This article is the second in a two part series about the use of surveillance technologies in vehicles. The first part, relating to personal use of such technologies, is available here.
Video surveillance has a variety of uses in commercial vehicles. Perhaps the most interesting of these applications, and the most worthy of writing about, is anti-theft video surveillance. How does this work? And what does data protection law and guidance say about the use of such surveillance systems? I’ll address both questions, as well as the practical compliance steps to take when using these systems.
How does an anti-theft surveillance system work?
Anti-theft video surveillance is both a hi-tech solution to the “no tools are left in this vehicle overnight” sticker and an evolution of existing anti-theft tools such as GPS tracking. GPS tracking is great at telling your where your stolen vehicle is, but you don’t have to move a vehicle to pinch its contents. That’s where the video surveillance comes in.
Positioned (typically) internally, a simple system might comprise a camera with a wide-angle lens that captures the content of the cargo area in the van. Usually upon a trigger event like forced entry to the vehicle, the system will stream and record the unauthorised activity. The system operator can alert the police about the break-in and, if the perpetrators get away, the police can then use the footage to assist with the investigation. There is also the deterrent factor.
Who provides and operates these systems?
Carmakers can integrate a system directly into a vehicle as part of the build. Alternatively, the system can be added as an ‘aftermarket’ service by a third party service provider. Commercial fleet operators such as civil engineering or trades companies are the core customers for these products. In most instances, the fleet operator will outsource the monitoring of such systems to a third party (usually but not always the maker of the system), who will notify the fleet operator of any incidents and may even liaise with the police on the fleet operator’s behalf following an incident.
What is the data protection position on their use?
Any video captured by the system is likely to contain images of people. Images of an identifiable person will be the personal data of that person. Therefore, the processing of this personal data is subject to the UK GDPR.
The fleet operator is typically the controller of the personal data and the fleet operator may engage processors to perform the monitoring on the fleet operator’s behalf. Alternatively, a third party service provider may operate the system as a controller given the right set of circumstances. As usual, it will depend on who makes the key decisions that influence the processing.
The data subjects will be employees of the fleet operator, criminals breaking into the vehicle (yes, they are data subjects too) or members of the public incidentally captured by the system when, for example, a door is opened or the vehicle has windows. This diverse range of data subjects creates some headaches for the fleet operator when trying to satisfy its compliance requirements.
What are the main compliance priorities?
Helpfully, surveillance technology is an area where there is lots of guidance to draw on. The ICO’s recently released guidance on video surveillance covers non-traditional CCTV such as in-vehicle surveillance. There’s also the Surveillance Camera Code of Practice, introduced under the Protection of Freedoms Act 2012. Although this Code applies only to ‘relevant authorities’ (mostly police-related organisations), the code offers a raft of best practice pointers and a handy DPIA template (with guidance) that is useful to any private enterprise operating a video surveillance system. Finally, the ICO also recommends that commercial fleet operators consult the ICO’s Employment Practices Code when using a surveillance system that may monitor employees.
Taking this guidance into account, the following areas require careful attention:
- Notice
Transparency is crucial to the compliant operation of any video surveillance system. Where there is a possibility that the camera could capture footage of members of the public, the vehicle should display appropriate signage to let people know that the vehicle is subject to video surveillance. The signs should name the operator of the system (unless this is obvious) and provide contact details for the operator.
A fleet operator using in-vehicle surveillance needs to ensure that its employees are made aware of the surveillance and, importantly, to explain why it is needed. Signs in the vehicle will be useful to this effect, such as on the dashboard and in the cargo area, which can refer employees to the relevant privacy notice.
- Data minimisation
Fleet operators should carefully consider how much data they actually need to collect and what a data subject would reasonably expect from the surveillance system. The ICO video surveillance guidance is clear that audio should only be recorded in rare circumstances. Fleet operators should also consider technical solutions to prevent unnecessary continuous recording. More advanced anti-theft surveillance systems will only operate once a ‘trigger event’ occurs, such as forced entry or any access during certain ‘blocked’ times.
These issues are particularly important where employees are involved. Employees may also use vehicles after work hours for personal use, surveillance of which must be considered with extra sensitivity. In addition to the minimisation points above, fleet operators should: (i) consult with employees prior to implementing any surveillance system; (ii) avoid placing cameras in areas that employees would expect to be private. In the context of vehicles, this could include the cab of the vehicle, especially where the purpose of the surveillance is to monitor valuable contents of the vehicle that are likely to remain in the vehicle’s cargo area; and (iii) explain what ‘triggers’ will activate the system.
To protect members of the public, fleet operators should limit any monitoring of a public place as much as possible. This means angling cameras in such a way that the minimum amount of public space is captured. If this proves difficult, then technical solutions to blur faces or whole areas of the frame may assist.
- Do a Data Protection Impact Assessment (DPIA)
The ICO’s guidance recommends a DPIA where any surveillance system is used. Although this may seem broad brush, it is actually quite easy to see what DPIA ‘triggers’ are in play. In the context of anti-theft vehicle surveillance, the data subjects may be ‘vulnerable’ data subjects (employees, unaware members of the public), the technology will often be an ‘innovative technology’, and the processing could be ‘invisible’ to some data subjects. A DPIA will help uncover unexpected risks to data subjects and will lead to good ‘privacy by design’ practices when implementing the system.
Other privacy concerns
So far I’ve painted a simple picture of an anti-theft video surveillance system; a camera that records unauthorised entries to the vehicle. In reality, most systems are likely to be more complex. Some might include audio monitoring to detect tampering with the vehicle while the vehicle is locked. Others may use facial recognition to recognise the driver/other occupants of the vehicle, bringing with it a raft of onerous compliance obligations relating to the use of this ‘biometric’ data. However, the same key principles apply to any system no matter how complex. It just means your DPIA is likely to be much longer!
/Passle/5f3d6e345354880e28b1fb63/MediaLibrary/Images/2024-12-20-14-40-34-661-676581e2e237a0871914c367.png)
/Passle/5f3d6e345354880e28b1fb63/MediaLibrary/Images/2024-08-23-11-31-07-354-66c872fb971eecc249d83d40.png)
/Passle/5f3d6e345354880e28b1fb63/SearchServiceImages/2024-12-20-10-14-57-827-676543a18b3a544801097a93.jpg)