'Fair processing' notices can be posted on social media, says ICO

Out-Law News | 20 May 2014 | 3:44 pm | 2 min. read

Organisations may be able to meet their obligations to ensure that personal data is processed fairly by notifying individuals about their processing activities through social media, the UK's data protection watchdog has said.

The Information Commissioner's Office (ICO) said organisations may need to think creatively to ensure their compliance with the Data Protection Act (DPA) when using video surveillance technologies and that explaining the use of such technology on social media is one way they can meet their legal obligations.

The ICO's comments were published in a new draft code of practice for the use of CCTV systems and other surveillance technologies (31-page / 1.56MB PDF) that it is consulting on. The draft code highlighted the potential use of social media in explaining how organisations wishing to use new remote controlled unmanned drones can adhere to the DPA.

"If you are considering using such devices, you will need to come up with appropriate and potentially innovative ways of informing individuals of their rights," the ICO said. "Example: if a drone is to be operating in a specific area at a specific time then it may be that the organisation operating the drone can use social media to promote the usage and provide a link to the related privacy notice and any other relevant information."

The DPA requires that individuals' personal data is processed fairly and lawfully. Organisations processing personal data must ensure that individuals to whom the data relates are provided with certain information, including who the 'data controller' is, the purposes for which the data is to be processed, and any other information about the data processing circumstances that is "necessary" to ensure the processing is fair.

The ICO warned against the use of recording equipment that captures audio, and said that the recording of individuals' conversations is unlikely to be justified.

Organisations should conduct a review of their use of CCTV and other surveillance cameras at least once a year to make sure that use remains compliant with data protection laws, the ICO also said.

The watchdog said that such a review of a "system's effectiveness" may prompt a need for organisations to halt their use of CCTV cameras altogether.

"There should be a periodic review (at least annually) of the system’s effectiveness to ensure that it is still doing what it was intended to do," the ICO said in a new draft code of practice on CCTV use that it is consulting on. "If it does not achieve its purpose, it should be stopped or modified."

"Example: a CCTV system implemented to deal with persistent problems of nightlife related incidents may no longer be justified if the location of the nightlife district has migrated to another area of town over the intervening years," it said.

The ICO's draft code, which seeks to revise its existing CCTV code which has been in place since 2008, stressed the importance of carrying out privacy impact assessments ahead of using surveillance technology so as to identify risks and ways to reduce or eliminate those risks.

It also said that public organisations would generally not be under a duty to disclose uncensored footage to a requester under freedom of information (FOI) laws where the footage features identifiable others.

"If individuals are capable of being identified from the relevant surveillance system, then it is personal information about the individual concerned," the ICO said. "It is generally unlikely that this information can be disclosed in response to an FOI request as the requester could potentially use the information for any purpose and the individual concerned is unlikely to expect this. This may therefore be unfair processing in contravention of the DPA."

"However, consideration can be made of the expectations of the individuals involved, what the information considered for disclosure would reveal and the legitimate public interest in the information when deciding on whether disclosure is appropriate.  Where you think obscuring images will appropriately anonymise third party personal data ... then it may be appropriate to do this rather than exempting the information," it said.

Organisations have until 1 July to respond to the ICO's consultation.