SBC + CCTV = GDPR CHAOS

SBC + CCTV = GDPR CHAOS

• an “In My View” article by NIGEL WARD, pointing out a fatal flaw in the Council’s CCTV coverage.

~~~~~

Hard on the heels of my recent exposure of the absurdities of the Scarborough Borough Council Car-Cruising Public Space Protection Order (PSPO), I now turn my attention to certain far more fatal flaws in the Council’s CCTV program. One begins to wonder whether or not there is anyone at SBC capable of understanding and implementing any of the statutory functions of the Council.

The Information Commissioner’s Office (ICO) website provides guidance to authorities (and other data processors) regarding the General Data Protection Regulations (GDPR). In this article, I will be examining the situation in relation to citizens’ rights of access to personal data held by Data Controllers, through a process known as the Subject Access Request (SAR).

Let us begin by considering personal data held by local authorities which has been obtained by mean of Closed Circuit Television (CCTV).

In present times, it is almost invariably the case that CCTV systems include digital storage facilities which preserve images recorded via CCTV cameras. Under a Subject Access Request, every citizen has the right to obtain a copy of ‘footage’ (i.e. data) in which she/he appears.

Having fallen victim for some years now to Scarborough Borough Council’s unlawful email interception, I became interested in what image data the Council may have obtained and stored in relation to me and the people with whom I have met in public spaces overviewed by CCTV cameras. Has the Council spied on me, noting my meetings with Councillors and Officers within public spaces overviewed by its CCTV systems? I have reason to believe so.

On 16th June 2019, in order to test the system, I lodged a Subject Access Request with SBC via the newly-installed Portfolio Holder for Finance & Operations, Councillor Janet JEFFERSON [Ind.] (who referred it to the Portfolio Holder for Legal, Democratic & Governance, Councillor Tony RANDERSON [Ind.]), requesting copies of CCTV images of me held by the Council.

On 24th June 2019, taking pity on the Council’s Data Protection Officer (who, I have since learned – but did not know at that time – is none other than Mrs Alison JOHNSON, whose threatening email to me has drawn fire from former Leader Councillor Derek BASTIMAN [Con.]), I revised my SAR, constraining it to just eight of the Council’s CCTV installations (some of which include several cameras) on one particular day (Saturday 22nd June 2019) in Whitby, and in the short time period of 10:50am to 12:30pm (100 minutes) – a minute sample of the vast number of occasions on which I have appeared, alone or in company, on the SBC CCTV system.

In both my original and my constrained/revised SAR, I offered to withdraw my SAR, “contingent upon the Council (i) co-operating with my efforts to ensure that the Council’s CCTV systems are compliant with the terms of the GDPR and (ii) acknowledging my contribution to achieving that end”. This has received no response.

Needless to say, the Council has disregarded my offer of assistance, no doubt on account of the innate sense of humiliation attendant upon needing the assistance of a doddering old pensioner to resolve an otherwise insurmountable difficulty. In fact, the Council has gone to ground – or rather, stuck its head in the ground – with the usual evasion and fabrication:

Which is another way of admitting that the Data Protection Officer has no clue that there is a problem.

But the ICO instructs all Data Controllers:

• “You must act on the subject access request without undue delay and at the latest within one month of receipt.”

Clearly, the Data Protection Officer is now well out-of-time (seven weeks and counting) and my Subject Access right is being abused. The Council stands (once again) in breach of the GDPR.

The Data Protection Officer’s difficulty in responding to my SAR is rather obvious.

There can be no discussion about the fact that I am entitled to copies of all footage in which I appear.

Equally, there can be no doubt that I am NOT entitled to obtain (or view) footage of other people, since their personal data must, at all costs, be protected and under no circumstances provided to any third party (i.e. me).

The difficulty of fulfilling my SAR can be surmounted – but not easily. The solution is to provide me with all footage in which I appear, whilst obscuring the identity of every other person who appears in the same section of footage, thus:

However, CCTV footage is usually recorded at between 15 and 30 frames (still images) per second (f/s) – i.e. for every second of footage in which the Subject (in this case, yours truly) appears, between fifteen and thirty individual frames will require the images of EVERY other person present in shot to be pixelated (or in some other way fully anonymised).

