Eye in the sky

There’s nothing that says ‘Silly Season’ more than a Twitterstorm about a photograph of the top of a comedian’s head. After the National Police Air Service (NPAS) tweeted an image of the comedian Michael McIntyre, inviting their followers to guess who it was (it was Michael McIntyre), a variety of human rights lawyers, legal commentators, data protection experts and morons weighed in to give their view. In itself, the incident was not significant and seemingly no harm was done to Mr McIntyre. However, there are serious questions to be answered here. While I could forgive the Information Commissioner for brushing it off as a lot of fuss about nothing, they shouldn’t.

Firstly, it is a Data Protection breach to tweet a photograph of an individual in such circumstances. If you are new to this blog (Hi, how are you, that’s a lovely item of clothing you have on), then you might not understand my impatience with the argument that McIntyre was in public and therefore DP does not apply, McIntyre has no expectations of privacy, blah, blah, stupid blah. I’ve dealt with it many times before. Data Protection applies whenever personal data is gathered: filming someone in the street is less intrusive and therefore less likely to breach the DPA fairness and excessive provisions than filming someone in the shower, but the law still applies.Data Protection always requires the person gathering the data to meet a data protection condition. Nothing in the Act removes this requirement if the data is gathered from a public place, which is why the Information Commissioner has published detailed codes of practice on public space CCTV since the current DPA’s inception, and has had to revise it significantly twice because of CCTV’s complexity. If you don’t agree, tell me in the comments which section of the Act says that I am wrong.

While I am writing this, Radio 4’s Today programme is covering the story, and John Humphrys has just asked the crucial question: “what on earth does this have to do with policing?“. That’s what makes it a breach, because the answer is ‘nothing’. Policing organisations have wider scope to process personal data than other bodies, but only for national security and crime prevention & detection. Celeb-spotting comes under neither heading. NPAS would need to demonstrate that tweeting a picture of McIntyre was fair, lawful, and was necessary for a legitimate interest causing no unwarranted harm to McIntyre’s interests (the only data protection condition for processing that would apply here. They would have to show that the use of personal data outside the original policing purpose (which is what they’re up there for) was not incompatible. They would need to demonstrate that the use of McIntyre’s image was relevant to the policing purpose and not excessive. If you’re wondering, what I’m doing here is simply running through the Data Protection principles, and I’ve got multiple breaches just from the first three.

Even this innocuous image could have caused harm. The woman standing next to McIntyre in the picture is his publicist and they were leaving Global Radio’s studios after an interview. But what if NPAS inadvertently tweeted a picture of a celebrity and the person they were having an affair with? In 1995, CCTV operators in Brentwood Council once saw a man walking down the street carrying a knife and contacted the police. After the incident was resolved, Brentwood proudly shared images of the man to show how their CCTV system had tackled a dangerous individual, and his identity was subsequently revealed in the media. Except that Mr Peck wasn’t a danger to anyone but himself, and the Council obliged Mr Peck to reveal the details of his suicide attempt to family and friends who may not otherwise have known, as well as effectively libelling him. After eight years, Mr Peck rightly won a privacy case at the European Court of Human Rights. Bodies with the power to watch and record us should not casually toss images of us around without a proper justification.

I have wider concerns. If NPAS are merrily spotting celebrities and tweeting the results to thousands of people, what else are they doing? What do they do if they spot someone that they know? Will we get down-top shots of young women? Fat-shaming tweets if they see someone who is massively obese? The ICO’s CCTV Code of Practice places a strong emphasis on the requirement for CCTV operators to receive detailed training, but this casually intrusive incident doesn’t suggest that it’s working. In fact, I suspect that this incident is the tip of an iceberg that goes very deep. We’ve already seen police CCTV operators jailed for voyeurism; if the police don’t treat their surveillance with single-minded professionalism, that’s where this will end up. The tweet has been deleted, but if someone somewhere isn’t investigating what else has gone wrong, they should be.

The question of who should be doing that is a good one. NPAS describes itself as “a truly national (England and Wales) policing service“. It is hosted by West Yorkshire Police, but provides air support to all police forces in England and Wales. When scouring the skies of London for stand-up comedians, it is clearly providing a service to the Metropolitan Police. There are therefore a range of possibilities as to who is responsible, in Data Protection parlance, who is the Data Controller? Is NPAS a data processor for each force, in which case Met Police should answer for what happened here (and more importantly for the other more serious breaches of DP that I suspect have occurred). Is NPAS a data controller jointly with the Met Police, so they are both responsible? This is my guess, but my esteemed colleague Jon Baines has already noted that NPAS hasn’t completed a Data Protection notification, which if they are a Data Controller would be a criminal offence. If NPAS is a processor for the forces, each one of them would need to subject NPAS to a legally binding contract meeting all of the requirements of the 7th Data Protection principle. It’s a mess, but not one that the forces and Information Commissioner should be allowed to ignore.

I have already met a few people on Twitter whose knee-jerk understanding of Data Protection convinces them that this is nonsense. It’s not a breach, it’s not even personal data. It’s all in the public domain, and there’s nothing to see here but Michael McIntyre’s head. If those people are happy with this, they’re saying that the next time they furtively pick their nose, adjust their balls or their boobs while nobody is looking, or just walk down the street minding their own business, the police can record it and broadcast it to the world, and that’s just fine. I don’t think they should be allowed to make that decision for everyone else.