A recent ‘advert’ by a CCTV company on social media has prompted and inspired this blog post.
The ‘offending’ advert boasted about a domestic CCTV set-up that the business had installed. The photographs accompanying the advert illustrated the view from a wide angle, high definition camera that pointed well beyond the property’s perimeter; it captured the road in front of the property and included properties across the road. Somebody responding to the advert asked if it was ‘aloud’ [sic] as they had been informed that the camera coverage had to be confined within the boundary of the owner’s property. That is correct, however, the company appeared more interested in making a sale than correcting the legal position; indeed, it is at least probable that they were/are not even aware of the legal position.
In response to an attempt to set the record straight, the company claimed that the Data Protection Act 1998 ‘was more for businesses‘ and pointed to a Wikipedia entry about the Data Protection Act 1998 (hereafter ‘DPA1998’). Attempts to further enlighten the company and it’s customers/potential customers were not exactly welcomed and so perhaps this blog post will assist those who are interested in ensuring: (1) that they do not breach data protection laws, and (2) any CCTV evidence that they capture is not ultimately ruled ‘inadmissible’ in legal proceedings.
THE DPA 1998.
The DPA1998 is one of ‘those laws‘ deriving from the EU; it comes as a result of an EU directive. An EU Directive requires each member state to introduce legislation that delivers on the requirements outlined in the Directive.
Despite what the security company in question would have consumers believe, the DPA1998 is NOT ‘more for businesses‘ – Data Protection legislation has wide application. The legislation does however provide for a number of exemptions and one of those exceptions is defined as ‘domestic purposes‘. As a consequence, domestic CCTV systems where the camera coverage is confined within the property’s boundary are likely to be exempt from the requirements of the DPA1998:
Section 36 DPA 1998: Domestic purposes.
Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III.
Where the camera coverage extends beyond the boundary of the property or routinely captures members of the public, it would not qualify for exemption and it will be necessary to have regard to the full requirements of the DPA1998 (this was confirmed by the Court of Justice for the European Union in 2014: see https://www.theguardian.com/law/2014/dec/11/home-surveillance-cctv-images-may-breach-data-protection-rules-european-court-judgment-says).
The judgment of the CJEU can be found here and the relevant sections of the judgment are reproduced below:
31 In the light of the foregoing considerations, it must be held that, as the Advocate General observed in point 53 of his Opinion, the processing of personal data comes within the exception provided for in the second indent of Article 3(2) of Directive 95/46 only where it is carried out in the purely personal or household setting of the person processing the data.
32 Accordingly, so far as natural persons are concerned, correspondence and the keeping of address books constitute, in the light of recital 12 to Directive 95/46, a ‘purely personal or household activity’ even if they incidentally concern or may concern the private life of other persons.
33 To the extent that video surveillance such as that at issue in the main proceedings covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity for the purposes of the second indent of Article 3(2) of Directive 95/46 [*i.e. the domestic purposes exemption].
Businesses – even small businesses – of course, cannot rely on the domestic purposes exemption and will need to have full regard to the requirements of the DPA1998.
You may legitimately ask, “so what if I don’t comply with the DPA1998?”
Well, there are two potential consequences that I would suggest are of particular concern:
- You may be fined/taken to task by the ICO for breaching the Act, and;
- The CCTV evidence is likely to be ruled inadmissible in any court proceedings!
Before any trial gets under way, the Defendant’s barrister/solicitor advocate will ask the judge to exclude the CCTV evidence because it is evidence that was unfairly/unlawfully obtained. If it isn’t clear to the Judge (and it probably will be) the Judge will ask the prosecution advocate whether they accept that it was unfairly/unlawfully obtained. If the system did not comply with the DPA1998 at the material time (when the evidence was filmed) the advocate (who cannot mislead the Court) will be obliged to answer that question truthfully. If the Judge agrees that the system did not comply with the DPA1998, then the evidence will have been unfairly/unlawfully obtained and the CCTV evidence will inevitably be excluded.
Rhetorical question time:
- What good is evidence from an expensive CCTV system that will be excluded from consideration by a Court? And;
- How unjust and ironic would it be if you were also to then find yourself facing a fine imposed by the ICO for breaching the DPA1998?
The lesson here is obvious: (i) if you are getting a CCTV system, ensure it/you comply with the requirements of the DPA1998, and (ii) if you are in the business of installing a CCTV system for a customer – make sure you understand the law and advise the customer accordingly.