28 July 2015
The Camera Obscura at the top of the Royal Mile has long provided visitors with a glimpse of Edinburgh going about its business. Its operation is neatly described on the website as:
“…a cross between a giant pinhole camera and a periscope. At the top of the tower is a dark chamber with a mirror on top which reflects light downwards, passing through three lenses before projecting a stunning image of the city onto a large white table.”
Fascinated visitors have watched in delight as these projected images of concertina buses are made to twist around folded paper and groups of tourists are seemingly “picked up” on a piece of card and “dropped” back onto the table. All good, harmless fun but now the 180 year old attraction finds itself in the eye of a particularly modern storm of data privacy, CCTV regulation and spying.
A new exhibit in the Edinburgh Vision room allows visitors to control a number of CCTV cameras mounted on the exterior of the building. Visitors can pan, tilt and zoom the powerful cameras which produce clear, high quality images. A number of screens inside the room display real-time images as far as the wider city scape and as close as the street and castle esplanade. In fact, the cameras can even be used to zoom into nearby properties and see local residents within their homes.
As one would expect, the use of CCTV is regulated. The Data Protection Act 1998 requires businesses that operate CCTV cameras to notify the Information Commissioner’s Office (ICO) of their activity. The Act also sets out 8 Data Protection Principles which require those using CCTV cameras to process any personal data, including images of members of the public, lawfully and fairly.
The broad definition of data in the Act includes data which “is being processed by means of equipment operating automatically in response to instructions given for that purpose”. While the Camera Obscura itself is operated manually without circuits, electrics or cables, the live CCTV images in this new exhibit must fall in to the category of personal data in terms of the Act.
The Act does contain some exemptions from the Data Protection Principles which relate to the use of CCTV. That is why the Police can use CCTV to survey members of the public using the prevention or detection of crime exemption. That is not the purpose of the Camera Obscura CCTV and it is not clear what other exemption could apply.
In any event, it has become clear that these exemptions are not intended to be applied without limit. In December 2014, when deciding the case of Ryneš v Úřad, the European Court of Justice narrowed the domestic exemption and ruled that CCTV installed on private property which captured some areas which were not owned by the operator of the system did not fall within ‘purely personal or household activity’.
The Ryneš decision prompted the ICO to update its Guidance on CCTV in May 2015. The ICO’s clear position is that CCTV should not be used unnecessarily. It is recommended that Privacy Impact Assessments are carried out before any equipment is installed in order to assess any impact on the privacy of individuals. The cameras should only be installed if they can be justified as proportionate to the needs of the operator.
This new exhibit throws up two clear problems: not only are members of the public being watched/put under surveillance without their knowledge; the images are of such high quality that people can be easily identified in their homes or hotel rooms. We believe that in the event of a complaint by an observed individual, the ICO would consider this use of CCTV to be an invasion of the person's expectation of privacy.
The ICO requires that people are made aware of surveillance through clear and prominent signs which state who is operating the cameras. Furthermore, the guidance clearly states in relation to live streaming cameras:
“If individuals can be identified then this will need to be justified and shown to be necessary and proportionate.”
We think we have an easy fix - if the exhibit’s cameras were directed inwards so that the notified and consenting visitors could themselves be the subject of the surveillance rather than unsuspecting passers-by then this may not offend the ICO – or the neighbours!!