Archive for the 'Data Protection' Category

Be kind, rewind: the dangers of covert CCTV

Image: Copyright nolifebeforecoffee (Flickr) https://www.flickr.com/photos/nolifebeforecoffee/with/124659356/

Cameras are everywhere these days, but CCTV systems have been popular since well before the advent of camera phones. For the most part CCTV cameras are positioned in fixed, known locations such as public offices, shops or streets. A variety of covert cameras are available which have been used for many years to detect theft and fraud in particular. Any such use of covert recording should only be undertaken with caution, in specific circumstances and on the basis of advice.

This week’s Limerick Leader carries a story of covert recording in the offices of a school. It appears from the report that the reason for covert recording was that sensitive files had gone missing from the school. The full circumstances of the case are not yet known. The use of covert CCTV systems raises one set of issues, the missing files another. Missing files indicate a security breach and, while a loss of personal data (likely sensitive personal data) is not specifically governed by the Data Protection Acts 1988 and 2003, a duty of care arises and the Data Protection Commissioner has published a code of practice on dealing with such breaches.

In general terms, the main considerations in using CCTV systems are the individual’s constitutional right to privacy, the Data Protection Acts and employment law. The right to privacy is somewhat undefined as no specific privacy law has been enacted (a previous bill was abandoned). Data protection legislation does not specifically refer to recording equipment or CCTV but since cameras record images of individuals, the images themselves are personal data within the meaning of the Acts and the general rules therefore apply to them. It is crucial that the collection of personal data by recording images is justified. Security would be an obvious justification but the Data Protection Commissioner is very clear that security does not justify indiscriminate recording of employees, for example.

[U]sing a CCTV system to constantly monitor employees is highly intrusive and would need to be justified by reference to special circumstances. If the monitoring is for health and safety reasons, a data controller would need to demonstrate that the installation of CCTV was proportionate in addressing health and safety issues that had arisen prior to the installation of the system.

Cameras should not ordinarily be put in locations where occupants and visitors would have a reasonable expectation of privacy. Particular sensitivity might be required in a school, for example, which is obviously frequented by minors. In addition, the Acts require that people are provided with information about the data collected about them and who has collected it. In the context of CCTV, therefore, notices should be displayed indicating that recording is taking place, who is responsible for the recording and why it is being carried out.

Use for monitoring staff performance or conduct is not an obvious purpose and staff must be informed before any data are recorded for this purpose.

Of course, there are situations in which these rules will neither work nor be appropriate and the Acts do allow for this. Indeed, the collective EU grouping of data protection regulators accepts that employers may have to resort to covert recording in order to address fraudulent or criminal behaviour and that national laws may permit this. Employment law has long recognised that covert recording might sometimes be justified. But it is clear that specific consideration must be given on a case-by-case basis to the use of covert CCTV recording. Case studies of the Commissioner demonstrate the factors which must be borne in mind.

For data protection purposes, covert recording can be justified generally only with the involvement of the Gardaí. Covert recording may be justified in the case of criminal offences, but not for performance-related monitoring.

The use of recording mechanisms to obtain data without an individual’s knowledge is generally unlawful. Covert surveillance is normally only permitted on a case-by-case basis where the data are kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This provision automatically implies that a written specific policy be put in place detailing the purpose, justification, procedure, measures and safeguards that will be implemented, with the final objective being an actual involvement of An Garda Síochána or other prosecution authorities for potential criminal investigation or civil legal proceedings being issued, arising as a consequence of an alleged committal of a criminal offence(s).

Where CCTV footage is recorded, whether covertly or not, obligations continue to govern its retention and access to it. It is common for operators of CCTV systems to refuse to provide copies of their recordings to anyone other than Gardaí. It should be noted that, because camera footage is the personal data of the people recorded on it, those people have a right of access to it under the Acts. Again the Commissioner is quite clear:

Where a data controller chooses to use technology to process personal data, such as a CCTV system to capture and record images of living individuals, they are obliged to shoulder the data protection obligations which the law places on them for such data processing. In the matter of access requests for CCTV footage, data controllers are obliged to comply fully with such requests. Claims by a data controller that they are unable to produce copies of footage or that stills cannot be produced from the footage are unacceptable excuses in the context of dealing with an access request. In short, where a data controller uses a CCTV system to process personal data, it takes on and is obliged to comply with all associated data protection obligations.

