Data Protection and Community Based CCTV Schemes
In recent months numerous articles have been published, particularly in regional and local newspapers, with regard to the roll-out of Community based CCTV schemes and to the reported difficulties which the roll-out of such schemes is encountering in some counties. A common theme running through these articles is the perception that proposed new schemes are encountering data protection difficulties and are unable to proceed. We wish to clarify the position of the Data Protection Commission with regard to the application of data protection law to Community based CCTV schemes.
First and foremost, it is not the case that data protection law is preventing the commencement and operation of Community based CCTV schemes. CCTV cameras capture the images of individuals and, accordingly, they process personal data. Under data protection law, the processing of personal data requires a legal basis. Community based CCTV schemes have such a legal basis under Section 38 of the Garda Síochána Act, 2005. This Section provides that the Garda Commissioner may authorise the installation and operation of CCTV for the sole or primary purpose of securing public order and safety in public places by facilitating the deterrence, prevention, detection and prosecution of offences. Authorisation may be given to An Garda Síochána or to “persons who meet the established criteria and whose application for authorisation in respect of a specified area within the administrative area of a local authority has been approved by the local authority after consulting with the joint policing committee for that administrative area.” (Commonly referred to as ‘Community based CCTV schemes’). The criteria to be met for Community based CCTV schemes are set down in a statutory instrument, namely S.I. No. 289 of 2006 which came into force on 30 May, 2006. In addition, a ‘Code of Practice for Community Based CCTV Systems’ was developed and published jointly by the Department of Justice and Equality and An Garda Síochána.
Amongst the conditions to be met in order to obtain authorisation of the Garda Commissioner for the installation and operation of a Community based CCTV scheme are the following:
- The CCTV scheme has been approved by the local authority after consultation with the joint policing committee for that administrative area;
- The CCTV scheme will comply with technical specifications issued by the Garda Commissioner and will be operated in accordance with the Code of Practice;
- Members of An Garda Síochána will be given access at all times to the CCTV system for the purposes of supervising and controlling its operation and retrieving information or data recorded by it; and
- The local authority gives an undertaking that it will act as a data controller in respect of the CCTV system.
In summary, for the purpose of security in public places, provisions have been made in Section 38 of the Garda Síochána Act, 2005 and S.I. No. 289 of 2006 for the installation and operation of Community based CCTV schemes where the local authority in whose administrative area the scheme is located acts as the data controller. Accordingly, once such schemes are authorised by the Garda Commissioner, having met the required criteria, they have sufficient legal basis to meet data protection requirements to lawfully process personal data.
It is also not the case that the EU General Data Protection Regulation (GDPR) has introduced new barriers to the installation of Community based CCTV schemes. The requirement for a legal basis to process personal data has been in place in Ireland for almost thirty years. The fundamental principles of data protection under the GDPR, while enhanced, are very similar to those that existed under the Data Protection Acts, 1988 & 2003. The Data Protection Commission would expect all local authority data controllers who operate Community based CCTV systems to be fully aware of their responsibilities with regard to safeguarding the data protection rights of individuals, including the requirement to conduct, where necessary, Data Protection Impact Assessments.
Since the GDPR came into force in May 2018, every public body in the State, including local authorities, has been obliged to designate a Data Protection Officer (DPO) whose tasks include informing and advising the data controller on their obligations under the GDPR as well as monitoring compliance with the GDPR. The Data Protection Commission would expect that DPOs in local authorities would play an active role in monitoring the data controller’s compliance with the GDPR with regard to the operation of any Community based CCTV schemes for which the local authority acts as the data controller. Incidentally, this monitoring of the data controller’s compliance with the GDPR or the responsibility of the data controller to monitor compliance with the Code of Practice does not place an obligation on data controllers to monitor the CCTV camera live feeds on a continuous basis.
Inquiry by the Data Protection Commission
The Data Protection Commission is currently carrying out a very broad inquiry into surveillance of citizens by the State sector for law enforcement purposes through the use of technologies such as CCTV, body worn cameras, Automatic Number Plate Recognition-enabled systems and drones. This inquiry is currently focussing in its first module on the thirty-one local authorities in Ireland and in a second module on An Garda Síochána. Both modules involve comprehensive auditing by a team of Authorised Officers of the use of these technologies by the data controllers concerned under both the GDPR and the Law Enforcement Directive. One of the many aspects of these modules is the auditing of the deployment of Community based CCTV systems. In that regard, the inquiry is examining, for example, whether Section 38 of the Garda Síochána Act, 2005 is being fully complied with in relation to such matters as whether the Garda Commissioner has approved all schemes that are in operation at present and if and how the data controller obligations are being met by the local authorities as required under that Act.
As each local authority is a separate data controller, our inquiry is, in effect, conducting thirty-one separate audits in that sector. As each audit concludes, we intend to issue an audit report to each local authority containing the findings of the audit in respect of the data controller concerned. We have no plans at present to issue one single national report, as the audits are being conducted in thirty-one separate administrative areas, each with its own data controller; however, we may publish a summary of common findings across all the local authorities examined.
In short, our inquiry is auditing, among many other things, existing Community based CCTV schemes to establish whether they are being run by the data controllers concerned in accordance with the principles of data protection. In practical terms, this includes an examination of matters such as transparency (such as public signage), retention periods for recorded footage, security of systems, access to systems and logging thereof, and cooperation with requests by An Garda Síochána for copies of footage in the context of the investigation of crime.
For the sake of clarity, it is important to note that the Data Protection Commission has not called for any pause on the roll-out of any proposed Community based CCTV schemes or for the decommissioning of any existing scheme that has been authorised by the Garda Commissioner. By its very nature, an inquiry of the type outlined above must have the capacity to examine the current state of play in Community based CCTV schemes which are in full operation.
Data protection legislation does not stand in the way of the roll-out of Community based CCTV schemes that have been authorised by the Garda Commissioner. Once the local authority in the administrative area concerned is willing to take on and deliver on its responsibilities as a data controller for the schemes concerned, there is no legal impediment under data protection legislation to the scheme commencing.
The ongoing inquiry by the Data Protection Commission does not stand in the way of the continued operation of existing Community based CCTV schemes that have been authorised by the Garda Commissioner and for which the relevant local authority has undertaken to act as data controller and which are implemented in accordance with the requirements for appropriate governance and controls. In due course, the Data Protection Commission will consider the findings of each audit report on a case by case basis in making a decision as to whether infringements by the data controller, or by data processors working on its behalf, have occurred or are occurring, and the Data Protection Commission will also decide then whether a corrective power should be exercised.