Using CCTV? Make sure you consider the issues.

A couple in Scotland, Mr and Mrs Woolley, have made a successful claim under the data protection Act 1998 (which I will call the “DPA”) for “extreme stress” they suffered as a result of “highly intrusive” CCTV and audio recording system use by their neighbours.

The couple were awarded damages in the sum of £17,268.00 after the Edinburgh Sheriff Court upheld all of the breaches in their claim.

Mr and Mrs Woolley lived in an upstairs flat and the defendants owned the flat below them in a converted semi-detached house. The gardens at the front and the rear were split in two. The defendants didn’t live in their flat but instead used it as a guesthouse.

CCTV cameras were in place belonging to both the claimants and the defendants. Those belonging to the claimants were positioned so as to only cover their property, whilst the defendants’ were deliberately set so that they could see their property as well as the claimants’. This went on for a year and a half.

The defendants had also installed audio recording boxes directly below the claimants’ bedroom window. These boxes were sufficiently powerful to record sound from well beyond the extent of the Claimant’s property.

The CCTV cameras recorded footage 24 hours a day and were set to keep those recordings for a period of 5 days. The recordings could be accessed by the defendants remotely.

Even though it was obvious to the defendants that the cameras and recording equipment were intrusive, they did nothing to limit their coverage which they could easily have done by changing settings.

The DPA contains certain principles which should have been taken into account by the defendants (who didn’t register themselves as data controllers):

  1. the first principle, which states that data must be processed only for lawful and legitimate purposes and in a fair and transparent manner;
  2. the third principle, requiring that data being processed is adequate and not excessive; and
  3. the fifth principle, which requires that any data is retained only for as long as necessary for specific lawful and legitimate purposes.

There had been no consultation by the defendants with the claimants and despite the claimants making four subject access requests, the responses to these were either delayed by the defendants or, in some cases, completely ignored.

The defendants claimed in correspondence with the Information Commissioner’s Office (the “ICO”) that the property in question was used by them as a private residence. This was obviously incorrect and this argument was later rejected by the ICO.

When looking at the ICO’s correspondence with the defendants the court found some inconsistencies and it appeared from that correspondence that the ICO indicated that it was satisfied that the processing by the defendants did in fact comply with the DPA.

When reaching its decision the court found that the defendants had not followed the ICO’s approach of “transparency” and, in fact, had done exactly the opposite.

The Sheriff said that, in his view, “surveillance and recording of an individual’s personal residence is potentially so intrusive as to require the maximum possible amount of information, which is what is “necessary” for these purposes”.

One of the defendants said in previous correspondence that he had undertaken the recording as he had been the subject of false allegations before and that audio and CCTV evidence had helped to prove his innocence.

Another alleged reason for the intrusion was to record any possible incidents between the defendants and the claimants. The Sheriff decided that the chance of confrontation was not sufficient to justify surveillance of the nature undertaken when the defendants weren’t even living at the property, and the court expressed the view that the purpose of the recording was an effort to oppress the claimants.

The court ultimately decided that the defendants did not have a legitimate reason for the nature and scope of the monitoring they undertook and no legitimate reason had been given by the defendants for their activities.

This case serves as an excellent reminder to businesses (or individuals) that use CCTV to ensure that they comply with the law at all times. A Privacy Impact Assessment must be carried out to ensure that there is a pressing need for the monitoring and that it is lawful, justified, necessary and proportionate. An Assessment should be carried out periodically to ensure continued need and compliance. Bear in mind, audio recording is more intrusive than video and as such it is generally considered to be less likely that, when linked to CCTV monitoring, it would meet the necessary requirements for most businesses.

By Daniel Gardener

Subject to our terms and conditions and copyright policy.