Yet another Toyota recall

I wrote twice before on product recalls by Toyota and the apparent legislative oversight which meant that there was no legal provision allowing Toyota to obtain records of Toyota owners from the vehicle licensing authorities.

At the time I wrote those posts, the most recent legislation on the issue was the Finance Act 1993 (Section 60) Regulations 2005. Now that Toyota are undertaking another product recall, I discover the Finance Act 1993 (Section 60) Regulations 2009, which took effect on 25 September 2009 but which, oddly, were not available on the Irish Statute Book when I wrote my posts in 2010 and 2011.

At any rate, the 2009 Regulations revoke and replace the 2005 Regulations and designate specified manufacturers and distributors as being entitled to obtain vehicle licensing records, rather than the generalised category stated in the 1996 Regulations.

So, it appears that I was mistaken, but had no way of knowing it at the time.

New data protection rules on cookies & mandatory data breach reporting for electronic communications providers

Image: From George Eastman House

Not those kinds of cookies.

Last week, the Minister for Communications, Energy and Natural Resources signed a group of statutory instruments into law which transpose the EU telecommunications reform package.

Among those regulations are the European Communities (Electronic Communications Networks and Services)(Privacy and Electronic Communications) Regulations 2011.

The Regulations are lengthy but the Data Protection Commissioner already has a guidance note online outlining the changes introduced, the most significant being:

  • Compulsory notification of individuals and the Office of the Data Protection Commissioner in the case of data breaches
  • More stringent requirements for user consent for the placing of “cookies” on electronic devices
  • Stricter requirements for the sending of electronic marketing messages and the making of marketing phone calls

I previously wrote about mandatory reporting of data breaches in the context of general data protection law (rather than sector-specific rules).

Leo Moore (William Fry) points out that the new rules on cookies do not provide for a lead-in time, as was the case in the UK. This will put pressure on operators subject to the rules to get their house in order quickly. He notes:

Website operators and other interested parties are keenly following how the Cookie Regulations will be interpreted and enforced in Ireland in light of the need to obtain website user consent each time a cookie is placed on a website user’s computer. Many such parties have concerns in relation to the practical implications of complying with such obligations.

For more, try following Ronan Lupton (ALTO), TJ McIntyre (UCD/DRI), Leo Moore (WF) & David Cullen (WF) on Twitter.

Privacy and the press

I wrote a short article for last week’s Sunday Business Post on the super-injunctions story and the conflict between freedom of speech and privacy. It appeared in the Computers and Business magazine and is available here.

It’s a difficult topic to tackle in a short article and some more thoughts on the issue are in my earlier rambling blogpost. However, Karlin Lillington dealt with the issue expertly in last Friday’s Irish Times by contrasting the UK super-injunctions saga with the Irish experience of data protection and retention laws.

PRIVACY HAS two definitions. There is the definition that applies if you are wealthy, or a celebrity, or a corporation or organisation, and you wish carefully to protect from the public eye your infidelities, personal peccadilloes, ethically questionable activities, illegal doings or other foibles that might damage your income, reputation or bottom line.

Then, there is the definition that applies if you are just an ordinary citizen and a bank, an insurance company, an electronics manufacturer, a telecommunications company, a law enforcement agency, a government department or other organisation holds or would like to view lots of potentially sensitive information about you.

If you are in the former, elite group, lucky you. You will find you are entitled to all sorts of perks and privileges when it comes to your special definition of privacy. Your national government may come up with laws specifically to protect your version of privacy.

Justice systems may invent special protections that mean not only is no one allowed to mention whatever it is you or your company is said to have done, but no one is even allowed to mention that such a legal protection is there in the first place.

Social media and internet companies may, despite public statements about valuing their users and freedom and democracy, relinquish information about the people who might have said something annoying about you, your company or your government, the better to enable the justice system to get these aggravating people off your back.

If you are in the second group, your privacy is too often a commodity.

The surprising reason given for the change to HSE policy on providing patient lists to clergy

This morning’s Irish Times reports on a change to a Health Service Executive policy I never knew existed. Until now, Irish hospitals provided members of the clergy with access to patient admission records. This practice, the article reports, “has been stopped by recent data protection legislation.”

I was surprised by the reference in the article to “recent data protection legislation” and “new legislation”. The main Irish legislation in this area is the Data Protection Act 1988. It was amended in 2003. There are a number of regulations affecting those Acts but the most recent relates only to the Director of Corporate Enforcement.

