A dashboard mounted camera or "dashcam" is an inexpensive way businesses can combat vehicle accident insurance fraud. But these devices are subject to the General Data Protection Regulation (GDPR).
The image of a person recorded by a dashcam will constitute personal data under the GDPR since it allows for the identification of an individual, in the same way as CCTV and other surveillance systems. If your business is using dashcams, here are some of the key things that you should take into account to comply with the law when capturing and storing images:
- Have a dashcam policy that identifies the lawful basis for the processing of personal data collected from dashcams to ensure that the processing is necessary for the purpose it aims to achieve. For example, you may be able to point to a legal obligation or you may be able to establish a legitimate interest for the processing of that data.
- There must be a clearly defined purpose for the use of personal data captured from dashcams. The purpose (together with other privacy information, such as the lawful basis for processing) should be communicated to those who operate the dashcams and, depending on how and where the dashcams are being used, to those being filmed.Notices on fleet vehicles might help with this communication to data subjects.
- Recorded material should be securely stored and access should be restricted to authorised individuals who have been trained on data protection obligations and handled in accordance with record retention policies. Image sequences must not be altered in any way, in case they are required for evidence.
- A Data Protection Impact Assessment (DPIA) should be conducted for the processing of personal data that is likely to result in a high risk to individuals. You should consider how long it is necessary to keep the recorded material and not store it for longer than this period.
If you are a business involved in the sale of dashcams, you may want to consider what information you should provide to your customers in relation to GDPR compliance. The Surveillance Camera Commissioner's Buyers' Toolkit contains information that will be relevant for purchasers of dashcams as well as surveillance camera systems.
What about action cameras that we see in many aspects of daily life? Cyclists, for example, may use devices such as GoPro's to share exciting rides with fellow cyclists. If these are used in the course of purely personal or household activities, the GDPR will not apply. However, if images captured through these cameras are used for evidential purposes (for example, in the event of a road traffic accident), sharing these images will be subject to the requirements of the GDPR.
More information on the use of surveillance equipment can be found on: the ICO Guide to the GDPR; the ICO code of practice for surveillance cameras and personal information (this relates to the Data Protection Act 1998 but according to the ICO, it is still useful to refer to while it is being updated); and the Surveillance Camera Commissioner's guidance in relation to the use of surveillance equipment which can be found on its website.