The Information Commissioner’s Office (ICO) has required CCTV monitoring website, Internet Eyes, to make significant changes to its operations after CCTV footage of a shopper was posted on YouTube.
Internet Eyes allows retailers to have their live surveillance footage streamed online to registered members who can get rewards if they spot and report crimes they see taking place. In January 2011, the ICO received a comp laint about a clip posted on video sharing website YouTube that contained an identifiable image of a person in a shop. The clip appeared to have been uploaded by a viewer who had used the CCTV footage streamed to their computer from the Internet Eyes website.
The ICO investigated and found that Internet Eyes had not encrypted the transfer of CCTV images it was streaming to its viewers over the internet. The company also did not keep a full record of its viewers’ activities and so was unable to identify which viewers had monitored specific footage. Internet Eyes was therefore unable to determine which viewer had posted the clip online.
On 18 May 2011, Internet Eyes agreed to the terms of an undertaking laid down by the ICO. In consideration of the Information Commissioner not exercising his powers to serve an Enforcement Notice under Section 40 of the Data Protection Act 1998, Internet Eyes undertook to ensure that personal data was processed in accordance with the Seventh Data Protection Principle. In particular, it undertook to ensure that equipment and technology used to transmit personal data, the loss of which could cause damage or distress to individuals, were encrypted using encryption software that met the current standard or equivalent. Furthermore, it undertook to ensure that a full audit trail of all user activity was implemented and the details retained for a sufficient period, so that individual, named viewers of particular footage could be identified at any time. Internet Eyes also agreed to consider carefully where it sited its cameras and to carry out adequate checks on viewers before accepting them in order to verify their identity, integrity and location.
The ICO has also required Internet Eyes, by 31 July 2011, to ensure that no viewer can access footage from cameras located in the same postcode, or in any postcode district within a 30 mile radius of the viewer’s registered location. Finally, Internet Eyes undertook to
…implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage. In particular, these measures should be aimed at preventing the unauthorised dissemination of footage by viewers signed up to the Internet Eyes scheme.
The ICO then carried out random spot checks in several shops registered with the scheme, as well as visiting the company’s office in Devon to see first-hand the changes that had been put in place. From the evidence seen so far, the ICO has said that it is satisfied that Internet Eyes is complying with the terms of the undertaking.
The ICO took this matter very seriously, although it had only received one complaint. Deputy Commissioner, David Smith, said:
CCTV footage should not end up on YouTube when it shows someone simply out doing their shopping. A person’s CCTV image is their personal data… it should only be disclosed where necessary, such as for the purposes of crime detection, and not merely for entertainment… We will… continue to keep a close watch on them and do not rule out taking more formal enforcement action if further complaints are received.