Brian Craig, legal director and Rika Papadopoulou, legal assistant at UK law firm TLT, look at the data protection obligations for fleets using dashcams.

Brian Craig, legal director

A dashboard-mounted camera or ‘dashcam’ has become an important piece of technology for many industries, from taxi firms and insurers to businesses running their own fleet.

One of the main benefits of dashcams for fleet managers is that they provide a relatively inexpensive way of combating vehicle accident insurance fraud, which can cost the business financially and could harm its insurance record and brand reputation.

However, these devices are subject to the General Data Protection Regulation (GDPR) – new legislation that came into force in May 2018 that confers new data protection rights on individuals and new obligations on the companies that obtain, use and store their personal data.

The penalty for breaching the GDPR can be significant, so any business that uses dashcams needs to understand how the law applies to the camera footage and what their legal obligations are, lest they face a data breach and an investigation by the data regulator, the ICO.

The image of a person recorded by a dashcam will constitute personal data under the GDPR since it allows for the identification of an individual, in the same way as CCTV and other surveillance systems. Key considerations when capturing and storing images include:

• Businesses should have a dashcam policy that identifies the lawful basis for the processing of personal data collected from dashcams, to ensure that the processing is necessary for the purpose it aims to achieve. This might be a legal obligation or a legitimate interest, as defined by the GDPR.
• There must be a clearly defined purpose for the use of personal data captured from dashcams. The purpose (together with other privacy information, such as the lawful basis for processing) should be communicated to those who operate the dashcams and, depending on how and where the dashcams are being used, to those being filmed. Notices on fleet vehicles might help with this communication to data subjects.
• Recorded material should be securely stored and access should be restricted to authorised individuals who have been trained on data protection obligations and handled in accordance with record retention policies. Image sequences must not be altered in any way, in case they are required for evidence.
• A Data Protection Impact Assessment (DPIA) should be conducted for the processing of personal data that is likely to result in a high risk to individuals. Businesses should consider how long it is necessary to keep the recorded material and not store it for longer than this period.

The Surveillance Camera Commissioner’s Buyers’ Toolkit contains information that will be relevant for purchasers of dashcams and other surveillance camera systems.

More information on the use of surveillance equipment can be found on: the ICO guide to the GDPR; the ICO code of practice for surveillance cameras and personal information (this relates to the Data Protection Act 1998 but according to the ICO, it is still useful to refer to while this is being updated); and the Surveillance Camera Commissioner’s guidance in relation to the use of surveillance equipment which can be found on its website.