14. Data Sharing

The following relates to the sharing of data between organisations other than law enforcement agencies and other public bodies.

Typically, the data will comprise CCTV and other video surveillance technology images/footage and electronic access control data that can be used to identify individuals (data subjects).

In the case of surveillance footage it could be unwise to assume that release of the data is justified just because an overarching data sharing agreement is already in place between the parties. Requests should be considered on a case by case basis.

Where a tenant shares personal data of its employees and others with a landlord for the purpose of managing an electronic access control system it would be reasonable for the tenant to ask the landlord to enter into a formal data sharing agreement, or for the landlord & tenant to enter into a joint agreement.

Find more data sharing guidance from the Information Commissioners Office.

Data sharing between data controllers in commercial premises can, broadly speaking, fall into one of three categories where a disclosing data controller considers the release of data requested by a receiving data controller:

Category 1 Where requests are from a bona-fide insurer or legal representative (receiving data controller) and relate to pursuance of their client’s interests. A written application giving assurance that the data will be used in accordance with the requirements of the UK GDPR can be considered sufficient to allow the release.

Category 2 Request for video surveillance images/footage by a tenant of a data controller’s premises. In this case the disclosing data controller will require the receiving data controller to make formal application using a *Third Party Data Subject Access Request Form which must be carefully reviewed when deciding whether or not to allow release.

Category 3 Where a receiving data controller is a tenant of a disclosing data controller it is not unusual for the tenant to require routine copies of access control data relating to their staff. In this case the disclosing data controller and receiving data controller should agree and enter into formal data sharing agreements. (A template for a data sharing agreement can be found later in this section).

Requests for video surveillance footage should be dealt with on a case by case basis using the *Third Party Data Subject Access Request Form which must be carefully reviewed when deciding whether or not to allow release. It is for the disclosing data controller to satisfy themselves of the veracity of the request and lawfulness of the data sharing, before releasing the data.

*Sample – Third Party Data Subject Access Request Form

The VeriFi Third Party Data Subject Access Request Form can be downloaded from here.

Redaction (Blurring/Pixilation) of CCTV Images

Video surveillance footage requested pursuant to a data subject access request may include personal data relating to third parties. For example, if another individual is visible in the footage.

Best practice would be to redact the footage to obscure or remove the third party’s appearance, thereby making them unidentifiable. Unredacted footage featuring third parties should only be disclosed if it is reasonable to do so or if the third party’s consent has been obtained. Often it will not be practical to obtain consent from the third party so disclosure will turn on whether the disclosure is reasonable.

In making this decision, you should consider how invasive it would be to share the unredacted footage featuring the third party. Specific factors to consider include: 

  • Whether the footage itself is confidential. This typically won’t be the case for quasi-public places, such as shopping centres, or for shared or open areas of non-governmental office spaces. 
  • The type of personal data captured about the third party. For example, disclosing a number plate is typically less invasive than disclosing an image of a person’s face.
  • The location and the third party’s behaviour which is featured in the footage. Embarrassing or potentially incriminating footage of the third party would have the greater potential for harm if shared (assuming the request does not come from law enforcement). 

Whether disclosure would be reasonable is a case-by-case assessment and you should make a written record of the decision to redact or not. It may be helpful to put yourself in the position of the third party when making the assessment. If sharing the unredacted footage would not have any negative consequences for the third party then this would be a strong indication that the sharing is reasonable.

Third party personal data is also relevant for access requests relating to personal data other than video surveillance footage. For example, building access records and ANPR records. The redaction of such records to exclude third party personal data is generally straightforward and we would expect redaction to take place by default.

Employees Right to Privacy

Where data may be used by the receiving data controller in cases that may result in employment law disputes, the following is of interest in relation to section 5 of the third party subject access request form and clause 4 of the data sharing agreement template.  The guidance refers to CCTV, but is equally applicable to Access Control and ANPR data.

The right to privacy under Article 8 of the European Convention on Human Rights (ECHR) has been invoked in cases brought by employees who have been monitored using CCTV in their workplaces.  Even where the filming took place in public areas.

