Information Commissioner’s Office: data protection

Judith Jones, Senior Policy Officer, Strategic Liaison – public security

16 November 2011


The role of the ICO

• Enforce and regulate:

– Data Protection Act

– Freedom of Information Act

– Environmental Information Regulations

– Privacy and Electronic Communications Regulations

• Provide information to individuals and organisations

• Adjudicate on complaints

• Promote good practice

About the ICO

• 206,585 – calls to our helplines

• 339,298 – organisations notifying

• 29,685 – data protection cases closed

• 4,369 – freedom of information cases closed

• Public awareness of data protection rights 89%

• Public awareness of freedom of information rights 84%

The data protection principles

1. Fair and lawful processing

2. Specified purposes

3. Personal data shall be adequate, relevant and not excessive

4. Accurate and up to date

5. Personal data shall not be retained longer than is necessary

6. Individuals have rights

7. Appropriate technical and organisational measures to secure the personal data

8. No transfer outside of the European Economic Area except where there is adequate protection at destination.

ANPR data – personal information?

• Identifiable information: vehicle keeper identified by the VRM and other “readily available” information

• Useful tool in detecting and preventing crime, public safety, managing car parks and traffic

• Limited consequences for most people

• But tracking vehicle movements of huge numbers of people who have done nothing wrong brings data protection responsibilities

ICO’s CCTV code of practice

• Data Protection Act applies to images of individuals or information derived from images related to them (eg VRMs)

• Covers UK, all sectors

• Helps CCTV operators comply with legal obligations

• Focus on data protection

• Education – intervene/enforce where risks high. Monetary penalties for serious breaches

ANPR data: data protection issues

• Lack of awareness that often ANPR is personal data

• Who is the data controller?

• Fairness - signage

• Purpose of collecting the data – car park management, prevention and detection of crime, public safety

• Accuracy of underlying databases – DVLA, hotlists

• Excessive retention of “reads”

• Retention of “hits” for DVLA audit purposes

• Sharing of information eg with police

Further CCTV regulation

ICO view:

• Want effective CCTV and ANPR regulation

• Want to see improved standards

• Don’t want to see a weakening of data protection standards or a perception that data protection no longer applies to CCTV

Protection of Freedoms Bill

• Surveillance Camera Code

• Surveillance Camera Commissioner

What about data protection?

• Data Protection Act continues to apply to images of individuals – or information derived from images related to them (eg VRMs)

• Wider geographic scope - DPA covers UK

• DPA covers all sectors, public and private space except for domestic use

Surveillance camera code

• Minister has confirmed that ICO remains responsible for data protection

• Welcome provision in the Bill that Secretary of State has to consult ICO on code

• Agree clarity and co-ordination are essential

• Committed to working closely with Surveillance Camera Commissioner

Public attitudes to CCTV/ANPR

• Public trust and confidence – can’t be taken for granted

• More access requests

• Expect proper control and fair use

• Privacy concerns about new proactive technologies

Fairness is the key

• Be honest and open about how you use information

• Do people understand what you are doing and why?

• The more unexpected the processing, the more sensitive the data, the more you need to do

• No surprises

Disclosure of information

• Disclosure of images must be controlled

• Appropriate to disclose data to law enforcement agencies on a case-by-case basis so as not to prejudice the prevention and detection of crime

• Release of CCTV images to the media for identification purposes should generally be through law enforcement agencies

Data quality

• Accurate records – fit for the purpose

• Cleaning up existing information resources such as hotlists

• Making corrections and informing others e.g. problems caused by cloned plates

• Compatibility of information systems, format of names, dob’s etc

• Common defined retention periods

Data sharing code of practice

• DPA is not a barrier where information sharing is justified, necessary and proportionate

• DPA provides a framework for sharing in a secure, lawful and reasonable way

• Limitations and safeguards are essential

• Vital to get this right with partnerships, multi-agencies, outsourcing

• Statutory code

ICO approach to enforcement

• New powers and monetary penalties but primary focus is education, awareness, good practice

• Strengthening public confidence by making it:

– easier for the majority of organisations who seek to handle personal information well

– tougher for the minority who do not

• Calling for tougher penalties for people who misuse data and stronger audit powers

Getting it wrong

• Monetary penalty notices

– Applicable to serious infringements likely to cause damage or distress

– Either deliberate or knew (or should have known) the risks

– Failed to take reasonable steps to prevent the contravention

– If standards are widely known and used and you are not using them this will stand out

Reducing the risk

• Knowing what information is held – sensitive images?

• Access – levels of control

• Data sharing – communication methods

• Policies and procedures?

• Staff awareness?

Good practice

Reducing risk requires:

– Leadership - accountability

– Assessing what can go wrong (how, how often, how much)

– Keep up to date and agile with new technology

– See staff not just as a vulnerability but also as a first line of defence

Keep in touch

Subscribe to our e-newsletter at www.ico.gov.uk

or find us on…

www.twitter.com/iconews