Back at Easter, Wexford County Council announced they were using drones to help police travel restrictions in respect of Covid-19. Cameras mounted on drones constitute a form of mass surveillance over a public area. As such, Article 35 of GDPR requires that a DPIA be undertaken.
Full stop. Failure to do so is a contravention of the legislation. End of story.
With that in mind, I sent an FOI request to Wexford County Council for a copy of their DPIA. I was interested to see how they had laid it out and what lessons local authorities would have learned from the Data Protection Commission’s audit of 31 local authorities in respect of Community CCTV (a not dissimilar technology to drone mounted cameras).
Imagine my surprise (no do… it’s a good exercise because I wasn’t surprised at all) when the response back from Wexford County Council was 10Mb of documentation and a cover note that confirmed that no Data Protection Impact Assessment could be found.
Wexford County Council’s Response
The image opposite is taken from Wexford County Council’s response to my request, which was quite simple. I had just asked for the DPIA and any associated documentation.
The response to the request for the DPIA was odd. My request was refused because the record didn’t exist or couldn’t be found.
Ergo, Wexford County Council had acted in contravention of Article 35 GDPR by failing to undertake a Data Protection Impact Assessment for processing for which a DPIA was required.
Complaint to the Data Protection Commission
I submitted the complaint opposite to the DPC on the 4th of June 2020. The complaint was clear that the only subject matter of my complaint was the failure to complete a DPIA.
I referred to the extensive correspondence that Wexford CoCo had provided to me (130 pages of it), a lot of which was basically attempts to retrospectively determine a justification for the processing. But nowhere was there a DPIA conducted before the processing.
The DPC’s response
The DPC’s investigation engaged in correspondence with the County Council. I’m going to be blunt here. I don’t see why they bothered. The breach that I complained about was not about the processing or any impact on any individual, but rather that a governance requirement under the legislation had not been complied with.
However, the DPC’s letter to me concluding their investigation is a little odd.
1. The Clarifications
The DPC asked a number of clarifying questions. I paraphrase them here.
- Were drones used?
- If yes, why?
- What was the legal basis for the use of the drones?
- How was the use of drones compatible with obligations under the Data Protection Act 2018?
Question 1 makes sense. If the drones weren’t used there was no risk of processing personal data, ergo there was no need to conduct a DPIA. However, I’d argue that the contemplation of using drones would trigger a need for a DPIA to help ensure that the use respected Data Protection by Design / by Default.
The County Council’s response was that drones were used between 10th April and 29th April 2020. So, at some time prior to the 10th of April a DPIA should have been done.
Question 2 clarified the purpose for the use of the drones. Was there any intention to process personal data?
The Council used the recordings to inform them “whether any further increase in population movement was evident between the 10th and 29th of April 2020, by examining vehicle volumes”. So, the purpose was to count vehicles and monitor vehicle movements.
Question 3 examines the legal basis for the use of the drones.
This is where things get a little squirrely for me. The Council advised the DPC that, given the public health situation, their function as a local authority, and “the functions permitted under COVID 19 regulations”, their actions were “measured, proportionate, and essential”.
There is only one problem. Unless they were instructed by a Medical Officer of Health to put drones in the sky, there is no legal basis for such processing. The operative legislation is the Health Act 1947, as amended by the Health (Preservation and Protection and other Emergency Measures in the Public Interest) Act 2020, and SI 390/1981, specifically Regulation 11 of that SI, and SI 121/2020. NOWHERE is a surveillance function for a Local Authority defined in that legislation.
So, measured, proportionate, but potentially lacking a legal basis.
Bear in mind, I’ve read the 130 pages of internal correspondence and documentation that Wexford County Council provided me in response to my FOI. It wasn’t clear what legal basis or framework they were relying on at all, even to them.
Question 4 deals with whether the Data Protection Act actually applies. Based on the information that Wexford County Council provided, I’d agree with the DPC’s apparent view that this is outside the scope of the Act as individuals and vehicle identification numbers couldn’t be identified from the footage. The drones were flown at altitude and were not using a sufficiently high resolution camera.
2. The DPIA Question
The DPC’s letter to me tells me that they have slapped Wexford County Council’s wrist and that they have updated their Drone Policy to require a “Data Protection Impact Statement” to be completed before drones are bought or used. The DPC will take these commitments into account in future.
While there has been a remedial action taken, a few things rankle with me:
- It’s not a “STATEMENT”, it’s an “ASSESSMENT” – if Wexford County Council are adopting a ‘tick box’ approach to this they are doing it very wrong.
- There appears to be no sanction of any kind for a failure to do a basic thing from a Data Protection Governance perspective.
The core of my complaint actually hasn’t been addressed. No DPIA was undertaken in contravention of Article 35. This needed to be an explicit stated finding of the DPC in my view. After all, I handed them a signed confession to that bit. As it stands, the engagement by the DPC appears to have been one of retrospectively determining if a breach of other rights and freedoms arose rather than taking the easy win of a definite enforcement action for a clear-cut infringement of the legislation.
Yes, Wexford County Council has promised not to be naughty in future and has made changes to their policies and procedures. But a “no harm, no foul” approach here is less than ideal. After all, Local Authorities have been the subject of a special investigation into Community CCTV. Therefore, knowledge and awareness of the requirements on Public Bodies to undertake DPIAs should have been there, particularly for surveillance over public areas.
What next?
I’ve written to the DPC to confirm if they used any of their enforcement powers under Article 58 of GDPR in relation to the specific contravention in respect of the Data Protection Impact Assessment. I’ve also FOI’d Wexford County Council for correspondence between them and the DPC between June and August, and a copy of any DPIA that may have been done for the use of drones for any purposes. I’m interested to understand more of the approach taken by the DPC to this case.
After all, the reticence of the DPC to actually levy a sanction here is a concern. It was an open goal. A simple case, with a complaint that included a signed confession. A formal decision that a breach had occurred would have been useful, particularly as senior staff in other local authorities have expressed incredulity to me that a DPIA might be needed for launching a camera-enabled drone.
Hopefully the DPC will issue updated guidance specifically in respect of the application of Data Protection by Design to the use of Drones. After all, it was only an exam question in the Law Society of Ireland’s Certificate in Data Protection Practice four times since 2013 (I know… I set the exam).