By Matt Lewin
In August 2018, the Information Commissioner's Office (ICO) published a short guidance note on the use of CCTV cameras in licensed hackney carriages and private hire vehicles.
Following the publication of the Jay Report, Rotherham Council introduced a mandatory requirement for all licensed vehicles to be fitted with video and audio recording. Many other licensing authorities have followed suit.
The widespread use of CCTV has, for many people in the UK, become an unremarkable fact of life. It can help prevent, and assist in the detection of, crime and can provide reassurance and security for both passenger and driver.
However, the law regulating the use of CCTV is not straightforward. The ICO's guidance specifically addresses the data protection risks of installing CCTV in licensed vehicles. Because CCTV monitors and/or records the activities of individuals, it is processing their personal data and is therefore subject to data protection legislation.
The use of CCTV in taxis has caught the ICO's attention because many systems operate continuously, activated whenever a vehicle is running (even if not being used for hire and reward) while others include an audio-recording facility. Both have the potential to significantly – and unlawfully – invade the privacy of passengers and drivers.
In a nutshell, the ICO says that all licensing authorities which already operate, or are thinking of introducing, a CCTV policy, need to demonstrate a clear justification for the policy and that they have thought carefully about how the policy will operate in practice so as to minimise the potential for interference with the privacy of passengers and drivers.
It is not at all clear that those licensing authorities which have introduced CCTV policies have done so lawfully – and therefore they urgently need to consider the ICO's guidance, which is summarised below.
The ICO says that authorities need to identify the problem the CCTV policy is seeking to address. Is your policy:
- seeking to safeguard vulnerable passengers?
- providing assurance to drivers to protect them from unjustified allegations?
- trying to prevent and detect crime?
Then consider whether there are any other solutions which may be less intrusive on the privacy of passengers and drivers, but which are just as effective in addressing that problem. Many authorities may justifiably conclude that other measures – for example, self-reporting, incident log books, passenger complaints process – are not as effective and therefore some form of CCTV policy is justified.
Data Protection Impact Assessment
If a vehicle is equipped with CCTV because your authority's policy requires it, that means that the authority is the "data controller" – the council decides how and for what purposes the personal data being captured on the CCTV is used.
This means that your authority is accountable under data protection legislation for the processing of passenger and driver personal data. Those obligations are very important – not least because errors can lead to significant fines.
Therefore the decision to introduce a CCTV policy must be underpinned by a Data Protection Impact Assessment (DPIA). A DPIA is a mandatory requirement before any CCTV policy is implemented. A DPIA helps you identify and minimise the data protection risks of a CCTV policy and to answer fundamental but tricky questions, including:
- what is our justification for requiring the use of CCTV?
- when should the CCTV be operating?
- should the driver be able to manually control the system?
- for what purposes will we use the CCTV footage?
- how do we ensure that the footage is kept secure and only used for authorised purposes?
- should we allow audio-recording and, if so, in what circumstances?
- how long should the footage be retained?
- what are the risks to passengers' and drivers' data protection rights and interests?
Read the Code of Practice for Surveillance Cameras and personal information
The ICO has published a detailed Code of Practice on good practice in the use and governance of CCTV systems. It is intended to help those who use surveillance cameras to collect personal data lawfully.
Additionally, English and Welsh authorities must have regard to the government's Surveillance Camera Code of Practice.
The ICO reminds licensing authorities to carefully study both documents to ensure that their policies comply.
CCTV has the potential to promote the underlying objective of taxi licensing legislation: the protection of the travelling public. However, those benefits must be carefully and demonstrably weighed against the potential for invasion of privacy – not only of passengers, but also of drivers.
Cornerstone Barristers is uniquely well-placed to help licensing authorities strike the correct balance with members of chambers practising in both Licensing and Data Protection, and we would be more than happy to advise authorities on the adoption and operation of their CCTV policies.