or not a person’s use of CCTV cameras will be covered
by the Data Protection Act following the decision in
Durant v. FSA will therefore depend on how the equipment is
used. The present Information Commissioner has issued
further guidance on CCTV use under the Data Protection Act
following the decision, which confirms that many CCTV activities,
particularly where basic CCTV equipment is used, are no
longer covered by the Data Protection Act. By way of example,
if a retailer does not move their CCTV equipment remotely,
only records whatever the cameras pick up and would only
give the recorded images to the police to investigate an incident,
then such retailer’s use would not be covered by the
Data Protection Act. Only those activities that are focussed
on picking up the activities of particular persons are likely to
fall within the Data Protection Act. For example, if CCTV
equipment is used to monitor a particular member of staff
then the Data Protection Act will apply to those images which
record the activities of that member of staff. If CCTV equipment
is used for a number of purposes, some of which focus
on particular individuals and others which are more general
and not focussed on particular individuals then only those images
that focus on particular individuals will be covered by the
Data Protection Act. Whilst not all images recorded by CCTV
cameras will be governed by the Data Protection Act, the
Code contains helpful guidance that users of CCTV equipment
would be wise to follow so as to ensure that images recorded
are of sufficient quality to prevent or detect crime.
2 2003 EWCA Civ 1746 Court of Appeal (Civil Division).
But CCTV is not the only mechanism through which we
could be tracked. Our mobile phones constantly transmit
“cell of origin” data back to the network when switched on.
At a basic level these data are used by the network to tell it
where the mobile phone is to connect calls. However, the location
data (which now, through the use of triangulation technology,
can be relatively accurate) can also be used to
provide a number of location based services. These services
are controlled under the Privacy and Electronic Communications
(EC Directive) Regulations 2003.3 There is no restriction
on the type of services that can be provided as long as the service
provider fulfils one of the two conditions. Location data
may only be processed if either it is anonymised or if the processing
is necessary to provide a value added service to the
user, if the user’s consent has been obtained. When seeking
consent, a service provider must tell the individual the type
of data that will be processed, the purpose and duration of
the processing and whether the data will be passed to a third
party to provide the value added service. Individuals who have
given their consent in this way must be able to withdraw consent
at any time and service providers are required to make
users aware of this and provide users with a simple and free
of charge means of doing so each time they connect to the
service.
How should a service provider that offers, for example, services
in which it sends location relevant information by SMS
to mobile users, obtain a user’s consent? This is not an easy
question to answer since the Regulations do not prescribe
how service providers should obtain this consent. However,
the Information Commissioner has advised that a service provider
will not be able to rely on a blanket “opt-out” statement
on a website that purports to obtain a user’s consent but will
instead need to obtain specific consent for each value added
service requested from each user. Consent mechanisms can
easily be incorporated into a registration process and therefore
these requirements do not impose a significant burden
on service providers.
RFID (Radio Frequency ID) tag technology presents a similar
challenge. RFID tags are small electronic tags which either
send signals to readers (active tags) or (more frequently) reflect
a signal sent by a reader back to it (passive tags). Prices
have fallen to the extent that it will shortly be possible to include
tags in even low value items. Tags may be “persistent”
i.e. lasting well beyond their original use (e.g. after checkout
and calculation of the total bill). Ultimately RFID tags could replace
bar codes but RFID protest groups (particularly in the US)
see a potentially more sinister purpose. The fear is that persistent
tags in, for example, clothing could be read each time an
individual enters a location allowing some form of tracking.
However, it is easy to be carried away by the hype rather
than focus on the reality. RFID tags are predominantly used
on pallets and crates where no privacy issue arises. Item level
tagging is some years away and even then RFID readers and
tags are unlikely to have the sort of range that would enable
“Big Brother” surveillance. In any event, should RFID tags be
used to collect personal data the Data Protection Act will operate
to ensure that such data are processed fairly and lawfully
and not used for intrusive purposes.
3 Statutory Instrument 2003 No. 2426.
So what about the latest technology from Microsoft and Google?
Time to get worried? Well, not really. Users of these services
will soon realise that, as impressive as they are, they
do not allow the sort of detail that could readily constitute personal
data (and even if they did the Data Protection Act would
then apply to regulate the processing of that data). It is conceivable
that the technology and imaging could improve to
be sufficiently granular to enable identification of individual
houses (but probably not individuals themselves) but even
then it is doubtful that the data could be regarded as fulfilling
the tests set out in Durant v. FSA so as to constitute “personal
data”. So the technology has some way to go before enabling
one to trace one’s husband or wife. An attempt to visit the
Taj Mahal sent the globe spinning in the rather unexpected direction
of South Wales. Had this modern wonder of the world
been shipped to boost tourism in the valleys? Nothing so spectacular;
Neath is home to the Taj Mahal Indian restaurant.
Conspiracy theorists can rest easy in their beds.
Jonathon Little, Partner, IT&Telecoms Group.
Alexander Brown, Senior Associate, IT&Telecoms Group, Simmons & Simmons.