ITsecurity
twitter facebook rss

Is Sainsbury in breach of the Data Protection Act?

Posted by on December 23, 2014.

When you enter the Sainsbury car park at its Willows store in Torquay. a big sign flashes up your car number plate. In smaller figures it also displays the time by which you must depart, viz, four hours later. There is no explanation of why, how or by whom your number plate is recorded.

Sainsbury mail 1

My first email to Sainsbury

I object to this. I consider my number plate to be personal information, and I consider the use of unexplained ANPR cameras to record my number plate to be intrusive and unacceptable. So I wrote to Sainsbury with a series of quite specific questions (click on the image on the right for full-size).

It wasn’t automatic – I had to push – but a few days later I got the following PR fluff response:

As with a number of organizations and public bodies, we use ANPR across a number of our sites to help our customers park fairly and easily. We do not keep any number plate data beyond that of the customer’s stay so we can ensure our car parks are not misused and there is enough space available. Our car park operators are self-regulated through the BPA’s Code of Practice for Parking Enforcement on Private Land and Unregulated Car Parks. Further to this our car park operators strictly adhere to the Surveillance Camera Code of Practice and the CCTV Code of Practice.

This response did not directly address any of my questions. Nevertheless, a couple of answers can be assumed:

  1. The stated purpose of this surveillance is “to help our customers park fairly and easily.” I consider that using surveillance cameras and recording number plates to be disproportionate to this purpose, and that Sainsbury is therefore contravening the Data Protection Act. (For the use of ANPR to have any effect on length of stay, it would have to monitor the vehicle within the car park to its point of rest, then note when the vehicle leaves the car park, and finally dispatch an attendant to the vehicle once the four hours is exceeded. I do not believe any of this happens.)
  2. The data is only retained (we can assume that ‘we’ actually means the car park operator) for a maximum of four hours. But there is no response to my query on whether the data is shared with anyone else. There is also a clear attempt to avoid any responsibility and place it all on the car park operator who remains unnamed.
My second email to Sainsbury

My second email to Sainsbury

I replied with more specific questions. Again, click the graphic on the right for full size. This time I focused on whether the data is given to the police, and on the policy governing when and why it is given to the police. That was six days ago and I have not had a reply.

In the meantime, more in hope than expectation, I asked the Information Commissioner’s Office for an opinion on DPA conformance. I told the ICO I would be writing this article, and asked:

For the purpose of my article, would you be willing to comment on whether

  • Sainsbury is jointly responsible with the car park operator, and that therefore allowing the car park operator to self-regulate is a dereliction of duty to the customer.
  • the signage is inadequate for conformance with the DPA because it gives no indication (there is no signage at all at the point at which the data is collected) on why the data is collected, nor who is responsible for it.
  • the process is in breach of the DPA’s rule of proportionality since it is not necessary to publicly display personal number plates “to help our customers park fairly and easily [and] so we can ensure our car parks are not misused and there is enough space available.”

I also wrote, wondering if there is a loop-hole in the regulations,

I would be very grateful for your view on whether the police can (even if only in theory) ask for continuous notification of the recorded licence numbers to correlate against their own list of stolen vehicles. Could it be claimed that searching for stolen vehicles is in fact a continuous active investigation?

Reply from the ICO

Reply from the ICO

Those who know the ICO will not be surprised that once again I just got PR fluff. Click the image to the right for full size.

To be honest, I was a bit surprised. Take the first paragraph, “depending on whose classed as the data controller.” The ICO’s own guidance says,

Where more than one organisation is involved, you should both know your responsibilities and obligations. If you make joint decisions about the purposes for, and operation of, the scheme, then both of you are responsible under the DPA.
A data protection code of practice for surveillance cameras and personal information

So both Sainsbury and the car park operator are jointly responsible, and Sainsbury has no excuse for not answering my queries.

However, the ICO does imply that Sainsbury is in breach. I cannot see how it can know precisely when a recorded vehicle leaves the car park. If the data is deleted, I rather suspect that it is automatically deleted after four hours. So for the period between departure and deletion, Sainsbury is in breach of the DPA.

Sadly, the ICO completely ignored my query on whether there is a potential loop-hole to enable the police to have a live feed of the data.

All of this matters. As long ago as 2006, the then Information Commissioner wrote a report entitled A Report on the Surveillance Society:

If we are to suggest overall themes they are that the future surveillance society will be one of pervasive surveillance, primarily directed at tracking and controlling mobilities of all kinds (people, objects and data) and at predicting and pre-empting behaviour.

While that may have been a scary prediction in 2006, it is an even more scary reality today.

The tragedy is that we have allowed it to happen. One of the reasons it has happened is that companies like Sainsbury, with or without a link to the police, think it is acceptable to record our number plates for no good reason – and we tend to think, what’s the harm. The harm is that surveillance is now so complete we have grown accustomed to it. I would like it to stop, please.

Leave a Reply

Your email address will not be published. Required fields are marked *

Submitted in: Expert Views, Kevin Townsend's opinions, News_surveillance | Tags: , , , ,