Data Protection Commissioner

Barcode/Westwood Club: Failure to comply with an access request for CCTV footage

I received a complaint from a data subject alleging that Barcode Night Club of WestWood Club in Clontarf did not comply with his access request for CCTV footage in respect of himself, which had been recorded at a specified time in the early hours of a morning in August 2005. The data subject requested footage specifically from the cloakroom inside Barcode Night Club and outside the main gate. He had been involved in an incident inside and outside Barcode Night Club, had his wallet stolen and he was injured as a result.

The data subject made his access request and, in doing so, he referred in his letter to the data controller's obligations under the Acts. He included a reference to my Office's website where the data controller could "see all the details surrounding the Act." After the 40 days had elapsed, during which time his access request had not been complied with, he contacted the manager of Barcode/Westwood Club and she said she would look into it. When he called her again on a later date he was told that Barcode/Westwood Club would not be giving him a copy of any data.

My Office commenced an investigation and wrote to the Manager of Barcode/Westwood Club. In a response received from the solicitor for the Club, my Office was advised that the Club no longer had CCTV footage from the relevant time and that it was not aware, at the time that the access request was made, of its obligations under the Data Protection Acts to provide such footage (if it existed then).

The right of access under the Acts to one's own personal data is a key right and it is the starting point for obtaining control over the use of one's own data. CCTV images which capture an individual are personal data relating to that individual within the meaning of the Acts. The Acts define "personal data" as "data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller".

I could not accept the explanation offered on behalf of Barcode/WestWood Club that they were not aware of their obligations under the Acts when they received the data subject's access request. This is especially so as the data subject specifically brought their obligations under the Acts to their attention. The solicitors introduced a question as to whether the data existed at the date of the access request, which was twelve days after the date in respect of which the CCTV footage had been sought. However, they subsequently copied to my Office a document which stated that "CCTV tapes are held for 31 days unless the Gardaí make an official request to download to a master tape." It seemed unlikely to me, therefore, that the data had been deleted at the stage of the access request. This retention policy reflects industry practice which is to retain such footage for 28 days. It is also important to emphasise that pursuant to Section 4(5) of the Acts, the deletion of data is not permissible following receipt of an access request - the Data Controller's obligation is to provide whatever data exists at the time the access request is received.

In March 2006, I issued my Decision on this case under Section 10(1)(b)(ii) of the Acts. I found that the data subject was entitled to a copy of the CCTV footage held by Barcode/WestWood Club in respect of the early hours of the morning concerned in response to his access request. I also found that Barcode/WestWood Club were in contravention of Section 2(1)(c) of the Acts as they failed to keep a copy of the CCTV tape as per their own procedures given to my Office. The specified purpose in this case was for the data subject's access request.

There is an onus on businesses which use CCTV cameras to make themselves aware of their data protection obligations. The eight principles of data protection apply to images of persons captured by such cameras, as they do to all other personal data. In particular, data controllers should be aware of the limited retention period which applies to such personal data as well as the need for transparency and proportionality in the operation of CCTV systems.