There is a simple question that underpins a lot of concerns for anyone who has video of people acting within the European Union: "Is video containing people considered personal data?"

 

This is an important question because the answer has some pretty serious ramifications...

  • No, it is not personal data - This means you do not need to provide it (for free) under GDPR guidelines when the person in the video requests it.
  • Yes, it is personal data - This means the data falls under GDPR and all the associated rules.

At Col8 we wanted clarity on this subject for our clients, so we went straight to the source: the Information Commissioner's Office (ICO) is the body that manages GDPR and data protection within the UK and beyond, so they are the right people to speak to about this.

We asked them the following questions and here are the responses (verbatim) with some additional notes on the implications of what they mean:

Question 1

Can you confirm that video data of individuals captured or recorded is deemed as personal data?

If an individual can be identified from the video footage, then this should be treated as personal data.

Email confirmation to Col8 - 22/07/19

Implications

A straightforward response to the main question: yes, video can be considered personal data.

The phrase "If an individual can be identified" has been used as an excuse not to treat video as personal data, but this point becomes invalid if the person provides you with a way to identify them. Why would they do that, you ask? They have to provide you with proof of identity (a driving licence, passport, etc.) for you to be able to legitimately action the request. This also gives you a way to identify them, and thus means that the video containing them is deemed personal data.

Another case we see from time to time is people wearing things like ID badges. That again gives you a way to identify the individual, so it makes the video personal data even without them contacting you.

Question 2

Any organisation that records video footage of people has to, under GDPR, release that footage of the person (with the provision that the personal data of others is redacted) if requested?

Personal data held by an organisation must be considered for release if a subject access request (SAR) is made, unless an exemption can be applied. 

Email confirmation to Col8 - 22/07/19

Given the response to question 1 that video is considered personal data, an organisation must release this data to the person who requests it. This answers another statement we sometimes get: "Why would I ever release that footage to someone who isn't the police?!"

The topic of exemptions comes up in this answer. This can be a complicated field, and the reasons for relying on an exemption need to be very carefully managed (often it is far safer to comply with the request than to try to think of a way around it). A crucial piece of information about exemptions is this (direct from the ICO webpage):

"Exemptions should not routinely be relied upon or applied in a blanket fashion. You must consider each exemption on a case-by-case basis."

Question 3

Even if the organisation does not believe they have the footage they still have to show evidence of searching their database and presenting this to the requestor

An organisation must make reasonable searches to comply with a SAR. Data protection law doesn't compel you to provide details of searches to a requestor, but this may be useful in some circumstances. 

An organisation should make a record of the searches conducted in response to a SAR. Should an individual make a complaint to the ICO about an SAR response, then the evidence of making reasonable searches would be easy to provide.

Email confirmation to Col8 - 22/07/19

You do not necessarily have to present evidence that you have done the search, though in all communications to the requestor you need to make them aware of their right to complain to a governing body like the ICO, so that if they think you have not done a good job they know who to approach. If a complaint is made, however, having well-documented evidence will help massively.

As we have seen previously in fines by the ICO, there has been a tendency to punish organisations that both breached the rules and showed they had not considered their process more severely than ones that considered what they were doing but did not meet the standards of the law. When it comes to things like documenting searches to comply with legal processes, the more evidence of following the process, the better.

From the responses the ICO have given, the liability for video containing people under GDPR is broader than many organisations currently consider.

The implications of this information can't be underestimated, especially when many organisations implement video systems (e.g. body cameras on enforcement officers or CCTV in shops) to improve public safety and transparency. Holding this data opens them up to a new level of legal compliance that is still not well understood.

Download the Col8 guide on video data under GDPR for more details on how we can help.
