Introduction
In recent years, body-worn video (BWV) technology has emerged as a powerful tool in law enforcement and security operations. This technology provides an additional layer of transparency and accountability, benefiting both officers and the communities they serve. However, the use of BWV also raises important considerations regarding data protection laws. In this blog post, we’ll explore the benefits of body-worn video in policing and security, as well as the implications for data protection. Organisations using BWV need to understand the implications of data protection law on the processing of data, and how the risks of using these devices, where the law is concerned, can be mitigated.
A recent article from the BBC has brought attention to a number of areas that are cause for concern when the police force utilises BWVs. The article in question highlights serious allegations, including officers sharing camera footage with colleagues or friends, images of a naked person being shared between officers and footage being lost/deleted (amongst other allegations). Sky News has previously highlighted an incident where South Yorkshire Police lost nearly 3 years’ worth of BWV footage.
This blog aims to shed some light on the data protection considerations of these cameras, and how situations such as those mentioned above can be avoided.
Data protection considerations for BWV
As with the use of any surveillance technology, there are legal obligations that organisations consider. Due to surveillance technology (CCTV, BWV, ANPR) capturing personal data, organisations have an obligation to implement appropriate technical and organisational measures to protect this personal data, in line with the UK GDPR and the DPA 2018. Organisations must do this to show that they are integrating the principles of data protection law into their processing activities.
Additionally, both controllers and processors that use surveillance systems are required to maintain a Record of Processing Activities and must take a data protection by design and default approach, including completing CCTV Data Protection Impact Assessments. Further guidance from the ICO can be found here. Authorities have also been provided with a Surveillance Camera Code of Practice to follow, which provides guidance on the appropriate and effective use of surveillance camera systems by the relevant authorities.
In addition to this, it is integral that individuals understand their own responsibilities to uphold data protection law. In most instances, data breaches are as a result of human error and are avoidable. It is essential for organisations to ensure that all members of staff that use, or have access to these systems, understand their responsibilities, and any ramifications that may arise from failing to do this.
Mitigating the risks of body worn video
There are a variety of ways organisations and authorities can seek to reduce these risks. These include:
- Taking a data protection by design and default approach: A great way to do this is to conduct CCTV DPIAs before any processing activities take place. By completing a CCTV DPIA, your use of surveillance cameras will be examined to make sure it is compliant with the law and risks to the data subjects are being mitigated.
- Regular auditing and quality control: Implementing regular audits of BWVs to ensure compliance with all relevant legislation. This helps to identify any deviations from the established procedures and provides opportunities to take corrective action before the risks transpire.
- Comprehensive training: Ensure all staff that use BWVs or have access to the data captured by them receive thorough training on the proper use of BWVs and adherence to data protection laws. Training should be completed regularly, to ensure that it remains fresh in people’s minds, and also to make sure that any changes in legislation are being kept up to date with.
- Clear and comprehensive policies: To ensure the utmost transparency, guidelines and policies on the use of BWVs and surveillance practices should be made readily accessible to all relevant staff/employees. A comprehensive CCTV/Surveillance policy will help to ensure compliance with privacy laws and regulations and to protect individuals’ privacy rights. The policy should outline how the system will be used in a manner that aligns with legal requirements. You should have a comprehensive CCTV privacy notice which informs the data subjects what you do with their data, along with having signs informing the data subject.
- Encryption and Secure Storage: Employ robust encryption measures to protect the integrity of recorded data. Store footage in secure, tamper-proof systems with restricted access to authorised personnel only. Regularly backup data to prevent loss or corruption.
- Redaction and Anonymisation Tools: Invest in advanced redaction and anonymization software to safeguard the identities of individuals captured in recordings. This minimises the risk of unauthorised disclosure of sensitive information.
- Consistent Data Retention Schedule and Policies: Develop and strictly adhere to clear policies regarding the retention of BWV footage. Delete recordings within the legally mandated timeframes to minimise the risk of unauthorised access or use. Your organisation should have and keep an up to date retention schedule that outlines exactly how long you keep the data, and under what legal basis it is being retained.
- Regular Equipment Maintenance and Testing: Conduct routine checks and maintenance of BWV equipment to ensure proper functionality. This includes battery life, camera lenses, audio quality, and storage capacity. Promptly replace or repair any faulty equipment.
- Open Communication and Feedback Loops: Establish channels for personnel to provide feedback on the use of BWV technology. Encourage open dialogue to address concerns and improve practices over time.
- Collaboration with Legal Experts: Consult with legal experts who specialise in data protection and privacy laws to ensure compliance with local, regional, and national regulations. Stay informed about any updates or changes in relevant legislation.
- Community Outreach and Education: Engage with the community to explain the purpose and benefits of BWV technology. Address concerns about privacy and data protection and solicit input on policies and procedures.
- Transparency Reports and Accountability Measures: Publish regular transparency reports that detail the use of BWV, including statistics on activations, incidents recorded, and any actions taken based on footage. This demonstrates a commitment to accountability.
Key takeaways
Some recent news articles have brought to light some serious risks concerning the use of BWVs, and as such, it is important for organisations to start thinking about what surveillance systems they use and what the risks are, and acting upon those risks before it is too late. CCTV DPIAs are a great way to prove your organisation’s accountability, and training will ensure that staff are aware of their own responsibilities and help reduce the human error risk.
How DPAS can help
Here at DPAS we can help your organisation with our CCTV and surveillance data protection support. We offer a surveillance and CCTV audit that examines whether your organisation is meeting the standards contained in the Code of Practice and data protection law. At the end of this you will receive a comprehensive report detailing the current risks, remedial advice and a project plan to address the risks.
We also offer CCTV compliance documentation services, including supporting with your internal CCTV policy, CCTV privacy notice and CCTV Code of Conduct (and any other documents that demonstrate compliance).
If your organisation is thinking about implementing the use of any new surveillance systems, including BWVs, we can conduct a CCTV DPIA to highlight where there are any risks and reinforce your organisation’s accountability.
We offer a wide range of training services, including the BCS Foundation in Data Protection.
If you would like to find out more about any of the services we offer, or talk to us about how we can help, either give us a call on 0203 3013384, send us an email at info@dataprivacyadvisory.com, or simply fill in a contact form and we’ll get in touch with you.
