Transport / Balancing Privacy and Intelligent Transport: Birmingham, UK
Case Studies
Policy Areas
Since 2010, Birmingham has been using an intelligent transport system (ITS) to improve the city’s road safety and develop traffic management-related services. The system consists of citywide surveillance cameras and closed circuit television (CCTV)-based apps. To address concerns about intrusion of privacy and data breaches, Birmingham has put in place a transparent mechanism to support the legitimate collection, processing and use of data.

Context and policy overview

Smart digital solutions involve comprehensive data collection that may impinge on people’s privacy. ITSs are one such example. They use advanced information and communications technology (ICT) – such as traffic sensors, cameras and the global positioning system (GPS) – to monitor traffic in real time and provide useful information to optimise traffic flows.

This is where data protection and privacy concerns arise. Surveillance cameras, the main component of ITS, are no longer a passive technology for capturing or retaining images. They can be used to identify and track people of interest and profile in detail the activities of individuals, for example, through automatic number-plate recognition.

The abundance of data from ITS also makes data breaches a potential problem. Between 2012 and 2013, one of the most prevalent types of data breach was unauthorised access to data, when personal data were disclosed to third parties without authorisation.

In Birmingham in the United Kingdom, where CCTV applications have become increasingly widespread, the city council has enforced more stringent regulations and rolled out measures to better protect individual privacy and data integrity.


  1. The technological framework

The United Kingdom has signed up to European and international standards for the development of the ITS sector.[1] It has a clear technical framework setting out the technical standards for the development of ITS at city level. In line with these standards, in 2010, Birmingham City Council rolled out its strategy – the Urban Traffic Management Control programme – linking different traffic management applications and allowing data to be exchanged freely between them. [2], [3] The strategy has various digital components, such as CCTV cameras, traffic-flow monitoring and automatic number-plate systems analysis to achieve its strategic objectives, including better traffic flow, road safety and freight efficiency.

There are privacy concerns associated with these technologies, however. For instance, CCTV cameras for monitoring traffic flows and parking spaces are most likely to contravene data-protection principles. Footage containing personal information, such as licence-plate numbers or faces, may impinge on privacy. Through CCTV footage, it is easy to determine another person’s whereabouts at a given point in time. If the information falls into the wrong hands, it can disrupt citizens’ lives or even facilitate criminal activity.

Live-streaming cameras allow the city to monitor how congested the roads are and enable the public to decide which road to take based on congestion levels. The cameras are sufficiently zoomed out so no individuals can be identified.

  1. Legal framework

Prior to the European Union’s (EU) General Data Protection Regulations 2016/679 (GDPR) and the UK Data Protection Act 2018 (DPA 2018), several pieces of data protection legislation were put in place to regulate the management and operation of Birmingham’s CCTV system. The city council amended local regulations on CCTV and its use in terms of privacy and data protection with the introduction of GDPR and the DPA 2018.

Published in 2016 and in force since 2018, the GDPR is a security and privacy law that places obligations on organisations collecting and processing personal data pertinent to EU citizens or residents.[5] If a company collects, processes or uses such data, they must adhere to seven protection and accountability principles[6] on: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

In compliance with the EU’s Data Protection Directive 1995, Directive 95/46/EC,[8] the United Kingdom passed the Data Protection Act 1998,[9] which specified that data must be used (i) fairly, lawfully and transparently, (ii) for specified, explicit purposes, (iii) in a way that is adequate, relevant and limited to only what is necessary, (vi) accurate and kept up to date, (v) kept for no longer than necessary and (vi) handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

In response to the GDPR, which was promulgated in 2016, the UK passed the DPA 2018 to further its protection of data and provide more comprehensive detail on immigration and crime prevention.[10] The GDPR has been incorporated into UK law and has become part of the UK’s data protection law.[11] Although the GDPR no longer applies to the data of UK citizens, companies that monitor people from the EU or receive data from the region are still bound by the GDPR.[12]

      3. Birmingham: Open and transparent mechanism for data protection

Following the GDPR and the DPA 2018, Birmingham City Council amended its 2008 CCTV strategy to tighten rules on the collection and management of data. The 2018 Code of Practice for the Birmingham City Council CCTV Scheme emphasises: (a) the hierarchy of responsibilities, (b) the subject of access requests, (c) stricter technical standards and (d) the retention of images.

