Overlooked - Liberty
38 Overlooked: Surveillance and personal privacy in modern Britain

adapting, transferring and viewing of images were all considered to be covered when the DPA was
introduced, and the Principles became the foundation of a code of practice for CCTV, devised by
the ICO 74.

Most important is the requirement for fair and lawful processing; this requires that data be processed
for limited purposes and not in a manner incompatible with those purposes. This principle is behind
requirements for signage and a range of control room practices in public visual surveillance systems.
The processor of images (whether the public body itself or a security company contractor) is
responsible for ensuring that processing is carried out lawfully. Where it has grounds, the ICO can
serve a notice asking a data controller for information on its practices, and in extreme cases can
obtain a warrant for inspection and take enforcement action.

Durant v Financial Services Authority

Data protection legislation was not originally envisaged as covering camera-operated visual
surveillance, and before 1998 a conceptual stretch was made to demonstrate that it covered video
recording. The emergence of digital methods, and changes in the law following the implementation
of the European Directive 75, have meant that visual surveillance is becoming a more natural fit
within the data protection regime, although a recent decision of the Court of Appeal 76 has rather
curtailed this more positive trend. The issue in this case arose over the need to show the relevance
of retained data, in order to make a successful application for access to records. In order for the
data protection legislation to apply, information must comply with the definition of ‘personal data’
in the DPA.

The Appeal Court refused Mr Durant access to certain records in the Financial Services Authority’s
(FSA’s) filing system connected with a complaint he had made against Barclays Bank, on the
grounds that they did not qualify as personal data. In order to count as ‘personal data’, and so be
covered by the DPA, it must be information that affected his privacy, whether in his personal or family
life, business or professional capacity. Mr Durant had not been able to show that the information
was close enough to this standard. The tests should be whether information was biographical in a
significant sense, and whether the individual was the focus of the information on file. As a result of
the Durant case, whether any particular piece of information is covered by the DPA will depend on
where it falls along a continuum of circumstances in which an individual might have been involved
to a greater or lesser degree. The implications of the Court’s decision for visual surveillance are
particularly complex, and are still being considered.

The key question must be: how far does the scenario outlined by the court limit the degree to which
data protection bites on the use of visual surveillance technologies?

The Information Commissioner’s initial assessment was that this would depend on the use and
capacity of the system. A Good Practice Note, issued in February 2004, distinguished between
focusing cameras or examining recorded images looking for particular people or examining the

74 CCTV Code of Practice, Information Commissioner, 2000.
75 Directive 95/46/EC (OJ 1995 L281/31), on the protection of individuals with regard to the processing of
personal data and on the free movement of such data led to the Data Protection Act 1998.
76 Durant v Financial Services Authority [2004] F.S.R 28, CA.