Staying safe—personal security technology and the Data Protection Act 1998
IP & IT analysis: Sales in personal security devices are growing apace, but are users sufficiently aware of the implications of these technologies in terms of data protection? Hazel Grant, partner and head of the privacy and information group at Fieldfisher, alongside Amy Lambert, solicitor, and Fiona Morris, trainee solicitor, explain the legal framework surrounding their use and identify a worrying lack of knowledge among the general public.
With security technology from fingerprint scanners to surveillance cameras now being used in private, could there be any legal concerns?
The key issue is the context in which these activities are carried out. There is a difference between using these technologies in a private, domestic context (eg a family safe unlocked by a fingerprint scanner) and using them in a manner which falls outside this context (eg using a surveillance camera on your land to film a public area outside your home). In addition, the data collection may be taking place for other legally permitted reasons, such as for reasons relating to national security.
Depending on the nature of the activities and the reasons for processing such data, the user of this technology could qualify as a data controller for the purposes of the Data Protection Act 1998 (DPA 1998), regardless of their original intentions. As such, the user would have to comply with a number of requirements under DPA 1998. This could include requiring the user to:
- register with the Information Commissioner’s Office (ICO) as a data controller, and
- notify any individuals whose fingerprints are being scanned (or who are caught on camera) that their personal data is being collected and how and for what purposes it is being processed.
This could place a—perhaps unconsidered—burden on the user. If the user was unaware of their obligations under DPA 1998, or did not comply with them, the user may be liable under DPA 1998 and fined by the ICO.
What about data protection issues if all the information collected through these devices is stored by and available to private persons?
There is no distinction in DPA 1998 between a data controller who is a natural person and one which is a corporate body. If the devices are owned by private persons, but still collect and process personal data for non-exempt purposes, DPA 1998 will be engaged.
All data controllers are obliged to ensure that the security of the personal data is protected by appropriate technical and organisational measures against unlawful or accidental distribution, loss or alteration.
Further, all data subjects have a right to receive a copy of their personal data by way of a subject access request. Under the EU General Data Protection Regulation (GDPR), expected to be implemented by 2018, data controllers will also have to comply with a data subject’s right of rectification (ie a right to amend incorrect information) and right of erasure (ie the ‘right to be forgotten’). These responsibilities may place a far greater burden than anticipated on the user.
What are the rights of neighbours or visitors who are within the operating field of a camera or in any other way affected by security technology that collects data?
As set out above, the question of whether DPA 1998 will apply in a private setting will depend on whether the use of the technology will fall within an exemption within DPA 1998. Note that the ‘domestic purposes’ exemption has also arguably narrowed following the decision of the Court of Justice of the European Union (CJEU) in C-212/13: Rynes v Urad pro ochranu osobnich udaju  All ER (D) 174 (Dec). Here, the CJEU held that the use of surveillance cameras to film a public space could not be viewed as ‘purely domestic’, and accordingly could not benefit from the household exemption, despite the cameras being privately owned and placed within Mr Rynes’ land. If the technology is capturing data for purposes which are not ‘exclusively personal or domestic’ (although note that DPA 1998 also permits processing for recreational purposes), or is not exempt for any other reason, the data subject will be entitled to exercise its rights under DPA 1998.
How well are the current legal frameworks equipped to deal with these new technologies and the new problems arising?
There is a query as to whether DPA 1998 (and even the GDPR) will go far enough to create clear exemptions and frameworks for the use of technology which is likely to be employed in a seemingly private context, yet may still expose the user to obligations under DPA 1998. It is also important that users are aware of exactly how their technologies function—with the increase of big-data technologies it is possible that far more information will be collected than the user is aware of, which may place both the user and the data subject at risk.
What are the trends in this area and do you have any predictions for the future?
The rapid evolution of technologies and lack of public understanding of the relevant laws suggest that the disconnection between the strict requirements of DPA 1998 and the pragmatic responses that the ICO can reasonably require the public to take will undoubtedly take centre stage in the future. This can only be exacerbated by the potential for new claims for personal distress made possible by the Court of Appeal’s judgment in the case of Vidal-Hall and others v Google Inc (The Information Commissioner intervening)  EWCA Civ 311,  All ER (D) 307 (Mar) (currently being appealed).
This article was first published by Lexis Nexis on 26 January 2016