  1. Hierarchy of responsibilities [13]
  • The owner

The owner, Birmingham City Council, assumes overall responsibility for the scheme. It formulates, manages and implements policies related to the CCTV scheme. It is responsible for recruiting staff to operate the CCTV system and handling complaints. The owner also has the statutory responsibility to decide how personal data should be processed, as prescribed by the GDPR and DPA 2018.

  • The manager

The manager, also Birmingham City Council, is responsible for implementing policies defined by the owner. The manager’s main responsibilities include staff management, surveillance of security procedures (for example, granting third-party authorisation to access data) and liaison with the police and other municipal departments (such as law-enforcement agencies that may need certain imagery for an enquiry). The manager examines the equipment regularly to ensure that operators are complying with the 2018 code. If the code is breached, the responsibility for implementing disciplinary measures falls to the manager.

  • The supervisor

The supervisor is a designated employee(s) of the city council who tends to the operational details of security surveillance and ensures that operators respect the privacy of individuals.

  • The operators

Employees of Birmingham City Council with a designated role of operator receive training to familiarise them with legal issues related to data protection and to understand and recognise privacy issues related to the CCTV systems. Only those licensed by the Security Industry Authority for the Public Space Surveillance System can operate the systems.

  • Subject access requests

Clear information is given on how individuals’ data will be processed, shared, held and secured in compliance with the GDPR and DPA 2018.[14] Individuals are also well informed of their rights and how they can exercise them. For instance, individuals have the right to know how their data are being and will be used.[15] Other rights include the right of erasure (individuals can demand to that certain data on record be deleted), the right of access (individuals can ask for a copy of the information the city council holds on them) and the right of rectification[16] (individuals can correct data that are incorrect or incomplete).

In addition, individuals whose images are recorded have a right to view those images and, unless they agree otherwise, be provided with a copy of them.[17] Before disclosing CCTV images of individuals in response to subject access requests, the city council must ensure any identifying features of other individuals are obscured to avoid intruding on the privacy of third parties.[18]

  • Technical standards

The city council has also enforced regulations to ensure that the public-space CCTV system respects individuals’ privacy. The CCTV control centre is accredited under BS7958:2015 for the “operation and management of CCTV” and the system is registered with the Information Commissioner’s office (ICO),[19] so that its CCTV footage can be used for crime prevention and the prosecution of lawbreakers.[20]

  • Retention of images

Prior to the DPA 2018, no specific minimum or maximum retention periods were in place for CCTV footage and images.[21] Per the 2018 code of practice, all recordings are retained for a minimum of 31 days. The recording will be erased if no legitimate request for retention has been made.[22]

If someone needs to obtain CCTV footage for legal purposes, this person must adhere to the code.[23] For instance, if a citizen claims to have had a road collision and needs to acquire CCTV footage, he/she can only request the footage through a solicitor or insurance company. [24]

  • Code of Practice for the Operation of Mobile CCTV

Prior to the GDPR and DPA 2018, Birmingham City Council had also introduced a code of practice to regulate the mobile CCTV system, with the primary purpose of monitoring traffic and enforcing traffic regulations. Under the code, the city council implemented the following measures to protect individual privacy and data security:

  1. Road users can easily recognise vehicles that serve as mobile CCTV posts. The vehicle will bear the Birmingham City Council logo and be marked as a camera enforcement vehicle.[25]
  2. Only licensed operators are permitted to staff CCTV vehicles. While performing their duty, the operators must constantly rearrange the cameras’ position and ensure that they do not pause on any areas irrelevant to the enforcement of traffic regulations.[26]
  3. Cameras used by the CCTV vehicles are securely linked to the recording system. Digital images must be deleted once they are no longer required; data stored on the vehicles’ hard drives are erased automatically every 24 hours if not transmitted to an encrypted memory stick.[27i]

Barriers and factors critical to success

Citizens’ trust and confidence in the city’s policy have contributed to Birmingham’s success. The city is a transport hub and its economy and development rely on the transport sector. Integrating the ITS system into the transport infrastructure has improved citizen safety and economic prosperity. The city council has openly shared its vision for the ITS sector and the application of data collected through the system with its citizens. This has allowed local small and medium-sized enterprises and communities to tap into the potential of traffic data and provide smart traffic services.

