At what point does CCTV go from being an acceptable security measure to an infringement of others' privacy – or even unlawful harassment? A recent case provides useful guidance on the position and highlights the key issues that businesses need to consider.
Fairhurst v Woodard: 6 things to think about when installing CCTV outside your property
The use of CCTV and other security devices is a common way for individuals, businesses and public bodies to increase the safety and security of their property and their people. The visual and audio technology underlying these systems has become increasingly complex and sophisticated in recent years, as have the methods for gathering, analysing, storing and sharing the digital data collected. Surveillance technology is no longer a passive tool for recording images, but is now a proactive system that can be linked to AI and used for a number of activities from identifying people of interest to the police through to recording shoppers' responses to marketing activities. We have previously written about live facial recognition technology here. The use of surveillance cameras in this way has aroused public concern which has led to a strengthening of the regulatory landscape.
In this context, the recent County Court judgement of Fairhurst v Woodard is an interesting example of how the courts are likely to apply the regulatory regimes in practice. In this case, the judge decided that a homeowner who had installed security equipment in order to protect his cars, and had been dishonest with neighbours about the existence and scope of these devices, had engaged in both harassment and a breach of data protection laws.
This case was decided in the County Court and is therefore not a binding authority, and relates to residential not commercial property, but is nevertheless a useful reminder of the key principles that commercial property owners and occupiers should bear in mind when using CCTV and other security devices on and around their properties.
The parties in this case are neighbours who both have access to a shared driveway leading into a large private parking area containing a number of spaces used by local residents. Both of their properties back onto this car park. Dr Fairhurst became aware that Mr Woodard had installed a floodlight and sensor, and a video and audio surveillance camera with an integrated motion sensitive spotlight, both pointing in the direction of the car park. He had also installed a combined doorbell and video and audio surveillance system by his front door, a security camera in his windowsill which both pointed at the street, and a second spotlight camera attached to another neighbour's wall pointing down the driveway towards the car park.
Dr Fairhurst's case is that Mr Woodard was not honest with her about these devices, unnecessarily and unjustifiably invaded her privacy by their use and intimidated her when challenged about them. She argued that this amounted to a nuisance, a breach of UK data protection law and a course of conduct designed to harass her contrary to the Protection from Harassment Act 1997. She sought damages, and injunctive relief mandating the removal of the devices and forbidding the installation of further surveillance cameras. Mr Woodard denied her claims.
During the hearing, some of the main issues under investigation related to:
- the field and depth of view of each camera, in particular whether they couldn't ‘see’ Dr Fairhurst or her visitors entering and leaving her property, her car, or the car park;
- the sensitivity of their microphones;
- the extent to which the devices activated themselves automatically, or were triggered, to capture, transmit or record video images and/or associated audio from the field of view;
- whether Mr Woodard consulted neighbours sufficiently before installation or provided adequate notices or warnings after installation of the equipment; and
- how and for what purpose Mr Woodard stored and processed the data produced by his devices.
The judge found that Mr Woodard caused Dr Fairhurst alarm and distress, by his dishonesty and threatening behaviour, including a threat to set up more concealed cameras and his assertion that two of the cameras were non-operational dummies (when they were in fact active). She found that this behaviour amounted to harassment under the Protection from Harassment Act 1997, entitling Dr Fairhurst to damages for distress.
The Protection from Harassment Act 1997 was brought in primarily to deal with stalkers but has since been applied in a variety of other situations. Although Fairhurst v Woodward involved individuals, the legislation is widely framed and has been applied by the courts to bodies corporate. In particular, there have been a number of cases where banks, utilities and other businesses were found to have engaged in harassment as a result of unwarranted tactics employed in relation to debt collection activities. A business which responded to concerns about CCTV in a manner similar to Mr Woodard would probably be at risk of infringing the 1997 Act.
The nuisance claim failed. Part of that case relied on loss of privacy, the main authority for which is the Court of Appeal decision in Fearn and Ors v Board of Trustees of the Tate Gallery  EWCA Civ 104 in which the court held that mere overlooking from one property to another is not capable of giving rise to a cause of action in private nuisance. The claim for light nuisance failed on the basis that the houses were in the town, where night-time lights are a feature, as opposed to the countryside where it would be less appropriate.
The parties agreed that the images and audio files collected by Mr Woodard were personal data within the meaning of UK data protection law. Their transmission to his phone, computer or other device, and their retention and onward transmission to others (whether neighbours, the police, or the cloud for storage) constituted processing of personal data. This meant that Mr Woodard was a data controller and accordingly must comply with the principles set out in UK data protection law (see textbox below).
There are seven key data protection principles but the ones most relevant to this case were that personal data should be processed:
- lawfully, fairly and transparently;
- in line with legitimate, specified and explicit purposes; and
- both the relevant relevant data and the nature and extent of the processing should not go beyond what is necessary for those purposes.
Lawfulness and transparency
Importantly, the judge acknowledged that Mr Woodard had a legitimate interest in using the cameras to prevent crime. However, as regards transparency, the judge found that Mr Woodard tried actively to mislead Dr Fairhurst about how and whether the cameras operated and what information they captured.
The fact that he collected data outside the boundaries of his property meant that the onus was on him to satisfy the Court that such processing of data was "necessary" for the purposes of his legitimate interests. He argued that, having been scared by the attempted theft of his cars, his use of security cameras was reasonable. The judge decided that:
- the processing of data from the front doorbell did find the right balance between the parties' interests because any video personal data was likely to be collected only incidentally as Dr Fairhurst walked past, and his legitimate interest in protecting his home was not overridden by her right to avoid such incidental collection on a public street, even if it was near to her home.
- the camera which was trained on Dr Fairhurst's property was not necessary for the purposes of his legitimate interests as it was not focused on his land or cars. These could have been protected in a less intrusive way, for instance by a camera with a close focus on only the cars in his parking spaces. His argument that this sort of camera would be prohibitively expensive was unsuccessful.
- the audio personal data collected by the devices was held to be unreasonable for crime prevention purposes. A great deal of the required purpose could have been achieved without audio at all, or only picking up sound within the immediate vicinity of the device. The extent of the microphone range meant that personal data could have been captured from people who were unaware that they were being recorded, and their identities could have been revealed from the data itself, from what they said or even by their voices and they could certainly be identified with both the audio and video data used together.
The court therefore found that Mr Woodard had breached the provisions of UK data protection law, and that Dr Fairhurst was entitled to compensation and orders preventing him from continuing to breach her rights in the same or a similar manner in the future. However, before making any decision, the judge asked for further submissions from the parties in relation to both the data protection and harassment claims – so it is not yet clear exactly what remedies Dr Fairhurst will be granted.
The ICO has issued a code of practice here for organisations that use CCTV, automatic number plate recognition technology, body-worn video, drones and other systems that capture information of identifiable individuals. All entities using these systems should satisfy themselves that they have complied with its requirements. Here is a summary of its 6 key points:
- Think about how you will respect people’s privacy and uphold their rights. People have a right to privacy, so if you are thinking about installing CCTV, you have to consider how it could impact them.
- Consider whether you need to use audio. Many cameras can record sound – but this doesn’t mean you should. Only do so if it is necessary in the situation you want to use it in.
- Create a document which explains your decision and sets out why you think you need CCTV and how you plan to minimise the impact it will have on people’s privacy.
- Update your policies using the information you have gathered in steps one, two and three above.
- Pay attention to how your CCTV is set-up. Before you start using it, check the camera angle, put up signs to tell people it’s there and register with the ICO.
- Keep on top of the footage you capture. You should not keep the CCTV footage for longer than you need it and you need to keep it safe while you have it.