The Information Commissioner’s Office has required CCTV monitoring web site Internet Eyes to make significant changes to the way it operates after CCTV footage of a shopper was posted on YouTube.
In January, the ICO received a complaint about a clip posted on YouTube that contained an identifiable image of a person in a shop. The clip appeared to have been uploaded by a viewer who had used the CCTV footage streamed to their computer from the Internet Eyes site.
Internet Eyes is a CCTV scheme that allows retailers to have their live surveillance footage watched online by individuals. The scheme operates by streaming CCTV images that are viewed by registered members who can get rewards if they spot and report crimes that they see taking place.
Deputy Commissioner, David Smith, said:
‘CCTV footage should not end up on YouTube when it shows someone simply out doing their shopping. A person’s CCTV image is their personal data. The law says that it should only be disclosed where necessary, such as for the purposes of crime detection, and not merely for entertainment. Although we have only received one complaint about Internet Eyes, we have investigated fully and have required them to make changes to the way their system operates. We are now satisfied that they have met our requirements. We will though continue to keep a close watch on them and do not rule out taking more formal enforcement action if further complaints are received.’
The ICO’s investigation found that Internet Eyes had failed to make sure that the transfer of CCTV images it was streaming to its viewers over the Internet was encrypted. The company also did not keep a full record of its viewers’ activities and so were unable to identify which viewers had monitored specific footage. This meant Internet Eyes was unable to determine which viewer posted the clip online.
On 18 May, Internet Eyes agreed to the terms of an undertaking laid down by the ICO. This committed them to make immediate changes to their service to address the privacy concerns raised. This included encrypting the transfer of CCTV images, putting in place an audit trail for viewer activity and ensuring proper checks are carried out on registered viewers. The ICO also required Internet Eyes to put a further change in place by 31 July to ensure that no viewer can access footage from cameras located in the same postcode, or in any postcode district within a 30-mile radius of the viewer’s registered location.
The ICO then carried out random spot checks in several shops registered with the scheme as well as visiting the company’s office in Devon to see first-hand the changes that had been put in place. From the evidence seen so far, the ICO is satisfied that Internet Eyes is complying with the terms of the undertaking.
A full copy of the undertaking can be viewed here.
The ICO’s CCTV Code of Practice provides guidance and advice for CCTV users on how to comply with the Data Protection Act.