Clearly, this would present even a competent and experienced Data Protection Officer (one with specialist video-editing skills) with a extremely  demanding task in order to satisfy my Subject Access Request, in compliance with the GDPR.

If, for example, the other party in the above image were also to lodge a Subject Access Request, the Data Protection Officer would have to repeat the very demanding process described above, but this time pixelating both my image and the image of the person in the background, so as to protect the personal data of all but the applicant.

Imagine the footage captured by CCTV cameras overlooking the Whitby Swing Bridge on a busy Sunday in the school holidays, or Scarborough’s Westborough on a busy Saturday during the run-up to Christmas. In such cases, the identities of every human being ‘in shot’ (there may be hundreds), with the exception of the SAR applicant her/himself, would have to be pixelated (or anonymised in some other way).

Importantly, it is not just a matter of pixellating/anonymising the faces of the people in each frame. Any identifying feature must be pixelated/anonymised: visible tattoos, unusual rings and piercings, missing or prosthetic limbs, unusual forms of dress (kilts, kaftans, etc), accompanying dogs or wallabies – the list goes on.

If the SAR applicant had remained within the purview of the Council’s CCTV system for one hour, that would necessitate a minimum of 15 x 60 x 60 = 54,000 images per hour to be pixelated/anonymised (perhaps double that). A separate (i.e.) different SAR applicant would have to be provided with a completely different sequence of frames – another 54,000 of them. And that assumes that the subject appears on the footage of only one camera. In some locations, up to three cameras overlap the same territory.

Clearly, it becomes apparent that any greater number of SAR applicants than just two would force the Data Protection Officer into an impossible position. Nevertheless, the SAR applicants are entitled to their data.

To compound the problem, the Data Protection Officer is not at liberty to ‘outsource’ the pixelation/anonymisation process to a specialist video-editing contractor, as this would expose the personal data of everyone who appears in the footage to a third party – the contractor – which is, of course, strictly prohibited.

In brief, it is unlawful for the Council to gather data in such a way as to defy the requirements of the GDPR, including the Subject Access Request provisions. It is unlawful, but it is going on as you read this article.

All this is by no means trivial. In fact, it has some very serious consequences.

It is almost certainly the case that prosecutions have been brought, and convictions obtained, reliant in part or in whole on SBC CCTV footage which has been unlawfully obtained.

Persons convicted in this way may have been wrongfully convicted. On this basis, they would be hold solid grounds to appeal to the Courts to have their convictions quashed. This is not to say that they are innocent – only that they may have been convicted on inadmissible evidence. Some may even have been wrongfully imprisoned.

Incidentally, other Councils in our general area find themselves in a similar predicament and I can confirm that the legal department of the Humberside Poilce is presently scratching its collective head. Unsurprisingly. The implications have national ramifications.

Returning to SBC, this raises the spectre of large sums in compensation. And all because the Council has been unable to devise an adequate policy for the gathering and storage of CCTV data such as is compliant with the legal requirements of the SAR provisions of the GDPR (and, of course, the judicial system).

On these SAR grounds alone – and on others (which I am happy to explain to Councillor RANDERSON and his Officers) – the present system is worse than useless. It is a liability. Essentially, it is a “Criminal’s Charter”, since it constitutes an open invitation to law-breakers to commit offences for which the best (and perhaps only) source of evidence likely to lead to a conviction (i.e. CCTV footage) is inadmissible in a Court of law, having been unlawfully obtained. I have no doubt that the celebrated solicitor  Nick ‘Mr Loophole’ FREEMAN will be all over this like a tight onesie.

In my view, until such time as the Council brings its CCTV system into compliance with the GDPR, it has little option but to switch off all of its CCTV cameras.

I have explained all this to Councillor RANDERSON and my offer to assist the Council remains open.

Nevertheless, my SAR remains unresolved and the Council continues to break the law.

What’s new?

So I now rely on Councillor RANDERSON to inform me what steps the Council intends to take to rectify this very grave shortcoming in its CCTV system.

Note: Those wishing to lodge a Subject Access Request are advised to read the Information Commissioner’s Office guidance:

https://ico.org.uk/your-data-matters/your-right-of-access/?fbclid=IwAR0QnSJw0MNTvMtIihllESVVQ-IOCIvlNyIeYi0IWhAWM0BfBhpTfleesiU