Date: 29 December 2016
Privacy Commissioner responses to Media Enquiry on a pilot scheme on the installation of Internet Protocol (IP) cameras at six refuse deposit blackspots by The Food and Environmental Hygiene Department (FEHD)
The Food and Environmental Hygiene Department (FEHD) will launch a pilot scheme on the installation of Internet Protocol (IP) cameras at six refuse deposit blackspots in Central and Western, Sham Shui Po and Yuen Long districts on 30 December to strengthen the monitoring of illegal deposits of refuse and facilitate the planning of more effective enforcement actions.
1. Would the scheme intrude privacy?
2. Which ordinance is FEHD referring for the enforcement?
3. Has FEHD consulted Privacy Commissioner for Personal Data on choosing the blackspots and installation?
Our response is as follows:
1. The improper use of CCTV cameras for identifying a person carries a likelihood of intruding the privacy of individuals. Generally speaking, no CCTV cameras should be installed in places where people have a reason to expect privacy (e.g. changing room). CCTV systems as a whole should be properly protected from vandalism or unlawful access of the data recorded. As an independent statutory body overseeing the enforcement of the Personal Data (Privacy) Ordinance (the “Ordinance”), The Privacy Commissioner for Personal Data (“PCPD”) has issued “
Guidance on CCTV Surveillance and Use of Drones”, offering advice to organisations on determining whether CCTV should be used responsibly, such as:
-
Put up conspicuous notices at the entrance to the monitored area and affix further notices inside the area as reinforcement.
-
The personal data collected should be deleted from the CCTV as soon as practicable once the purpose of collection is fulfilled.
-
Security measures must be in place to prevent unauthorised access to the CCTV system including proper access control defining who can access the recorded images and under what circumstances.
-
Devise CCTV monitoring policies and/or procedures to ensure that matters such as the kinds of personal data held, the main purposes for which the data collected is to be used and the retention policies are clearly set out. The relevant policies or procedures should be communicated to and followed by the relevant staff members.
-
Compliance checks and audits have to be carried out regularly to review the effectiveness of the safeguards and procedures for the CCTV system.
-
If third party contractors are engaged in the provision and/or maintenance of CCTV, and have access to the CCTV images, contractual or other means must be adopted to ensure that there is no diminution in protection for the personal data accessible by contractors.
2. PCPD would not comment on other organisations discharge of their statutory functions or the execution of its duty, suffice to say that Data Protection Principle (“DPP”) 1(3) under the Ordinance provides for an exemption as specified in Part VIII of the Ordinance, where the personal data is held for the purposes of:
-
The prevention or detection of crime.
-
The apprehension, prosecution or detention of offenders.
-
Ascertaining whether the character or activities of the data subject are likely to have a significantly adverse impact on anything to which the discharge of statutory functions by the data user relates.
3. In relation to this particular case of CCTV installation, PCPD has not yet been consulted by FEHD.