The Information Commissioner’s Office (ICO) has released an updated document, In the picture: A data protection code of practice for surveillance cameras and personal information.
The increased use of drones and the overall evolution of CCTV technology have encouraged the ICO to revise a code of practice that had not been updated since 2008.
Drones are coming into common use for broadcasters, police forces and construction companies. Because this use naturally involves capturing footage in public, the ICO saw space for some rules and regulations.
“Individuals may not always be directly identifiable from the footage captured by UAS (unmanned aerial systems), but can still be identified through the context they are captured in or by using the device’s ability to zoom in on a specific person,” the ICO said in its new code. “As such, it is very important that you can provide a strong justification for their use. As with all of the other technologies discussed in this section, performing a robust privacy impact assessment will help you decide if using UAS is the most appropriate method to address the need that you have identified.”
The ICO’s code goes on to say: “One major issue with the use of UAS is the fact that on many occasions, individuals are unlikely to realise that they are being recorded, or may not know that UAV have a camera attached. […] The challenge of providing fair processing information is something that you must address if you decide to purchase UAS. You will need to come up with innovative ways of providing this information.”
I spoke to Steve Watkins, director at IT Governance Ltd, who said: “The need to keep on top of developments and harness the opportunities available from new and emerging technologies is paramount for any business, but not at the cost of what is generally acceptable. Updates to guidance such as this help define the framework for organisations to work within in today’s world with today’s technology including, as an example, what might be factored into procurement requirements for, say, body-worn video equipment.”
Jonathan Bamford, head of strategic liaison at the ICO, published a detailed article about the updated document, which I recommend reading.
What is a privacy impact assessment (PIA)?
A PIA is carried out to ensure privacy protection is taken into consideration when planning and implementing a project. “A PIA is designed to go further than a straightforward compliance check against the DPA or other legislation,” the Information Commissioner’s Office said.