The most significant hurdle is privacy concerns. Although the ITS system assists the city in improving road safety and crime prevention, it may also violate individual privacy rights and breed public distrust. If left unchecked, the information may fall into the wrong hands and impinge on individual rights. The city council has adhered to the GDPR framework and introduced privacy regulations aligned with data protection principles to avoid this problem. It has also ensured that the CCTV system meets the ICO’s safety standards to avoid potential attacks from third parties.

Results and lessons learned

The robust legal framework for privacy and data protection has deepened individual trust in Birmingham’s ITS system and allowed the city to expand it. The city council owns the bulk of the 79,000 surveillance cameras deployed across the city.[28] Data collected through the CCTV and ITS system have been shared with communities to kick-start innovative projects. In addition to traffic modelling, the data are also used to make speed recommendations to drivers to avoid unnecessary stops and to cut CO2 emissions.[29]

Cities interested in establishing privacy and data protection policies for their ITS system can learn from Birmingham’s experience:

  • Citizens’ level of trust in the ITS system, especially in CCTV cameras, is fundamental to its successful implementation. Cities should communicate positively with citizens about the upsides of the system.
  • Privacy concerns about ITS systems cannot be ignored. Most importantly, cities need to introduce proper regulations to protect individuals' privacy and data.
  • Increasing data transparency facilitates the implementation of ITS policies. When citizens know how cities use the data to improve urban life, they are more willing to agree with the policies and even participate.
  • Sharing data collected through an ITS system is a win-win; while the city enhances road safety, the private sector unleashes the potential of data for research and development.

Regulation of an ITS system and technologies such as facial or plate recognition may vary in different countries; cities should adapt their implementation plans to national/local law.


[1] UK Department for Transport (2010), Intelligent Transport Systems in the UK Progress Report, London. Available at:

[2] H&T (1999), “Urban Traffic Management and Control Systems”, London. Available at:

[3] Birmingham City Council (2010), “Intelligent Transport System (ITS) Strategy for Birmingham”, Birmingham, UK. Available at:

[4] GDPR.EU (n.d.), “General Data Protection Regulation (GDPR).” Available at:

[5] GDPR.EU (n.d.), “What is GDPR, the EU’s new data protection law?” Available at:

[6i] Ibid.

[7] UK Government (2018), “Data Protection Act”, London. Available at:

[8] European Union (1995), “Data Protection Directive 1995, Directive 95/46/EC”, Brussels. Available at:

[9] UK Government (1998), “Data Protection Act 1998”, London. Available at:

[10] DPO Centre (2018), “What is the difference between the DPA 2018 and the GDPR? (and why does it matter?)”, London. Available at:

[11] Information Commissioner’s Office (ICO) (2018), “About the DPA 2018”, Wilmslow, UK. Available at:

[12] Ibid.

[13] Birmingham City Council (2018), “Code of Practice for CCTV Scheme”, Birmingham, UK. Available at:

[14] Birmingham City Council (n.d.), “Privacy Statement”, Birmingham, UK. Available at:

[15] Ibid.

[16] Ibid.

[17] “Individuals whose images are recorded have a right to view the images of themselves and, unless they agree otherwise, to be provided with a copy of the images. This must be provided within 40 calendar days of receiving a request.”
Birmingham City Council (2018), “Code of Practice for CCTV Scheme”, Birmingham, UK. Available at:

[18] ICO (2017), In the picture: A data protection code of practice for surveillance cameras and personal information, Wilmslow, UK. Available at:

[19] The ICO is the lead supervisory authority on UK data protection legislation.

[20] Birmingham City Council (n.d.), “GDPR Privacy Statement CCTV”, Birmingham, UK. Available at:

[21] ICO (2017), In the picture: A data protection code of practice for surveillance cameras and personal information, Wilmslow, UK. Available at:

[22] Birmingham City Council (2018), “Code of Practice for CCTV Scheme”, Birmingham, UK. Available at:

[23] Ibid.

[24] Birmingham City Council Control Centre (n.d.), “FAQs”, Birmingham, UK. Available at:

[25] Birmingham City Council (n.d.), “Birmingham code of practice for operation of mobile CCTV”, Birmingham, UK. Available at:

[26] Ibid.

[27] Ibid.

[28] (2018), “How many CCTV Cameras in Birmingham?” Otley, UK. Available at:

[29] Open Street Map UK CIC (2018), “Birmingham City Council: Leveraging Traffic Sensor Data.” Available at: