You searched for:
Landmark court case serves as a useful reminder of CCTV compliance
A Scottish couple were awarded damages of £17,268 for the “extreme stress” they suffered as a result of the “highly intrusive” use of CCTV and audio recording systems by the owners of the neighbouring property.
In their section 13 claim for compensation under the Data Protection Act 1998 (Act), the claimants alleged breaches by their neighbours of the following data protection principles:
The first principle, according to which data must be processed only for lawful and legitimate purposes and in a fair and transparent manner;
The third principle, which requires that the data being processed is adequate and not excessive; and
The fifth principle, which requires that any data is retained only for as long as necessary for the specific lawful and legitimate purposes.
The Edinburgh Sheriff Court upheld all breaches in favour of Mr and Mrs Woolley.
, the Sheriff has accepted the claimants’ calculation of damages for distress absent any previous authority on compensation in similar cases. The calculation accepted was based on £10 per day per person from the day the CCTV equipment was installed, less one month’s worth of damages to account for the claimants’ likely absences from their property.
The judgment offers an interesting alternative to the awards for distress caused by the misuse of private information made by courts in 2016. In
Brown v Commissioner of Police of the Metropolis
, where the police force abused its powers to obtain private information about its officer in relation to a disciplinary matter, the court benchmarked its award against the £10,000 awarded in the
case in 2015, the largest award of damages for breach of a person’s privacy at the time. Noting that the misuse did not reach the magnitude of Gulati and ‘doing the best I can’ the judge awarded £9,000. In another case,
TLT v Home Office
, the judge awarded £12,500 which he noted was ‘not out of kilter with awards for moderate psychiatric and psychological damage’. In that case, the claimants had to move house because they genuinely believed that their security was compromised due to the Home Office’s wrongful publication of refugee data. The judge noted that the word “distress” was “a misstatement and an understatement” to describe the totality of the claimants’ experience. That case was covered in detail by my colleague Brian Johnston in an
published in January.
The present case could, according to commentators, potentially have attracted higher damages, which is consistent with the Sheriff’s observation that the claim of £8,634 per person was ‘modest and reasonable’.
The facts were rather overwhelmingly in favour of the claimants. The evidence was limited to the oral evidence of the claimants and their friends. Also adduced were parts of evidence heard in previous court proceedings between the neighbours, including one audio recording, a harassing text message and their conversations. In particular, one of the defendants had provoked the claimants about his ability to listen to their private conversations in the garden. Perhaps unsurprisingly, the defendants did not file or lead evidence. One of the defendants had previous criminal convictions but, due to an objection, the court made no findings of fact regarding his character.
The claimants lived in the upstairs flat and the defendants owned the downstairs flat in a converted semi-detached house. The front and garden areas were split in two.
The defendants ran their downstairs flat as a guest house and did not reside there.
The CCTV cameras of the claimants covered only their property.
The four CCTV cameras of the defendants were deliberately set to capture the defendants’ as well as the claimants’ private property for a period of one and a half years.
The defendants had installed audio recording boxes, two of them immediately below the claimants’ bedroom window, with a recording reach well beyond the claimants’ property.
The cameras were recording 24 hours a day and the footage was retained for five days, which was the technical default setting on the equipment.
The defendants had remote access to their cameras.
Despite obvious knowledge of the intrusion, no precautions were taken to limit the coverage.
The defendants failed to register as data controllers until virtually the end of the intrusive monitoring.
There was no prior consultation about the cameras and no transparency notices.
Four subject access requests were sent in the period and the defendants consistently delayed their responses or failed to respond entirely.
In correspondence with the Information Commissioner’s Office (ICO), the defendants wrongly claimed their property was a private residence and that exemptions applied. This was later rejected by the ICO.
The court noted some contradictions in the ICO’s correspondence. Apparently, the ICO was said to have assessed non-compliance but it was satisfied the processing was compliant with the Act.
The court cited the approach to transparency set out in the ICO’s Guide to Data Protection and noted that the defendants had done the opposite. The Sheriff said that in his view, “surveillance and recording of an individual’s personal residence is potentially so intrusive as to require the maximum possible amount of information, which is what is “necessary” for these purposes”.
The court held that the defendants had no legitimate reason for the nature and extent of such monitoring. The defendants had led no evidence attempting to explain the surveillance. However, in previous correspondence, one of the defendants said he recorded the audio because he had previously spent time in custody and before the Sheriff due to false allegations that were proven by audio and CCTV. Another alleged purpose was to record any possible incidents between the arguing parties. The Sheriff held that the possibility of confrontation cannot justify surveillance when the defendants were not at the property (as was the case most of the time) or surveillance of the private garden area, to which the defendants had no access. In the court’s view, the coverage was evidently an effort to oppress.
Making a reference to the ICO’s
In the picture: A data protection code of practice for surveillance cameras and personal information
(2015), the Sheriff suggested that the alleged purpose of recording confrontations, of unspecified type, will not justify retention beyond a single day. Such footage could be deleted daily without affecting the alleged purpose.
As a result of the breaches, the claimants suffered extreme stress. They severely restricted their use and enjoyment of their own home, voluntarily restricted their external movements and could not use their rear garden. They also restricted their conversations both inside and outside as they did not know the extent of the coverage and had to warn their visitors of the monitoring. The court described the monitoring as highly intrusive, excessive, highly visible, extravagant, unjustified and unnecessary in relation to any legitimate purpose. The monitoring was also oppressive and unfair.
This case helpfully expands on the methods for calculating damages for distress caused by a misuse of private information and provides useful insights into what a court may consider in cases of intrusion by surveillance. It brings a refreshing flexibility into the assessment of damages in these privacy cases and may encourage judges to allow more adventurous claims in future, where the facts so permit.
The growth of litigation in this area and the trend of growing awards of damages serve as a useful reminder to businesses operating CCTV systems of their continuous compliance obligations. As the starting point, a Privacy Impact Assessment should be carried out to identify the pressing need that the monitoring is supposed to address and whether the proposed monitoring is lawful, justified, necessary and proportionate. The assessment should be repeated regularly to ensure that the circumstances justifying the use of CCTV persist. Due to the intrusive nature of audio recording, it is generally less likely that its use coupled with CCTV would meet the requirements in the context of most business operations.
Data protection updates - 20 July 2017
Incident Response Plans
Data Protection codes of conduct hitting the fast lane under GDPR
Data protection update