Posted by Kevin on December 23, 2014.
When you enter the Sainsbury car park at its Willows store in Torquay. a big sign flashes up your car number plate. In smaller figures it also displays the time by which you must depart, viz, four hours later. There is no explanation of why, how or by whom your number plate is recorded.
I object to this. I consider my number plate to be personal information, and I consider the use of unexplained ANPR cameras to record my number plate to be intrusive and unacceptable. So I wrote to Sainsbury with a series of quite specific questions (click on the image on the right for full-size).
It wasn’t automatic – I had to push – but a few days later I got the following PR fluff response:
As with a number of organizations and public bodies, we use ANPR across a number of our sites to help our customers park fairly and easily. We do not keep any number plate data beyond that of the customer’s stay so we can ensure our car parks are not misused and there is enough space available. Our car park operators are self-regulated through the BPA’s Code of Practice for Parking Enforcement on Private Land and Unregulated Car Parks. Further to this our car park operators strictly adhere to the Surveillance Camera Code of Practice and the CCTV Code of Practice.
This response did not directly address any of my questions. Nevertheless, a couple of answers can be assumed:
I replied with more specific questions. Again, click the graphic on the right for full size. This time I focused on whether the data is given to the police, and on the policy governing when and why it is given to the police. That was six days ago and I have not had a reply.
In the meantime, more in hope than expectation, I asked the Information Commissioner’s Office for an opinion on DPA conformance. I told the ICO I would be writing this article, and asked:
For the purpose of my article, would you be willing to comment on whether
- Sainsbury is jointly responsible with the car park operator, and that therefore allowing the car park operator to self-regulate is a dereliction of duty to the customer.
- the signage is inadequate for conformance with the DPA because it gives no indication (there is no signage at all at the point at which the data is collected) on why the data is collected, nor who is responsible for it.
- the process is in breach of the DPA’s rule of proportionality since it is not necessary to publicly display personal number plates “to help our customers park fairly and easily [and] so we can ensure our car parks are not misused and there is enough space available.”
I also wrote, wondering if there is a loop-hole in the regulations,
I would be very grateful for your view on whether the police can (even if only in theory) ask for continuous notification of the recorded licence numbers to correlate against their own list of stolen vehicles. Could it be claimed that searching for stolen vehicles is in fact a continuous active investigation?
Those who know the ICO will not be surprised that once again I just got PR fluff. Click the image to the right for full size.
To be honest, I was a bit surprised. Take the first paragraph, “depending on whose classed as the data controller.” The ICO’s own guidance says,
Where more than one organisation is involved, you should both know your responsibilities and obligations. If you make joint decisions about the purposes for, and operation of, the scheme, then both of you are responsible under the DPA.
A data protection code of practice for surveillance cameras and personal information
So both Sainsbury and the car park operator are jointly responsible, and Sainsbury has no excuse for not answering my queries.
However, the ICO does imply that Sainsbury is in breach. I cannot see how it can know precisely when a recorded vehicle leaves the car park. If the data is deleted, I rather suspect that it is automatically deleted after four hours. So for the period between departure and deletion, Sainsbury is in breach of the DPA.
Sadly, the ICO completely ignored my query on whether there is a potential loop-hole to enable the police to have a live feed of the data.
All of this matters. As long ago as 2006, the then Information Commissioner wrote a report entitled A Report on the Surveillance Society:
If we are to suggest overall themes they are that the future surveillance society will be one of pervasive surveillance, primarily directed at tracking and controlling mobilities of all kinds (people, objects and data) and at predicting and pre-empting behaviour.
While that may have been a scary prediction in 2006, it is an even more scary reality today.
The tragedy is that we have allowed it to happen. One of the reasons it has happened is that companies like Sainsbury, with or without a link to the police, think it is acceptable to record our number plates for no good reason – and we tend to think, what’s the harm. The harm is that surveillance is now so complete we have grown accustomed to it. I would like it to stop, please.Submitted in: Expert Views, Kevin Townsend's opinions, News_surveillance |