The London charge zone, the DP Act, and MS .NET
It may not entirely work, and its data protection registration looks more dubious by the day
Data Protection Act breaches by London's traffic congestion charge system may be numerous and varied, even if you exclude all of the ones that are committed if Mayor Ken's security ring of steel exists. And a report by one of the many (we presume) journalists who've infiltrated the system suggests a) that it doesn't work to anything like the extent claimed; b) that conduct and training of camera operators is inadequate and in breach of CCTV legislation; and c) that the whole shooting match will fall over if too many recipients of penalty charges contest them.
Oh, and while we're about it we might mention that it's one of the largest Microsoft .NET projects so far; but we'll get back to that.
On the subject of the congestion charge the London Evening Standard has, we accept, been coming on like some crazed petrolhead's implementation of Der Sturmer, but yesterday's report, detailing the experiences of a worker in one of the charge zone's mobile camera units, seems well-grounded. The vehicles housing the mobile cameras, which are intended as backup for the fixed cameras, are claimed to be unreliable, number recognition is ineffective, and the visual checks intended to deal with recognition failure are not being carried out.
A BBC Radio reporter broadcast from one of the zone's control rooms earlier this week, counting up in excess of 30 correct identifications before the first failure, but for the mobile units the Standard claims a failure rate of around 40 per cent. Note that this doesn't automatically translate into an overall failure rate of 40 per cent, because the mobile unit cameras have to be hand-sighted, while the fixed ones should already be trained on the right area. However, poor light, dirt and personalised plates should have a similar effect in both cases. Says the Standard:
"In dim light it fails to read three out of five registration plates. Muddy ones are almost always misread. It takes almost an hour of tinkering before the stubborn system works."
We should mention that if the charge zone system is acting as a CCTV system then that BBC reporter probably should not have been in the control room. The staff of the mobile unit certainly show no signs of having been briefed on CCTV good practice: "I've just seen David Dimbleby drive past on the camera," says one of the workers. Which would seem to us to be a clear invasion of the good Dimblebore's privacy, and a source of some trouble for Transport for London if he features in the video archive. Pay your tenner and find out, David.
Failures of the automatic system are intended to be checked visually. It's not clear if, in the case of the mobile units, the local visual check was the only one, but if it was then many errors will not have been picked up; the Standard reports the crew as watching videos and playing computer games instead. The presence of unauthorised VCR tapes or equipment is incidentally also a CCTV breach.
Staff in the control rooms for the fixed cameras clearly will not be allowed to watch LOTR II instead of working, but if the system there is also relying on visual checks in real time, then a likely weak spot of the system emerges. Penalty notices sent out under the system do not as a matter of course include the "capture" picture of the offending vehicle. This can be obtained on request if you send £10, and we feel sure it could also be obtained for free if you make them take you to court.
However, if plate readings of non-paying vehicles were being automatically matched up with the correct piece of archive video, then it would be easy for TfL's agents to send out the picture with the penalty notice. They're not doing this, QED the archive isn't being matched up, and TfL probably won't know if a snap exists or is usable until it's requested, or needed for a court case.
As regards Data Protection Act compliance, quite a lot - although not all - hinges on whether or not you class the system as CCTV, and on whether it can be deemed to be identifying individuals. TfL has however already put its hands up to one blooper - making it mandatory to fill in your phone number, while not telling people it wants the numbers for a customer satisfaction survey. We are told the number is now no longer mandatory, and that TfL proposes to change the layout in accordance with this in due course. But it still intends to use the numbers it's got, which sounds to us like promising to commit a second offence in the act of owning up to the first.
One Data Protection compliance consultant who contacted The Register said that it was clear to him that the congestion zone is a CCTV system, and noted that it is not correctly signposted as such. "Without the correct signage the congestion charging cameras are a covert system, and can only be used for a temporary period in response to a specific pre-identified criminal activity... and footage of other criminal activities caught on a covert system is extremely unlikely to be admissible in court. Hence the use of the cameras for activities other than congestion charge administration is certainly unlawful."
Another data protection professional says that if TfL's Data Protection registration is wrong (which it is if it's being used for security, CCTV or casually observing the movements of David Dimbleby), then the local authority "could well be acting 'ultra vires.'" And he adds that requests under the Act for personal data held need not be particularly specific. "All they need say is they were travelling in a green Mondeo ABC123D between 9 and 10am on such and such a date at location X."
As there are cameras throughout the zone, some of them mobile, checking all footage for possible pictures could be a massive task, even if only a few requests were made, never mind 10,000. TfL would likely argue that the footage didn't qualify because it didn't personally identify anyone, but that argument may not be sustainable (see Dimbleby, above).
Export of personal data outside of the EU may also be an issue, and this is where we finally get to Microsoft .NET, by way of Mumbai. Charge zone contractor Capita is not exactly overburdened with successful case study reports, and its sub-contractors also seem somewhat shy and retiring. However Mumbai, India-based Mastek allows itself a small boast about using .NET to implement the charge zone scheme for Capita. "This will be one of the largest projects to be developed under the Microsoft DotNet [sic] platform and will be executed over a period of 16-18 months," says its 2002 annual report. And here, you will see that "Capita is... the largest client for Mastek in the UK." The annual report also describes Capita as "our business partner" and mentions another project, a 'frequent flyer for schools' project called Connexions. Capita meanwhile says nice things about Mastek here, but it is unclear which of Capita's many UK success stories were contributed to by Mastek and .NET.
There will undoubtedly be other non-EU contractors (NB, Mastek does have a London office) covered by TfL's catch-all "worldwide" Data Protection register entry for personal data distribution. In the case of US companies, these should be registered under the US-EU "Safe Harbour" scheme, whilst it is illegal under EU law to export data to companies outside of the EU or of the Safe Harbour scheme, where local data protection legislation does not match EU standards. As we don't know who the companies are, then TfL's compliance here can't yet be assessed. However, if the scheme turns out to be exporting personal data which TfL has wrongly categorised as not being personal data, then contractors' data protection status might suddenly become more relevant than TfL had anticipated.
We're also led to believe that TfL's record on CCTV data compliance in general might have been somewhat inglorious. But perhaps more of that another day. ®