The Data Protection Implications of Using Body Worn Video Technology

Martin Brazier | Senior Consultant at URM

Published on 29 August 2025

SUMMARY

Martin Brazier looks at the data protection issues that organisations need to consider when their employees are currently using or planning to use body-worn video technology (collectively referred to as BWV).  We explain how GDPR principles such as lawfulness, transparency, minimisation, and accountability apply to BWV, and stress the importance of data protection impact assessments (DPIAs), staff training, and clear retention policies.  We also cover practical considerations, including handling data subject access requests (DSARs), managing breaches, and ensuring strong leadership oversight.

By capturing images of individuals, BWV devices process personal data and are therefore subject to applicable data protection legislation.  For UK organisations, this means compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).

BWV is a form of surveillance technology, and its use can be emotive and poses a different set of risks to many other personal data processes.  How can organisations assess whether to use body worn cameras, gauge the data protection risks and ensure those risks are mitigated?

Understanding the Basics

For any type of personal data processing, there are a number of aspects to consider.  The first is the basics.  What are you looking to use BWV for, and why?  Can you meet your aims without using the technology and, if you do use it, what are your constraints?  Do you already have a data protection regime in place for other types of processing?  If you do, this will give you a head start in achieving compliance.  This could mean that you may only need to edit your record of processing activities (ROPA), policies and privacy notices, rather than draft them from scratch.  However, if you decide to go ahead with BWV, you will need to meet the data protection principles, data subject rights and other requirements of the legislation.

How Can I Prepare for Implementing Body Worn Video?

First, you should read the available guidance and advice to gain an understanding of what will be required;  the Information Commissioner’s Office (ICO) has issued guidance, and there is help available from the European Data Protection Board, from the Home Office on safeguarding body worn video data and from the Surveillance Camera Code of Practice.  Reviewing these resources at the outset will help you gain a clear understanding of the regulatory expectations and considerations that should inform your approach.

Data Protection by Design and Default

By adopting data protection by design and default, organisations are taking a proactive approach to protecting privacy and personal data.  Such an approach requires organisations to integrate privacy considerations into the planning and development of systems and processes from the outset.  It ensures that data protection is not an afterthought, but that it is instead built into the core of any data processing activity.

The key tool for data protection by design and default is the data protection impact assessment (DPIA); Article 35 of the UK GDPR requires that a DPIA is undertaken if the processing in question is likely to result in a ‘high risk’.  However, whether you assess your processing as high risk or not, a DPIA is a great tool to lead you through your thought process and create a valuable record of your preparation and decision making, helping you to comply with your obligations under the accountability principle.  It helps you to systematically analyse data protection risks and identify how you will mitigate them.  Data protection compliance is difficult to achieve retrospectively, so it is vital that the DPIA is completed before you select which equipment you intend to use. For example, you may decide that in some circumstances it will not be necessary to record audio as well as video, so in that case, the equipment you choose must be able to record video or audio or both.

Complying With the Data Protection Principles

Lawfulness, fairness and transparency principle

Once you have decided what your BWV will be used for, you need to establish a lawful basis for processing.  It is often difficult to obtain genuine consent for using BWV, so you may have to rely on legitimate interests as your lawful basis, unless you are a public body and can rely on public task.  If you decide on legitimate interests, you should complete a legitimate interest assessment (LIA), which will help you to balance your interests in processing the data against the potential impact on individuals' rights and freedoms (to learn more about LIAs, read our blog on How to Conduct a Legitimate Interest Assessment (LIA)).

A good test of fairness is whether individuals would reasonably expect you to use BWV in the circumstances in which you intend to use it.  The use of BWV by the police is more widely accepted, but individuals might not be comfortable with its use nor think its use fair in other contexts, such as in hospitals or schools.

Transparency is vital, and you will need to be clear about the use of BWV in your privacy notices.  But there may also be a need for operatives wearing BWV to issue leaflets or announce to individuals that they are being recorded and why.  Standard scripts would be useful here, and training for staff will be vital to help you remain compliant.  You should also communicate more widely with the likely data subjects, to inform them why you may use BWV and the context in which it would be used.  There could be a discrete set of individuals, such as in a community, location or customer base, and it is important that you listen to their concerns and address them where you can.

Purpose limitation principle

You must decide what BWV is being used for and, as importantly, what it is not being used for, so that you can ensure recording is necessary for the intended purpose.  Again, staff training is vital so that operatives know when to use video, when to record audio and the circumstances under which they must not record.

Data minimisation principle

As is the case for compliance with the purpose limitation principle, operatives need to be trained about the circumstances under which they must – and must not – record.  This principle also spills into the requirement for retention and deletion of data, more of which later.

Accuracy principle

This requires that data is accurate and, where necessary, kept up to date.  The practical aspects of achieving compliance are that the recording should capture what it is intended to capture for the purpose you have set out.  For example, where capturing audio and video, operatives need to be sure that the camera is not obscured or capturing ineffective footage in such a way that audio could be taken out of context, and that it avoids capturing other data subjects unintentionally.