The case of Lopez Ribalda v Spain set out the following guidance on factors to be considered in deciding whether employee surveillance is proportionate under Article 8 ECHR:

  1. Whether the employee has been notified of the possibility of video-surveillance measures being adopted by the employer and of the implementation of such measures.  While in practice employees may be notified in various ways, depending on the particular factual circumstances of each case the notification should normally be clear about the nature of the monitoring, and be given prior to implementation.
  2. The extent of the monitoring by the employer and the degree of intrusion into the employee’s privacy.  In this connection, the level of privacy in the area being monitored should be taken into account, together with any limitations in time and space and the number of people who have access to the results.
  3. Whether the employer has provided legitimate reasons to justify monitoring and the extent of the monitoring.  The more intrusive the monitoring, the weightier the justification that will be required.
  4. Whether it would have been possible to set up a monitoring system based on less intrusive methods and measures.  In this connection, there should be an assessment in the light of the particular circumstances of each case as to whether the aim pursued by the employer could have been achieved through a lesser degree of interference with the employee’s privacy.
  5. The consequences of the monitoring for the employee subjected to it. Account should be taken, in particular, of the use made by the employer of the results of the monitoring and whether such results have been used to achieve the stated aim of the measure.
  6. Whether the employee has been provided with appropriate safeguards, especially where the employer’s monitoring operations are of an intrusive nature.  Such safeguards may take the form, among others, of the provision of information to the employees concerned or the staff representatives, as to the installation and extent of the monitoring, a declaration of such a measure to an independent body or the possibility of making a complaint.

Data Sharing Agreement Template

VeriFi provide Data Sharing agreements in template form (see below) upon request. It is for the disclosing and receiving data controllers to consult with their legal advisors regarding content and specific requirements before engrossment of the agreement.

Prior to December 2021 VeriFi issued generic Data Sharing Agreements, existing agreements can be allowed to continue although the agreements will no longer be supported by VeriFi and no further generic agreements will be issued.

Alternatively you can respond to requests by providing Third Party Subject Access Request Forms in the case of requests from insurers, legal representatives and others approved by the Data Controller, a copy can be found above. Copies of these completed and signed requests must be held in a secure file and any release will be properly recorded in a Data Release Log or by Secure File Sharing.

 

This Agreement is between;

  1. [name of company] of [registered office or principal place of business] who is registered with the ICO as a data controller with registration number [insert] (the “disclosing data controller”); and
  2. [name of company] of [registered office or principal place of business] who is registered with the ICO as a data controller with registration number [insert] (the “receiving data controller”).

This information must be checked against the Data Protection Public Register at www.ico.org.uk to ensure that it is current, prior to release of any data.

Failure to comply may result in an infringement of Data Protection Legislation.

The “Premises” are [address of the premises subject of this Agreement].

Whereby:

  1. The receiving data controller accepts the terms of this Data Sharing Agreement and undertakes to ensure that personal data obtained from the disclosing data controller for the Premises is processed in accordance with the requirements of current Data Protection Legislation applicable in the UK.
  2. The receiving data controller undertakes to take all reasonable steps to ensure the safe custody of any personal data released to it by the disclosing data controller.
  3. Subject to the terms of this Agreement, and upon receipt of a written application stating the receiving data controller’s intended use of the requested data, the disclosing data controller may permit the receiving data controller to have access to CCTV surveillance and other security related personal data connected with the Premises.  CCTV footage may only be released subsequent to completion of a third party subject access request form provided by the disclosing data controller.
  4. Data sharing requests relating to HR issues will not be fulfilled unless the receiving data controller can demonstrate, to the disclosing data controller’s satisfaction, that the affected data subjects had been previously informed that the surveillance and security systems operated by the disclosing data controller may be used to monitor those data subjects when carrying out work duties.  The disclosing data controller’s decision on this matter shall be final.
  5. Data/images will only be released in the form of controlled media or secure file sharing decided by the disclosing data controller. 
  6. Release/transfer of the personal data to the receiving data controller by physical media, such as USB flash memory device, will be by recorded in the disclosing data controller’s data release log and signed for by the Representative of the receiving data controller (see clause 8) or a Nominated Deputy (see clause 9).
  7. The receiving data controller accepts that its representatives may be required to provide photographic ID in the form of a drivers licence, passport or company ID badge before they are permitted to view or receive personal data from the disclosing data controller.
  8. “Representative” of the receiving data controller:
    [Title | Full name | Position]
  9. “Nominated Deputies” of the receiving data controller:
    [Title | Full name | Position]
    [Title | Full name | Position]
    [Title | Full name | Position]

SIGNED BY the receiving data controller acting by its authorised signatory:

Signature

Name

Date

SIGNED BY the disclosing data controller acting by its authorised signatory:

Signature

Name

Date