Balancing Privacy and Intelligent Transport: Birmingham, UK

1. The technological framework

The United Kingdom has signed up to European and international standards for the development of the ITS sector.^[1] It has a clear technical framework setting out the technical standards for the development of ITS at city level. In line with these standards, in 2010, Birmingham City Council rolled out its strategy – the Urban Traffic Management Control programme – linking different traffic management applications and allowing data to be exchanged freely between them. ^{[2], [3]} The strategy has various digital components, such as CCTV cameras, traffic-flow monitoring and automatic number-plate systems analysis to achieve its strategic objectives, including better traffic flow, road safety and freight efficiency.

There are privacy concerns associated with these technologies, however. For instance, CCTV cameras for monitoring traffic flows and parking spaces are most likely to contravene data-protection principles. Footage containing personal information, such as licence-plate numbers or faces, may impinge on privacy. Through CCTV footage, it is easy to determine another person’s whereabouts at a given point in time. If the information falls into the wrong hands, it can disrupt citizens’ lives or even facilitate criminal activity.

Live-streaming cameras allow the city to monitor how congested the roads are and enable the public to decide which road to take based on congestion levels. The cameras are sufficiently zoomed out so no individuals can be identified.

2. Legal framework

Prior to the European Union’s (EU) General Data Protection Regulations 2016/679 (GDPR) and the UK Data Protection Act 2018 (DPA 2018), several pieces of data protection legislation were put in place to regulate the management and operation of Birmingham’s CCTV system. The city council amended local regulations on CCTV and its use in terms of privacy and data protection with the introduction of GDPR and the DPA 2018.

• GDPR^[4]

Published in 2016 and in force since 2018, the GDPR is a security and privacy law that places obligations on organisations collecting and processing personal data pertinent to EU citizens or residents.^[5] If a company collects, processes or uses such data, they must adhere to seven protection and accountability principles^[6] on: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

• DPA 2018^[7]

In compliance with the EU’s Data Protection Directive 1995, Directive 95/46/EC,^[8] the United Kingdom passed the Data Protection Act 1998,^[9] which specified that data must be used (i) fairly, lawfully and transparently, (ii) for specified, explicit purposes, (iii) in a way that is adequate, relevant and limited to only what is necessary, (vi) accurate and kept up to date, (v) kept for no longer than necessary and (vi) handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

In response to the GDPR, which was promulgated in 2016, the UK passed the DPA 2018 to further its protection of data and provide more comprehensive detail on immigration and crime prevention.^[10] The GDPR has been incorporated into UK law and has become part of the UK’s data protection law.^[11] Although the GDPR no longer applies to the data of UK citizens, companies that monitor people from the EU or receive data from the region are still bound by the GDPR.^[12]

      3. Birmingham: Open and transparent mechanism for data protection

Following the GDPR and the DPA 2018, Birmingham City Council amended its 2008 CCTV strategy to tighten rules on the collection and management of data. The 2018 Code of Practice for the Birmingham City Council CCTV Scheme emphasises: (a) the hierarchy of responsibilities, (b) the subject of access requests, (c) stricter technical standards and (d) the retention of images.

1. Hierarchy of responsibilities ^[13]

• The owner

The owner, Birmingham City Council, assumes overall responsibility for the scheme. It formulates, manages and implements policies related to the CCTV scheme. It is responsible for recruiting staff to operate the CCTV system and handling complaints. The owner also has the statutory responsibility to decide how personal data should be processed, as prescribed by the GDPR and DPA 2018.

• The manager

The manager, also Birmingham City Council, is responsible for implementing policies defined by the owner. The manager’s main responsibilities include staff management, surveillance of security procedures (for example, granting third-party authorisation to access data) and liaison with the police and other municipal departments (such as law-enforcement agencies that may need certain imagery for an enquiry). The manager examines the equipment regularly to ensure that operators are complying with the 2018 code. If the code is breached, the responsibility for implementing disciplinary measures falls to the manager.

• The supervisor

The supervisor is a designated employee(s) of the city council who tends to the operational details of security surveillance and ensures that operators respect the privacy of individuals.