Storage limitation principle

Once footage is captured and stored, you need to be clear about how long it will be retained.  If your purpose is to prevent and detect crime, for example, and the footage does not detect a crime, do you need to keep the footage?

You may decide that footage can be deleted automatically after a certain period unless action has been taken to preserve it, because it serves the purpose for which it was captured.  You should never keep all footage indefinitely or ‘just in case’.

Integrity and confidentiality principle

This requires that you implement all appropriate technical and organisational measures (TOMs) to protect the data.

Organisational measures would include policies and procedures to ensure the system isn’t misused and to protect vulnerable individuals.  Regular staff training and awareness is vital, and should include listening to feedback from operatives so that you are aware of any operational issues and challenges.

Technical measures will include maintaining a secure IT system by limiting access to footage on a need-to-know basis and considering encryption.  It would also include checking BWV equipment periodically to ensure it functions as intended.

Accountability principle

You need to be able to demonstrate that your processing is compliant.  Your DPIA will go some way to achieving this, but a programme of reviewing policies and procedures, auditing GDPR compliance, and checking and testing equipment is likely to be required.

Anything Else to Bear in Mind?

Data subject rights

As with any personal data processing, you need to be able to comply with requests from data subjects to exercise their data protection rights.  Once you start using BWV, individuals will ask you for a copy (known as a data subject access request or ‘DSAR’) and, whilst they are entitled to footage involving them, they are not entitled to footage of others.  As such, you must redact both video and audio; this will require specialist skills and software to achieve, and the effort and cost to meet this requirement should not be underestimated.  The legislation does not require you to retain footage just in case it is requested, and if the footage has been deleted as part of your retention and disposal policy you do not need to provide it, which may help you balance your proposed retention period.  (It is, however, an offence to delete it after it has been requested!)

Data subjects may also ask you to delete footage or exercise other rights, and you should have staff trained to be able to recognise such requests, process them, and provide a response, as well as equipment and software to support them.  If you use BWV, you may also receive complaints, so you need to have a process and staff training in place to answer complaints from data subjects.

Breaches

There is a requirement to report breaches of personal data to the ICO within 72 hours, unless the data breach is unlikely to result in a risk to individuals’ rights and freedoms.  When the breach is likely to result in a high risk to the rights and freedoms, you must communicate the breach to the data subjects without undue delay.

Consequently, you will need staff to report all breaches quickly, so that they can be assessed to decide whether they need to be notified to the ICO or data subjects.  You should keep a log of all breaches and ‘near misses’, however minor, because this will help you to identify the mechanisms by which breaches are occurring and rectify them by changing procedures or providing further training.

Data Sharing

You may need to share BWV with others, such as the police or clients.  You should identify and record the circumstances and conditions under which any data sharing will take place, and if it is regular sharing, you may consider putting a data sharing agreement in place.

Leadership

Body worn video can be a useful business tool, but the business leadership needs to be aware of the unique risks it poses.  The leadership should be proactive in monitoring the use of BWV, by requiring periodic reports on usage, equipment checks, training attendance, DSARs, breaches, complaints and audits.  It is important that the leadership establishes the appropriate culture around the use of BWV, including a ‘no blame’ culture to ensure staff report breaches and near misses.

How URM Can Help

Navigating the nuances of data protection law and its requirements can be difficult without help.  As such, URM can offer your organisation a range of GDPR support services to ensure it meets the relevant compliance requirements in full.

For example, URM’s consultants can conduct a GDPR gap analysis, where we review your organisation’s processing against the requirements of the Regulation, and provide a prioritised plan for remediating any issues we identify.  Our team can also help you complete key compliance documentation and activities, such as your RoPA, DPIAs and data transfer impact assessments (DTIAs).  Meanwhile, if your organisation receives DSARs, leverage our GDPR DSAR redaction service, where we will apply the necessary exemptions and redactions to ensure you provide a compliant response.  For ongoing support, our virtual data protection officer (vDPO) service enables you to access an entire team of GDPR consultants, each with their own area of specialism.

As well as our consultancy services, URM also regularly delivers a range of data protection training courses.  To gain an industry-recognised DP qualification, attend URM’s BCS Certificate in Data Protection (CDP) course, which will fully prepare you to sit and pass the BCS-invigilated examination.  Or, if you would like to learn how to conduct key compliance activities, you can attend our half-day training courses on Conducting DTIAs, Conducting DPIAs, and our 1-day course on How to Manage DSARs.

Martin Brazier
Senior Consultant at URM
Martin is a highly experienced and knowledgeable GRC consultant at URM specialising in data protection. He holds BCS Certificates in Data Protection and Freedom of Information and achieved Certified Information Privacy Professional (Europe) (CIPP/E). He also holds BCS Certificates in Information Security Management Principles, Business Continuity Management and Information Risk Management.