Information Commissioner's Office
Blog: Continuous CCTV in taxis – where do councils stand?
Blog posted by: Elizabeth Denham, 14 August 2018.
Suitable for councils and other organisations using surveillance and CCTV systems.
CCTV cameras have become a part of our everyday lives, we go about our business largely unaware of them. They can serve as a valuable tool for security, crime prevention and detection.
However, capturing a person’s movements on camera is intrusive, and, as you’d expect, subject to strict data protection and human rights laws.
Those laws say that organisations have to think through the privacy implications carefully before implementing any type of CCTV or surveillance system.
And while there are many areas of concern around surveillance, one particular issue we are currently dealing with is the rise of CCTV cameras in taxis.
Councils across the UK have installed the cameras in licensed taxis as a way to combat crime, and to protect drivers and vulnerable passengers.
But we have discovered that many of these CCTV systems are activated whenever a vehicle is running. They operate continuously, including when the taxi is being used privately by the driver.
That means it’s switched on when drivers are picking up their children from school, taking the family shopping or heading off on holiday driving to another part of the country. Taxi drivers, like all of us, have a right to privacy. And that right is enshrined in law.
The law states that the processing of personal data should be necessary for its purpose and proportionate. So where a taxi is being used by a driver for their own private or domestic purpose, continuous recording is likely to be unlawful, unfair and excessive under data protection legislation and in breach of Article 8 of the Human Rights Act 1998.
It’s not just continuous recording that raises concerns. There’s also the question of who controls the processing of this data. In most circumstances a council which instructs systems to be installed should be responsible for the data. It’s the council which is the data controller, not an individual taxi driver. Councils need to make sure they understand this part of the law.
Before introducing any new CCTV or surveillance system, councils need to stop, think and check that they’ve taken the appropriate mitigating actions to minimise the risk of the loss or misuse of personal data captured by CCTV. The ICO has powers to stop the processing of personal data and to take action against any organisation breaking the law.
With this in mind we’ve put together three key points for councils:
Start at the beginning
You need to go back to the start of your project and consider the problem you are seeking to address and whether a CCTV system would be a necessary, justified and effective solution.
Take into account whether other, potentially less intrusive solutions exist that can achieve the same aim, as well as the effect that each aspect of the CCTV system may have on individuals, and whether their use is a proportionate response to the problem identified.
Conduct a Data Protection Impact Assessment (DPIA)
Data protection law has changed - new legislation states that Data Protection Impact Assessments (DPIAs) must be carried out prior to the roll-out of any intrusive surveillance system - CCTV in taxis is likely to be one of these systems. You need to be able to demonstrate you have conducted a DPIA to the ICO. There’s more information on DPIAs on our website.
If you decide that a CCTV system is required, then a ‘privacy by design’ approach should be considered when making decisions about which equipment to purchase. You should identify which equipment is the most appropriate to meet the need and purposes it is required for.
It’s a guide to how you should be running your system, plus it highlights particular problem areas and the fact that your CCTV system needs to be registered with the ICO.
We’ll be continuing our work in this area offering councils advice and guidance where necessary.
Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.
Latest News from
Information Commissioner's Office
Blog: Community groups and COVID-19: what you need to know about data protection01/04/2020 09:10:00
Blog posted by: Ian Hulme, Director for Regulatory Assurance at the ICO, 30 March 2020.
Statement in response to the use of mobile phone tracking data to help during the coronavirus crisis30/03/2020 12:25:00
The ICO’s Deputy Commissioner Steve Wood recently responded to the use of mobile phone tracking data to help during the coronavirus crisis.
Blog: Community groups and COVID-19: what you need to know about data protection27/03/2020 13:20:00
A blog by Ian Hulme, Director for Regulatory Assurance at the ICO.
Council employee fined £400 for illegally deleted audio file16/03/2020 10:25:00
A council employee has been fined £400 for an offence under the Freedom of Information (FOI) regulations.
Data protection and coronavirus12/03/2020 15:25:00
We all share the same concerns about the spread of the COVID-19 virus. The need for public bodies and health practitioners to be able to communicate directly with people when dealing with this type of health emergency has never been greater.
Blog: Don’t get caught out when it comes to pupil photos10/03/2020 15:10:00
Blog posted by: Andrew Laing, ICO Head of Data Protection Complaints, 09 March 2020.
Combining privacy and innovation: ICO Sandbox six months on10/03/2020 12:25:00
It’s been an exciting, interesting and challenging first six months for the ICO Sandbox – both for those externally involved in the various projects and for the ICO staff working on the scheme. Ian Hulme discusses the progress so far.
The ICO and the Office of the Australian Information Commissioner sign Memorandum of Understanding06/03/2020 12:25:00
James Dipple-Johnstone (Deputy Commissioner) yesterday commented on the signing of the Memorandum of Understanding.