An Garda Síochána - August 2019

• Year: 2019
• Date: 23 August 2019
• Section: Decisions made under data protection act 2018

Decision of the Data Protection Commission under Section 124 of the Data Protection

Act 2018 in the Case of 01/SIU/2018

Own-Volition Inquiry under Section 123 Data Protection Act, 2018

on foot of Data Protection Audit Conducted under

Section 136 of the Data Protection Act 2018 regarding

CCTV Schemes Authorised under

Section 38(3)(a) of the Garda Síochána Act 2005

Commission Decision-Maker(s):

Helen Dixon (Commissioner for Data Protection), sole member of the Commission

Date of Decision: 23 August 2019

1 | P a g e

INDEX:

1. Background………………………………………………………………………………..2

2. Applicable legal regime pertaining to the inquiry and this decision………………………3

2.1 Legal Basis – Applicable Regime………………………………………………..3

3. Materials Considered………………………………………………………………………4

4. Relevant Data Controller……………………………………………………......................5

5. Personal Data………………………………………………………………………………6

6. Analysis and Findings……………………………………………………………...............7

6.1 Governance and Oversight…………………………………………......................8

6.1.1: No restriction on bringing smart phones into CCTV monitoring

rooms and excessive access to monitoring rooms……………….…………………..8

6.1.1 – Findings…………………………………………………..……….................10

6.1.2: Governance issues in relation to access logs, auditing of

access logs, record-keeping regarding downloads, excessive retention

of footage, privacy by design and default and training of

Garda members on the use of the Garda authorised CCTV systems………………...11

6.1.2 Findings………………………………………………………………………...15

6.2 Privacy and Accountability………………………………………........................17

6.2.1 Appropriate Signage and General Transparency………………….……………17

6.2.1 Findings……………………………………………………………...................20

6.2.2 Absence of written contracts between AGS and third party data

processors…………………………………………………………………………….21

6.2.2 Finding………………………………………………………………................23

6.2.3 AGS accessing live feeds from local authority CCTV Scheme…...…………...24

6.2.3 Finding……………………………………………………………..…………..26

6.2.4 Use of ANPR cameras……………………………………………….................27

6.2.4 Findings………………………………………………………………………...29

7. Corrective Measures……………………………………………………………………….30

8. Right of Appeal…………………………………………………………………………….34

2 | P a g e

1. Background

Two officers of the Data Protection Commission (‘DPC’) were authorised on 14 June 2018 to

conduct a connected series of own-volition inquiries under section 123 of the Data Protection

Act 2018 (‘the 2018 Act’) into a broad range of issues pertaining to surveillance technologies

deployed by State authorities, in particular An Garda Síochána (‘AGS’) and the various local

authorities. In initiating the inquiries, the DPC wished:

 to establish whether any data processing that takes place in this context is in

compliance with relevant data protection laws (considered in Section 2) and

 in advance of further investment and deployment of newer surveillance technologies,

ensure that full accountability measures for the collection and processing of personal

data are in place.

Surveillance in public places has the potential to affect most if not all persons in the State. A

permanent tension exists between surveillance measures to deliver security versus other civil

liberties such as the ability to go about one’s daily business free from unnecessary supervision.

In this State, the legislature has provided for a system of authorisation by AGS of CCTV

schemes that are to operate in public places to help to deter, prevent, detect and prosecute

offences. Thirty-eight schemes have been authorised by the Garda Commissioner under section

38(3)(a) of the Garda Síochána Act 2005 (‘the 2005 Act‘).1

The inquiry leading to this decision was conducted initially by means of an audit under section

136 of the Data Protection Act 2018. This facilitated the DPC Authorised Officers in compiling

facts in relation to the operational deployment of surveillance technologies under the various

authorised schemes. The Authorised Officers made follow-up inspections at five selected

Garda Stations (corresponding to four discrete approved CCTV schemes) over a four-week

period commencing in mid-January 2019. In general, the technologies at issue in this report

relate to CCTV live feeds and recording systems and to Automatic Number Plate Recognition

Technology (“ANPR”) linked to certain of those CCTV systems.

This decision makes findings only in relation to a some of the schemes authorised by the Garda

Commissioner under section 38(3)(a) of the 2005 Act. The focus of this decision is on

operational issues pertaining to the schemes as operated by AGS. The DPC did not examine

either the criteria used to assess and approve the schemes nor whether the approval process

administered by the Garda Commissioner was correctly the undertaken. As a consequence, this

decision does not address these matters.

The Inquiry Report presents a range of issues by reference to four different approved CCTV

schemes, namely those at Tullamore, Co Offaly, Limerick, Dublin South Central and Duleek

and Donore, Co Meath. However, my decision is addressed to AGS as the relevant data

controller for all four schemes rather than to the Garda “member in charge” at the individual

locations of the schemes.

1 Section 38(3) of the Garda Síochána Act 2005 Act, Security in Public Places, states that (3) Authorisation may be given to

any or all of the following: (a) members of the Garda Síochána;