Privately controlled cameras are appearing in ever greater numbers within our homes, and now they are starting to appear outside them in ever greater numbers too. Whilst the UK remains the world’s most watched nation, with an estimated 6 million cameras covering the nation, the overwhelming majority of these (reportedly around 96%) are owned and operated privately by businesses and individuals rather than the UK Government.
If you, like many others, have CCTV cameras operating on your property, then you need to pay close attention to data protection law in order to understand how you can get things wrong. Any business that uses CCTV will automatically become a Data Controller of CCTV recordings and will be subject to data protection laws. But what about homeowners? Do they also need to comply with these laws? Whilst it depends on the situation, you can avoid triggering data protection laws if you do things properly. This might be harder than you think though, and could require some careful planning. It's often best to assume that the law does apply (and you may need specialist advice to figure that out for yourself).
Whilst you might think you're a small fry, the UK's data watchdog, the Information Commissioners Office (ICO), will not ignore you or anyone who complains about you, so you're always at risk if you don’t process personal data in compliance with the law. A recent case between Dr. Mary Fairhurst (the person claiming against) and Mr. Jon Woodard (who had domestic CCTV in place at his property in Oxfordshire) demonstrates the key points to avoid and the risk to homeowners in getting this wrong.
Mr. Woodard (W) had numerous cameras in place, including hidden cameras and doorbell cameras as well floodlights and microphones set to cover both his own property and that of his neighbours who included Dr. Fairhurst (F). F first tried to raise the issue with W but was later forced to complain about W through more official channels after F threatened to effectively conduct extensive surveillance of her with more cameras and listening devices in response to her raising a complaint. F was understandably quite upset and worried about W's monitoring activities, feeling that they went above and beyond what was required merely for home security purposes and the Judge agreed that W's surveillance was excessive in that instance. F was so disturbed that she chose to move house, though the Judge thought that was probably taking things too far in the circumstances. Accordingly, the Judge found that W was both in breach of data protection laws and was harassing F; F was awarded damages and W was required to cease processing personal data in such an intrusive way. The particular point around audio recordings was mentioned several times by the Judge in this case to be far more problematic than simply recording video or still images, because it could potentially capture a lot more information than video.
Some important points to note (and probably avoid) that came up in the case between W and F, which may distinguish it from other examples:
- F was a doctor, so her conversations might reasonably be assumed to sometimes contain health information relating to her patients. Although this wasn’t discussed in detail, if a colleague of W visited her property and discussed "the office" by her door, that might have been picked up by W's recordings;
- W wasn’t very good at explaining his processing activities to F;
- W didn’t take F's thoughts and feelings into account, even after F raised them with him;
- F lied about certain cameras being switched on (he had claimed certain cameras were dummy cameras despite them being fully functional); and
- F actively threatened W and her friends, saying he would report them to the police, and became increasingly difficult and aggressive after they raised complaints with him, instead of discussing the issues constructively.
So, what do you need to do to comply with GDPR (whether that’s Data Protection legislation in the UK or the EU) if you have a CCTV camera installed on your property? Do home security cameras automatically put you at risk of breaching data protection laws? Well, the simple answer is: "Yes" - it might put you at risk of breaching the law. The ICO calls this "domestic CCTV", which is a different thing to commercial use of CCTV, and there are a few things you should understand.
- Private Domestic Property does not include public footpaths/curbs/public roads etc. If you are using a camera that covers anything other than your own private property, then you will trigger the need to comply with data protection laws. Using a camera that can only capture images of your property and doesn’t ever risk capturing any members of the public will not trigger data protection laws (assuming you only use it for security purposes).
- Be transparent. Whether you are capturing images exclusively of your own property, or if you're recording public areas, it is usually going to be best practice to show your neighbours where your cameras are and to explain why you feel you need cameras in place. Whilst you might want to invite every local gang/robber along for the open-house, consider those "innocent bystanders" most likely to be affected and try to bring them into the loop. You are more likely to be able to argue that your processing is transparent if you are yourself transparent with exactly what your processing is. Simple!
- Avoid audio recordings. Powerful microphones exist in many modern cameras which can pick up personal conversations of neighbours or passer's by without much problem. Considering that most crimes like burglary will be pretty obvious even when mimed, you don’t necessarily need audio recordings in order to protect yourself against crime. Whilst its possible they might capture an extra bit of evidence, microphones tend to record too much information and you can't realistically control "where" it records the audio as someone could be shouting from five doors down and you might hear/record them even without intending to.
- Know the law, comply with subject access request and other rights. If you capture images of someone else using CCTV, unless you have a legal reason to keep that information, you need to delete it within one month of the request. People can also ask you verbally, or in writing, to provide further information, or they can request a copy of the data that includes/reveals their identity. If you fail to comply with these requests without a good reason, you may be fined by the ICO.
If you have a CCTV dispute with a neighbour, or have concerns that their home security might be invading your privacy in some way, you can either get in touch with us or you can further educate yourself using the following helpful resources which might help to read first:
Neighbourhood watch best practice guidance:https://www.ourwatch.org.uk/crime-prevention/crime-prevention-advice/cctv-domestic-property
For business CCTV:https://www.gov.uk/data-protection-your-business/using-cctv