A couple was recently awarded £8,634 each in damages after a court held that their neighbours’ surveillance system breached the Data Protection Act 1998. The Sheriff found no justification for the recording of their neighbours’ property for over two and a half years.
The pursuers (Mr and Mrs Wooley) and the defender (Mrs Nahid Akbar or Akram) fell out in 2013. In October 2013, the defender installed video and audio equipment to the external walls of their property. The CCTV cameras were deliberately set to cover Mr and Mrs Wooley’s property. They recorded every person who entered their home as well as their garden, and the audio boxes were capable of picking up conversations well beyond the Wooley’s premises. In total, there were four cameras and four audio boxes operating twenty-four hours a day. The data could be remotely accessed and was stored for periods of up to five days. The system was installed without notice, consultation, or information and Mrs Akbar only registered as a data controller in March 2015.
The video and audio recordings were personal data for the purposes of the Act. Mr and Mrs Wooley’s rights were breached as they were not informed that their data was being processed; they did not receive copies of their data; and they were unable to prevent or moderate the processing. Mrs Akbar failed in her duties as a data controller in so far as she:
- failed to register as a data controller from October 2013 to March 2015; and
- failed to comply with the first, third and fifth data-protection principles.
In relation to the first principle – that personal data should be processed fairly and lawfully – the Sheriff found multiple breaches including Mrs Akbar’s refusal to notify what data was being processed; why it was being processed; and the identity of the data controller.
The third principle is that data processing should be adequate, relevant, and not excessive. At no point did Mrs Akbar attempt to justify her surveillance system, but there were suggestions (in correspondence) that it was installed to monitor any potential incidents between the parties. The Sheriff found that Mrs Akbar’s coverage went far beyond anything she had attempted to justify, describing the measures as “extravagant, unjustified and highly visible” and “an effort to oppress”.
Finally, in relation to the fifth principle – that data processed shall not be kept for longer than necessary – the Sheriff found that the five-day retention was excessive; and that even if the alleged purpose was legitimate, Mrs Akbar should have deleted the data on a daily basis. Having found multiple breaches, the Sheriff accepted the Mr and Mrs Wooley’s calculation of damages at £10 per day per person as an appropriate remedy for the distress caused.
The Sheriff reminded anyone setting up a surveillance system to consult the ICO codes of practice and consider whether that system will intrude upon the lives of private individuals. Interestingly, the Act itself does not give any guidance as to compensation, but the Sheriff referred to the Court of Appeal case, Google v Vidal-Hall. That case established a right to compensation for distress only where there are breaches of the Act. The Sheriff explained that the sum of £10 per day per head was “probably moderate”. In doing so, the Sheriff left scope for pursuers to apply for greater compensation in future claims. It goes without saying that setting up a surveillance system should involve more than just installing CCTV equipment. Individuals should carefully consider their duties under the Act and the data protection principles in determining how their surveillance system should operate.