Information Commissioner’s Office: data protection
Judith Jones
Senior Policy Officer
Strategic Liaison – public security
16 November 2011
The role of the ICO
• Enforce and regulate:
– Data Protection Act
– Freedom of Information Act
– Environmental Information Regulations
– Privacy and Electronic Communications Regulations
• Provide information to individuals and organisations
• Adjudicate on complaints
• Promote good practice
About the ICO
• 206,585 – calls to our helplines
• 339,298 – organisations notifying
• 29,685 – data protection cases closed
• 4,369 – freedom of information cases closed
• Public awareness of data protection rights 89%
• Public awareness of freedom of information rights
84%
The data protection principles
1. Fair and lawful processing
2. Specified purposes
3. Personal data shall be adequate, relevant and not
excessive
4. Accurate and up to date
5. Personal data shall not be retained longer than is
necessary
6. Individuals have rights
7. Appropriate technical and organisational
measures to secure the personal data
8. No transfer outside of the European Economic
Area except where there is adequate protection at
destination.
ANPR data – personal information?
• Identifiable information: vehicle keeper identified
by the VRM and other “readily available”
information
• Useful tool in detecting and preventing crime,
public safety, managing car parks and traffic
• Limited consequences for most people
• But tracking vehicle movements of huge numbers
of people who have done nothing wrong brings
data protection responsibilities
ICO’s CCTV code of practice
• Data Protection Act applies to images
of individuals or information derived from images
related to them (eg VRMs)
• Covers UK, all sectors
• Helps CCTV operators comply
with legal obligations
• Focus on data protection
• Education – intervene/enforce
where risks high. Monetary penalties
for serious breaches
ANPR data: data protection issues
• Lack of awareness that often ANPR is personal
data
• Who is the data controller?
• Fairness - signage
• Purpose of collecting the data – car park
management, prevention and detection of crime,
public safety
• Accuracy of underlying databases – DVLA, hotlists
• Excessive retention of “reads”
• Retention of “hits” for DVLA audit purposes
• Sharing of information eg with police
Further CCTV regulation
ICO view:
• Want effective CCTV and ANPR regulation
• Want to see improved standards
• Don’t want to see a weakening of data
protection standards or a perception that
data protection no longer applies to CCTV
Protection of Freedoms Bill
• Surveillance Camera Code
• Surveillance Camera Commissioner
What about data protection?
• Data Protection Act continues to apply to images
of individuals – or information derived from
images related to them (eg VRMs)
• Wider geographic scope - DPA covers UK
• DPA covers all sectors, public and private space
except for domestic use
Surveillance camera code
• Minister has confirmed that ICO remains
responsible for data protection
• Welcome provision in the Bill that Secretary of
State has to consult ICO on code
• Agree clarity and co-ordination are
essential
• Committed to working closely with
Surveillance Camera Commissioner
Public attitudes to CCTV/ANPR
• Public trust and confidence – can’t be taken for
granted
• More access requests
• Expect proper control and fair use
• Privacy concerns about new proactive technologies
Fairness is the key
• Be honest and open about how you use
information
• Do people understand what you are doing and
why?
• The more unexpected the processing, the more
sensitive the data, the more you need to do
• No surprises
Disclosure of information
• Disclosure of images must be controlled
• Appropriate to disclose data to law enforcement
agencies on case by case basis so as not to
prejudice the prevention and detection of crime
• Release of CCTV images to the media for
identification purposes should generally be
through law enforcement agencies
Data quality
• Accurate records – fit for the purpose
• Cleaning up existing information resources such
as hotlists
• Making corrections and informing others e.g.
problems caused by cloned plates
• Compatibility of information systems, format of
names, DOBs etc
• Common defined retention periods
Data sharing code of practice
• DPA is not a barrier where information sharing is
justified, necessary and proportionate
• DPA provides a framework for sharing in a secure,
lawful and reasonable way
• Limitations and safeguards are
essential
• Vital to get this right with
partnerships, multi-agencies,
outsourcing
• Statutory code
ICO approach to enforcement
• New powers and monetary penalties but primary
focus is education, awareness, good practice
• Strengthening public confidence by making it:
– easier for the majority of organisations who
seek to handle personal information well
– tougher for the minority who do not
• Calling for tougher penalties for people who
misuse data and stronger audit powers
Getting it wrong
• Monetary penalty notices
– Applicable to serious infringements likely to
cause damage or distress
– Either deliberate or knew (or should have
known) the risks
– Failed to take reasonable steps to prevent the
contravention
– If standards are widely known and used and
you are not using them this will stand out
Reducing the risk
• Knowing what information is held – sensitive
images?
• Access – levels of control
• Data sharing – communication methods
• Policies and procedures?
• Staff awareness?
Good practice
Reducing risk requires:
– Leadership - accountability
– Assessing what can go wrong (how, how often,
how much)
– Keep up to date and agile with new technology
– See staff not just as a vulnerability
but also as a first line of defence
Keep in touch
Subscribe to our e-newsletter at www.ico.gov.uk
or find us on…
www.twitter.com/iconews