Operating CCTV lawfully

A county court judge has ruled that Islington Council’s operated its CCTV system lawfully. Sam Fowles explains why.

The County Court at Clerkenwell and Shoreditch has confirmed that Islington London Borough Council’s CCTV surveillance system operates on a lawful basis. An employee of one of Islington’s contractors brought a claim against the Council alleging various breaches under Articles 5 and 6 of the General Data Protection Rules (GDPR, now the UK GDPR). The case concerned CCTV footage that captured an altercation between the Claimant and a member of the public. The footage was identified by Islington after the member of the public lodged an official complaint and handed on to the Claimant’s employers under the terms of an existing data-sharing protocol. The Claimant argued that Islington had no lawful basis for processing his data and/or handing it to his employer.

The case had significance beyond its facts because, had the court found that Islington lacked a lawful basis for collecting the Claimant’s data, it would have thrown into question all of the personal information collected through Islington’s CCTV system, potentially requiring Islington (and perhaps even other local authorities) to cease using CCTV to surveil public or semi-public spaces and leaving the authority liable to hundreds of thousands, if not millions, of claims.

The court found that Islington had a lawful basis for collecting the Claimant’s data under Article 6(1)(e) of the GDPR, which permits the collection of personal data where it is necessary for a public purpose. That purpose was conferred on the Defendant by section 163 of the Criminal Justice and Public Order Act 1994 and section 17 of the Crime and Disorder Act 1998 (which provide for an explicit power for public authorities to operate CCTV and require them to consider using their powers to reduce crime and disorder).

The court also found that Islington had a lawful basis for the processing of the Claimant’s special category data (to the extent that it did so), under Article 9(2)(g), for the same reasons.

The Claimant succeeded only on a single point: the allegation that Islington had not fully discharged its duty to process data transparently. Under normal circumstances, Islington identifies the areas in which CCTV cameras operate through the use of signage. When officers checked the signage in the relevant area, they found that it had been removed. The Claimant was, therefore, allowed to rely on the absence of signage.

The Claimant claimed damages in the region of £20,000 and the same amount again in costs. He was awarded £700 in damages and a small percentage of his costs (meaning that he spent more than double on the claim than he recovered).

Comment

The court’s decision will be welcome to all local authorities that operate CCTV schemes. Islington may, however, have avoided liability altogether had it relied on Part 3 of the Data Protection Act (which governs “law enforcement processing”) rather than Part 2 (which governs “general processing” under UK GDPR). Part 3 allows the data controller to avoid many of the transparency obligations imposed under Part 2.

Sam Fowles is a barrister at Cornerstone Barristers. He acted for Islington Council.