CCTV and other security measures (for example video doorbells) are increasing in popularity and can be a useful way of increasing safety and security.  However, they do raise issues in relation to the gathering, analysing, storing and sharing of the digital data that they collect. 

In the case of Fairhurst v Woodward, the parties, who were neighbours, both had access to a shared driveway which led to a large private parking area used by local residents.  Both party’s properties backed on to the parking area.  Mr Woodward had installed a floodlight, sensor and a video and audio surveillance camera with an integrated motion sensor spotlight.  Both devices pointed in the direction of the parking area.  Mr Woodward had also installed a combined doorbell, video and audio surveillance system by his front door, a security camera in his windowsill, both of which pointed towards the street, and a second spotlight camera attached to another neighbour’s wall pointed down the driveway towards the parking area. 

Dr Fairhurst became aware of all of this and brought a claim on the basis that Mr Woodward had not been honest with her about his use of these devices, that they were unnecessarily and unjustifiably invading her privacy and that Mr Woodward had intimidated her when she challenged him about them.  She argued that they amounted to:

1. a nuisance;
2. a breach of UK data protection law; and
3. a course of conduct designed to harass her contrary to The Protection from Harassment Act 1997.

Dr Fairhurst sought damages and an injunction seeking the removal of the devices and forbidding the installation of further surveillance cameras.  Mr Woodward denied the claims.

Nuisance Claim

The nuisance claim failed.  This was in part because one of the leading cases that was relied on by Dr Fairhurst had stated that mere overlooking from one property to another was not capable of giving rise to a cause of action in private nuisance.  The second aspect claimed, namely that the devices caused light nuisance, failed because the houses were in town where streetlights were a common feature.  Had the claim been brought in the countryside, things may have been different on this point. 

Harassment Claim

The Court found that Mr Woodward had caused Dr Fairhurst alarm and distress by his dishonesty and threatening behaviour, including a threat to set up more concealed cameras and his assertion that two of the cameras were non-operational deterrents when they were in fact fully operational.  The Court also found that Mr Woodward’s behaviour amounted to harassment under the 1997 Act and that Dr Fairhurst was entitled to damages for distress. 

Data Protection

The parties agreed at trial that the images and audio files collected by Mr Woodward were personal data within the meaning of the UK data protection laws.  The transmission of this data to Mr Woodward’s computer, phone and other devices and their retention and potential onward transmission did constitute data processing.  Mr Woodward was therefore a data controller and accordingly that he must comply with the UK data protection law principles.  The key principles, most relied upon in the case were that data must be processed:

• lawfully, fairly and transparently;
• in line with legitimate, specified and explicit purposes; and
• both the relevant data and the nature and extent of the processing should not go beyond what is necessary for those purposes. 

Lawfulness and Transparency

The Court acknowledged that Mr Woodward had a legitimate interest in using the cameras to prevent crime.  However, with regards to transparency, the court found that Mr Woodward had tried actively to mislead Dr Fairhurst about how and whether the cameras operated and what information they captured. 

Necessity/Proportionality

The fact that Mr Woodward collected data outside of the boundaries of his property meant that the onus was on him to satisfy the court that such data processing was necessary for the purpose of his legitimate interests.  Mr Woodward argued that his use of the security cameras was reasonable due to his having been scared by an attempted theft of his vehicles. 

The Court decided: 

• the processing of data from the front doorbell did find the right balance between the parties interests as Dr Fairhurst was only likely to be recorded if she walked past and Mr Woodward had a legitimate interest to protect his home which was not overridden by Dr Fairhurst’s right to avoid such incidental data collection on a public street, even if it was near to her home;
• the camera which was trained on Dr Fairhurst’s property was not necessary for the purposes of Mr Woodward’s legitimate interest as it was not focused on his land or vehicles; and
• the audio personal data collected by the devices was held to be unreasonable for crime prevention purposes. 

Conclusion

The Court found that Mr Woodward had breached the provisions of UK data protection law and that Dr Fairhurst was entitled to compensation and orders preventing Mr Woodward from continuing to breach her rights in the same or a similar manner in the future.  However, before making a decision, the court asked for further submissions from the parties in relation to both the data protection and harassment claims. It is not yet known what remedies Dr Fairhurst will be granted.

So what does this mean for those who are using CCTV systems on their properties?  This will depend on what data is being captured by the system.  If the system only captures images within the property boundary then the data protection laws will not apply.  However, if the wider area is captured, for example the pavement, or a neighbour’s home or garden then the data protection laws will apply and the person responsible for that CCTV system will be a data controller. 

It is therefore advisable to carefully consider whether the CCTV system is actually needed, and, if so why.  The position of the cameras is also important and whether the images need to be recorded or whether a live feed only is sufficient.  In relation to those systems with the ability to record audio, recording audio is more intrusive than capturing images alone and therefore if it can be disabled then this may be a better option. 

As a data controller, there is an obligation to ensure that those captured by the CCTV system (or may be captured) are informed of the fact that recording is taking place, keeping the data recorded secure, only keeping the data for as long as it is needed, and ensuring that it is used appropriately.  The data controller will also need to respond to certain requests from those captured by the CCTV system, including if they make a request for a copy of their data (a subject access request), if they ask for the footage to be deleted, and considering if they object to the data being captured.  

The Information Commissioner’s Office (ICO) has issued helpful guidance. 

If you have any issues in relation to the above, please do not hesitate to contact Graham Mead, a Partner in our firm’s commercial litigation team or Emma Loveday-Hill, a Senior Associate in the Data Protection Team.