Does London mayor's ‘ring of steel’ breach UK Data Act?

If it really exists, it certainly looks like it...

  • alert
  • submit to reddit

Boost IT visibility and business value

London mayor Ken Livingstone's claims earlier this week that the capital's new charge zone cameras had a security aspect raised numerous questionmarks, not least of them being the one over Transport for London's registration under the Data Protection Act. Livingstone in the past few days has performed something of a somersault, to the extent that he now thinks the terrorist-stopping powers of the zone cameras are so great that they should and would be retained even if the original road-charging purpose turned out to be a complete failure.

It was an intriguing revelation because - presuming Ken isn't just making it up as he goes along - it means that a central London security monitoring zone has been introduced not by the police, not by the government, but by a local authority, without any prior consultation at all. And perhaps not even by a local authority - it is unclear to us whether any security purpose has been discussed at the Greater London Authority itself. The consultation that went out in the run-up to the scheme's adoption meanwhile makes no mention of security zones, focussing entirely on the relief of traffic congestion and the improvement of London's transportation systems.

Local authorities in the UK do of course introduce CCTV security systems without widespread 'do you want a ring of steel' consultation, but there is just the teensiest of differences here. Purpose is important as far as the Data Protection Act is concerned, schemes specifically designed as CCTV security (or indeed other) systems will have clearly defined and documented purposes, and at least ought to comply with the Data Protection Commissioner's CCTV guidelines, which are available here.

Traffic management and monitoring systems however are not necessarily CCTV surveillance systems, and are frequently designed not to function in this way - if they are simply snapping number plates, then they're not identifying individuals. So the UK's speed cameras snap the rear of the car, which is only going to get somebody's face in rather esoteric circumstances, and the congestion charge scheme itself is designed to snap number plates, not people.

So, when Ken talks merrily of cameras being panned, zoomed and being used to identify drivers, we have clear purpose-drift and the probable need for whole new categories of registration for TfL under the data protection act.

TfL's own data protection registration is substantial, and the paranoid might care to be worried about how many of the individual categories are tagged "Transfer: Worldwide". Purpose 7 covers CCTV and traffic management (and makes chilling reading in its own right - Political opinions? Religious beliefs? Sexual life? On a bus?) but it's Purpose 28 that concerns us here.

Note that among the data subjects listed are those buying permits, offenders and suspected offenders, those incurring penalty charges and evaders. But there is no reference to the cameras being used to identify individuals, and plenty of individuals not covered (car passengers, pedestrians, cyclists) could be identified by them. Note also: "Images of vehicles entering the charging zone; registration marks of these vehicles will be matched with keeper details held by the DVLA (Driver and Vehicle Licensing Agency) if a valid charge payment, exemption or discount is not held, so that a penalty charge notice may be issued."

That's pretty clear, isn't it? Identification of the vehicle owner will take place in the event of suspected evasion, and will be done via DVLA records. It doesn't say anything about more general vehicle identification or zooming in on faces, so if it's doing that TfL is in breach of the 1998 Data Protection Act. If it is doing that, incidentally, it should also have a code of conduct governing how and when it should be done. And we suspect demoing the zooming in on faces to the mayor might at the very least be deemed not to be good practice.

Bodies listed for disclosure are sufficiently wide to cover all of the security services, but again the lack of a stated security purpose and of a reference to direct identification via the cameras means Ken's claims aren't covered. As an aside, if you're one of the ones who thought foreign plates would be a good gag, you'll see you're probably going to be disappointed. We know we were.

Distribution for both the CCTV and the congestion charge registrations is listed as being worldwide, but this is likely to be simply because of the companies involved in the implementation and management of the systems, rather than because its all being sent over to the CIA. It would however be nice to know what, why and to whom.

But you could try to find out. There's a FAQ on obtaining information on what's held on you here. Note that "Data controllers may ask for the information they reasonably need to verify the identity of the person making the request and to locate the data." As far as CCTV footage is concerned, this is generally viewed as meaning you need to tell them where and when you were in the zone. This however might be a little tricky if you were moving through a zone crawling with cameras for, say, an hour or so.

This could make finding the data expensive and difficult, if there is in fact qualifying data being recorded. The score from day one, incidentally, was claimed yesterday to be approximately 80,000 permits sold, and around 10,000 possible offenders. Chasing all of these would be expensive if they were being manually matched up with a picture of the vehicle, but as the DP registration doesn't mention this, we're pretty sure they're not. So we expect some interesting bloopers to emerge in the next couple of days. ®

The Essential Guide to IT Transformation

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Sonos AXES support for Apple's iOS4 and 5
Want to use your iThing? You can't - it's too old
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
Too many IT conferences to cover? MICROSOFT to the RESCUE!
Yet more word of cuts emerges from Redmond
Joe Average isn't worth $10 a year to Mark Zuckerberg
The Social Network deflates the PC resurgence with mobile-only usage prediction
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.