So, is the “new legislation” referred to the 8-year-old Act or the 23-year-old one?

The truth is, one might reasonably speculate, that the consequences of long-standing legislative requirements have recently been considered by the HSE and it changed its policy accordingly. [I have since found that the Offaly Independent reported on this story last Friday, without any indication that the legislative requirement which led to the policy change was new or recent.]

Information on an individual’s health is sensitive personal data for the purposes of the Acts and is the category of personal information that is subject to the strongest protections.

The Data Protection Commissioner has published a guidance note on the application of the Acts to the health sector. That note begins with the following, non-legislative point:

The confidentiality of patient records forms part of the ancient Hippocratic oath, and is central to the ethical tradition of medicine and health care.

It goes on to say that

Given the immense sensitivity of health-related information, it is imperative that professionals in this sector be clear about their use of personal data.

This recent, very much belated, change of policy by the HSE suggests that the organisation may have some distance to travel in this regard.

Irish data retention law now in force

There has been so much political uncertainty in recent weeks that one wonders what business of Government has gone on unnoticed. One such item of business, I discovered from the A&L Goodbody legislative FAQ referred to earlier, was the passing by the Oireachtas of the Communications (Retention of Data) Act 2011.

This controversial piece of legislation is not available, as yet, in its final form, as none of the Department of Justice, the Houses of the Oireachtas or the Irish Statute Book has published it.

The President signed the Act into law on 26 January 2011 but, as far as I am aware, this has not been reported on anywhere. The commencement date is not known but the latest draft available does not contain a commencement clause so, if one was not inserted before it was passed by the Oireachtas, it is now in effect.

[Update: I wasn’t correct in stating that the introduction of the Act hasn’t been reported on. I had missed Eoin O’Dell’s reference to its passing on his blog and Karlin Lillington’s coverage in the Irish Times. She also covered the Seanad debates on Twitter. However, it is still noteworthy that this news has been confined to analysis pieces and has not been headline news, by contrast with other rushed legislation recently signed by the President.]

According to the Internet Service Providers Association of Ireland:

ISPs providing Internet services to the public are now obliged to retain certain data, as set out in the Act, identifying the occurrence of a communication (but not about the content of the communication itself). This must be done for every user, whether they are a private or business customer. In the case of Internet communications the ISP must keep the data for a period of one year … [The] ISPAI regrets [the passing of the Act] despite the trojan efforts of non-government Senators who argued the amendments (which were defeated) aimed at giving greater clarity to the legislation and particularly to minimise its potential to put Ireland at a cost disadvantage to our EU neighbours for Internet based business.

Digital Rights Ireland summarised the effect of the legislation when it was first put before the Oireachtas as follows:

In essence, the Bill requires telecommunications companies, internet service providers, and the like, to retain data about communications (though not the content of the communications); phone and mobile traffic data have to be retained for 2 years; internet communications have to be retained for one year … This will impose significant costs on those obliged to retain and secure the data, and those costs will be passed on to their already hard-pressed customers. And it is likely to drive international telecommunications and internet companies to European states which have introduced far less demanding regimes.

The Irish Council for Civil Liberties made submissions to the Department of Justice about the legislation. Digital Rights Ireland took a constitutional challenge against the legislation and that challenge is en route to the European Court of Justice (the Act implements the EU data retention directive).

Privacy & Human Rights in Europe

Privacy International have published their latest study reviewing privacy and human rights in Europe.

I contributed to the Irish chapter of the report, along with TJ McIntyre and Colin Irwin. It gives a good overview of current Irish law on privacy and data protection.

The report concludes that, while Europe is the world leader in privacy rights, there remains much work to be done in the field.

The Directive on Data Protection has been implemented across EU member states and beyond, but inconsistencies remain. Surveillance harmonisation that was once threatened is now in disarray. Yet there are so many loopholes and exemptions that it is increasingly challenging to get a full understanding of the privacy situations in European countries. The cloak of ‘national security’ enshrouds many practices, minimises authorisation safeguards and prevents oversight.

The report includes a report card in its key findings, the highlights of which for Ireland include criticisms that Ministerial warrants can override privacy law protections and that powers allowing for interception of VoIP calls are ambiguous.

For more on international privacy law, Morrison Foerster have a very useful library which acts as an online sourcebook.
