• Dear Guest, and welcome to RailUK Forums. Our non-railway discussion forums are currently restricted until members have five or more posts, and you will not be able to make a new thread or reply to an existing one in this section until you have made five or more posts elsewhere on the forum.

CCTV: Regulations and GDPR

Huntergreed

Established Member
Joined
16 Jan 2016
Messages
2,090
Location
Coach J Seat 39
Not sure of the best forum to place this thread in, the thread could equally apply in general discussion.

First of all, this is not another thread to discuss the effectiveness and/or mandation of face coverings, which has been done to death.

Scotrail have published an article, where they state that they are using CCTV to monitor the compliance of their passengers with the mask mandate on public transport in Scotland:

The train operator’s CCTV centres carry out daily monitoring of face covering compliance across Scotland’s Railway, which shows around three quarters of passengers are obeying the law.

(https://www.scotrail.co.uk/about-sc...d-and-british-transport-police-encourage-face)

My question is, is this lawful use of CCTV and is using CCTV in this way permitted in line with GDPR requirements?

Under my (very limited) understanding, CCTV can only be used in the way for which it has been intended (which for the railway I imagine this is for “safety and security”) - it certainly doesn’t sound lawful and/or morally acceptable to be using CCTV in this way. Can anyone who is more knowledgeable in this offer a more informed insight into using footage for this purpose?
 
Sponsor Post - registered members do not see these adverts; click here to register, or click here to log in
R

RailUK Forums

duncombec

Member
Joined
3 Sep 2014
Messages
360
An interesting one - CCTV is covered by GDPR, but is usually fairly easy to justify on the basis of legitimate interest (e.g. protection of property) or "public task" (e.g. local government buildings).

I think a very broad-brush understanding would be that they have told people they are using it (questionably how well) and some would argue it is in the public interest, so they could probably argue their way out of it. Are face coverings still mandatory in Scotland? (In which case it is covered by "law enforcement).

The other question would be: are they actually using it to identify people and fine them accordingly, is it just someone who happens to notice it whilst scanning for other things (e.g. standard station/train surveillance), or are they checking it after the fact and coming after you by cross referencing against personally identifiable tickets/smartcards (if they exist) weeks later.

I'd be surprised if Scotrail had gone public on their use without checking a more informed source... not to say that source will be correct either, but GDPR has substantially fewer holes in it than the DPA(s) that went before it and is substantially less open to interpretation.
 

bengley

Established Member
Joined
18 May 2008
Messages
1,607
Additionally, how do they know that 'three quarters of people are obeying the law'?

Surely a good percentage of those not wearing fave coverings could be exempt?
 

greyman42

Established Member
Joined
14 Aug 2017
Messages
2,853
Two of the cameras on the Settle to Carlisle web cam were, i believe, removed from the web site for reasons to do with GDPR. Perhaps someone can expand on that?
 

island

Veteran Member
Joined
30 Dec 2010
Messages
12,599
Location
0036
It is likely that this processing will be lawful by virtue of UK GDPR Article 6 (1) (e) (processing necessary for the performance of a task carried out in the public interest) and/or 6 (1) (f) (processing is necessary in pursuance of the legitimate interests of the data controller). They must inform data subjects that their data is being processed this way, and offer the usual rights of access etc., which they appear to have done.

They do not qualify under the law enforcement rules as ScotRail is not a listed authority in schedule 7 to the Data Protection Act 2018 nor does it have a statutory responsibility for law enforcement.

The other question would be: are they actually using it to identify people and fine them accordingly, is it just someone who happens to notice it whilst scanning for other things (e.g. standard station/train surveillance)
Almost certainly
or are they checking it after the fact and coming after you by cross referencing against personally identifiable tickets/smartcards (if they exist) weeks later.
Almost certainly not, as ASR have no power to issue fines or prosecute anyone.
 

duncombec

Member
Joined
3 Sep 2014
Messages
360
Thanks @island for checking the references for me - I wasn't in a position to quote the relevant sections so had to rely on easily findable online commentary!
 

35B

Established Member
Joined
19 Dec 2011
Messages
1,892
It is likely that this processing will be lawful by virtue of UK GDPR Article 6 (1) (e) (processing necessary for the performance of a task carried out in the public interest) and/or 6 (1) (f) (processing is necessary in pursuance of the legitimate interests of the data controller). They must inform data subjects that their data is being processed this way, and offer the usual rights of access etc., which they appear to have done.

They do not qualify under the law enforcement rules as ScotRail is not a listed authority in schedule 7 to the Data Protection Act 2018 nor does it have a statutory responsibility for law enforcement.


Almost certainly

Almost certainly not, as ASR have no power to issue fines or prosecute anyone.
Without comment on the merits of this approach, I'll also observe that it is common under English law for the holders of a premises license to be required to maintain CCTV, and to share the recordings with the police in the event of an incident. From experience of working that through with police, council and ICO registration, the effect of that is that the cctv recording is by the premises operator, but enforcement using the recordings is under the police's powers of law enforcement. Although IANAL applies, in the premises I have specific knowledge of, our CCTV recordings were admissible evidence in a criminal trial/

Assuming Scottish law is reasonably similar to English in this area, this implies to me that, although Scotrail are not a law enforcement body, their recordings could be made available to Police Scotland upon their request.

If I were to try to oppose these measures, I would therefore not seek to rely on GDPR protection as it is sufficiently loose that it wouldn't provide protection. I would instead focus on freedom of information law, and using that to establish what instructions had been given to police and prosecutors over the approach to enforcement of the laws on mask wearing.
 

island

Veteran Member
Joined
30 Dec 2010
Messages
12,599
Location
0036
Without comment on the merits of this approach, I'll also observe that it is common under English law for the holders of a premises license to be required to maintain CCTV, and to share the recordings with the police in the event of an incident. From experience of working that through with police, council and ICO registration, the effect of that is that the cctv recording is by the premises operator, but enforcement using the recordings is under the police's powers of law enforcement.
I think it would actually mean that the basis for collecting and retaining the data is to comply with a legal obligation, but nothing turns on that. However...
Assuming Scottish law is reasonably similar to English in this area, this implies to me that, although Scotrail are not a law enforcement body, their recordings could be made available to Police Scotland upon their request.
ScotRail does not hold a premises licence so that would fall down.
 

35B

Established Member
Joined
19 Dec 2011
Messages
1,892
I think it would actually mean that the basis for collecting and retaining the data is to comply with a legal obligation, but nothing turns on that. However...

ScotRail does not hold a premises licence so that would fall down.
I was in the dangerous area of analogy, not trying to suggest that the requirements of a premises licence would apply. Other legal obligations also exist in addition to premises licensing, and in the context of GDPR, much would turn on that.
 

Top