• Contact Us

What Are the Data Security Issues With Surveillance Camera Systems?

on Friday, 22 May 2020.

Public authorities control personal data through a wide variety of systems and are therefore always at risk of data security issues arising.

Here we look at a recent incident involving traffic cameras which flags this issue - and provide some recommendations and tips for minimising risks.

What Happened?

Personal data that was gathered from an ANPR (automatic number plate recognition) system utilised by Sheffield City Council and South Yorkshire Police has been accidentally made available to the public through a website.

An information security expert found that the internal management dashboard of the camera system could be accessed via a web browser by entering the ANPR system's IP address. This exposed the details of thousands of motorists, and it has been reported that there were a total of over 8.5 million records of vehicle movements, which could be searched via the dashboard.

Both Sheffield City Council and South Yorkshire Police have taken steps to address the issue, and the information is no longer available to the public. They have confirmed that they will be taking joint responsibility for working to address the breach, and the Information Commissioner's Office (ICO) has been informed of the incident and will also be investigating.

Areas that will likely be considered include:

  • the due diligence that the parties conducted on the system
  • the consideration that they had to information security
  • whether a data protection impact assessment (or DPIA) was conducted at the outset.

Tony Porter, Britain's Surveillance Camera Commissioner has confirmed that he will be requesting a report into the incident, and hopefully this should assist in fleshing out responses to the concerns of the public.

Coronavirus Legal Advice

Our Tips for Organisations Utilising New Technology

When considering utilising a new technology we recommend that organisations proceed with caution, and ensure that all angles have been contemplated, and risks mitigated, before implementing privacy intrusive technology, such as surveillance cameras.

In our experience, well intentioned solutions which take advantage of the latest technology to assist with specific projects (such as monitoring the carbon emissions of densely populated cities) can become subject to 'purpose creep', whereby the use of the technology expands into areas which had not previously been considered. This is usually done without due consideration for the privacy implications, and a solution which was carefully mapped out to ensure it was proportionate to the original aims, is suddenly being used to assist in areas which were not originally anticipated.

Our top tips for organisations who are considering the use of such surveillance technology include:

  • Carry out detailed due diligence on the systems. This will include ensuring that information security standards are up to standard as well as considering issues such as where the information will be stored, who can access it, and for how long it will be kept for.
  • Consider whether the use of technology is a proportionate and responsible approach to the issue at hand. If the same aim can be achieved by less privacy intrusive methods then these should be employed in the first instance.
  • Conduct a data protection impact assessment (DPIA) if required by the GDPR. It can also be a good idea to carry out a DPIA on a voluntary basis even if the legal obligation to do a DPIA has not been met. This is because a DPIA will help you to identify and mitigate data protection risks and may be seen as a mitigating factor by the ICO should a breach happen.
  • Ensure that you are meeting your transparency obligations. Individuals have a right to know that their personal data is being collected, as well as that it is being stored securely. A key part of using new technology is engaging with individuals to ensure that they are appropriately informed about how their data is being used. Meeting this requirement can be challenging in the context of surveillance and it should be noted that there are some limited exemptions in the GDPR from the transparency requirements.

If you need specialist advice on your organisation's use of technology, please contact Andrew Gallie or Bronwen Jones in our Information Law team on 07467 220831 or 07818 018215, or complete our contact form below.

Get in Touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

Telephone
Please insert your telephone number.

How would you like us to contact you?

Invalid Input

How can we help you?(*)
Please limit text to alphanumeric and the following special characters: £.%,'"?!£$%^&*()_-=+:;@#`

See our privacy page to find out how we use and protect your data.

Invalid Input