• The operators

Employees of Birmingham City Council with a designated role of operator receive training to familiarise them with legal issues related to data protection and to understand and recognise privacy issues related to the CCTV systems. Only those licensed by the Security Industry Authority for the Public Space Surveillance System can operate the systems.

• Subject access requests

Clear information is given on how individuals’ data will be processed, shared, held and secured in compliance with the GDPR and DPA 2018.^[14] Individuals are also well informed of their rights and how they can exercise them. For instance, individuals have the right to know how their data are being and will be used.^[15] Other rights include the right of erasure (individuals can demand to that certain data on record be deleted), the right of access (individuals can ask for a copy of the information the city council holds on them) and the right of rectification^[16] (individuals can correct data that are incorrect or incomplete).

In addition, individuals whose images are recorded have a right to view those images and, unless they agree otherwise, be provided with a copy of them.^[17] Before disclosing CCTV images of individuals in response to subject access requests, the city council must ensure any identifying features of other individuals are obscured to avoid intruding on the privacy of third parties.^[18]

• Technical standards

The city council has also enforced regulations to ensure that the public-space CCTV system respects individuals’ privacy. The CCTV control centre is accredited under BS7958:2015 for the “operation and management of CCTV” and the system is registered with the Information Commissioner’s office (ICO),^[19] so that its CCTV footage can be used for crime prevention and the prosecution of lawbreakers.^[20]

• Retention of images

Prior to the DPA 2018, no specific minimum or maximum retention periods were in place for CCTV footage and images.^[21] Per the 2018 code of practice, all recordings are retained for a minimum of 31 days. The recording will be erased if no legitimate request for retention has been made.^[22]

If someone needs to obtain CCTV footage for legal purposes, this person must adhere to the code.^[23] For instance, if a citizen claims to have had a road collision and needs to acquire CCTV footage, he/she can only request the footage through a solicitor or insurance company. ^[24]

• Code of Practice for the Operation of Mobile CCTV

Prior to the GDPR and DPA 2018, Birmingham City Council had also introduced a code of practice to regulate the mobile CCTV system, with the primary purpose of monitoring traffic and enforcing traffic regulations. Under the code, the city council implemented the following measures to protect individual privacy and data security:

1. Road users can easily recognise vehicles that serve as mobile CCTV posts. The vehicle will bear the Birmingham City Council logo and be marked as a camera enforcement vehicle.^[25]
2. Only licensed operators are permitted to staff CCTV vehicles. While performing their duty, the operators must constantly rearrange the cameras’ position and ensure that they do not pause on any areas irrelevant to the enforcement of traffic regulations.^[26]
3. Cameras used by the CCTV vehicles are securely linked to the recording system. Digital images must be deleted once they are no longer required; data stored on the vehicles’ hard drives are erased automatically every 24 hours if not transmitted to an encrypted memory stick.^[27i]

The robust legal framework for privacy and data protection has deepened individual trust in Birmingham’s ITS system and allowed the city to expand it. The city council owns the bulk of the 79,000 surveillance cameras deployed across the city.^[28] Data collected through the CCTV and ITS system have been shared with communities to kick-start innovative projects. In addition to traffic modelling, the data are also used to make speed recommendations to drivers to avoid unnecessary stops and to cut CO₂ emissions.^[29]

Cities interested in establishing privacy and data protection policies for their ITS system can learn from Birmingham’s experience:

• Citizens’ level of trust in the ITS system, especially in CCTV cameras, is fundamental to its successful implementation. Cities should communicate positively with citizens about the upsides of the system.
• Privacy concerns about ITS systems cannot be ignored. Most importantly, cities need to introduce proper regulations to protect individuals' privacy and data.
• Increasing data transparency facilitates the implementation of ITS policies. When citizens know how cities use the data to improve urban life, they are more willing to agree with the policies and even participate.
• Sharing data collected through an ITS system is a win-win; while the city enhances road safety, the private sector unleashes the potential of data for research and development.

Regulation of an ITS system and technologies such as facial or plate recognition may vary in different countries; cities should adapt their implementation plans to national/local law.