As technological advancements accelerate and find their ways into various aspects of modern life, they also prompt important questions about how our society should navigate the intersection of innovation and privacy.
Nowadays, in the realm of surveillance, traditional CCTV systems have evolved into advanced systems, some of which are powered by artificial intelligence. Meanwhile, the use of video cameras on drones and vehicles has brought greater effectiveness and efficiency to areas such as transport safety, building management, and public order. With surveillance tools being increasingly used, whether mounted on buildings, deployed via drones, or installed in vehicles, it has become more important than ever to ensure that such tools are used in a manner in compliance with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO).
Recognising this challenge, my Office has published updated guidelines on the use of CCTV surveillance along with a new guidance on the use of video cameras on drones and vehicles. These publications aim to provide data users with practical recommendations on the responsible use of CCTV systems as well as camera-equipped drones and in-vehicle cameras in compliance with the PDPO to ensure that personal data privacy is adequately protected.
This article seeks to set out, and explain, the recommendations made to safeguard personal data privacy as contained in the new guidelines.
Collection of personal data
Our new guidelines depict the general position on the situations when the PDPO applies and factors that data users should consider when using CCTV systems and video cameras on drones and vehicles. Generally, if a CCTV system is equipped with recording functions that capture and store images and/or videos of individuals for identification purposes, its use would involve the collection of personal data1, and the data user must comply with the PDPO, including the six data protection principles (DPPs) enumerated in Schedule 1 thereof.
Similarly, where camera-equipped drones and in-vehicle cameras capture the facial images of individuals, data users are also required to comply with the PDPO when handling recorded footage that contains personal data.
Given the distinct attributes of camera-equipped drones and in-vehicle cameras and their associated risks, operators should be particularly mindful of the need to respect individuals’ privacy. For instance, given their portability and mobility, drones may be misused to persistently monitor targeted individuals across wide areas without being detected. Their remote operation also makes it difficult for the public to anticipate the shooting range and scope of the camera or to identify the operator of a drone. Furthermore, when equipped with advanced features such as telephoto lenses or infrared sensors, drones may be used to capture personal data from a distance, further heightening privacy concerns.
On the other hand, in-vehicle cameras often record both video and audio data, capturing the faces and conversations of the vehicles’ drivers and passengers. Continuous recording of this nature without adequate justification and proper notification would be intrusive, and any misuse of the recordings, such as any unauthorised disclosure, could expose individuals to harm, including doxxing, harassment, or cyberbullying.
Lawfulness, fairness and necessity
The requirements of lawfulness and fairness are crucial to the use of surveillance technologies. Under DPP1 of the PDPO, data users must ensure that personal data is collected for a lawful purpose directly related to their functions or activities. For example, installing CCTV cameras or flying camera-equipped drones in crime “black spots” may be justified for the prevention and detection of illegal activities.
However, as mentioned in our new guidelines, placing cameras in places where individuals have a reasonable expectation of privacy, such as changing rooms or bathrooms, or conducting covert CCTV surveillance via pinhole cameras without strong justification may be considered unfair. Such practices may not only violate DPP1 of the PDPO but may also involve the commission of criminal offences such as voyeurism under the Crimes Ordinance (Cap. 200).
Furthermore, it is important for data users to consider whether the use of surveillance technologies is necessary in the circumstances of the case and whether there are less privacy-intrusive alternatives that could achieve the intended purpose. This involves identifying the problem at hand and evaluating whether the use of CCTV or other surveillance tools is a proportionate response to the problem, taking into consideration the potential intrusion on personal data privacy. For instance, if a property management company intends to tackle the issue of objects being thrown from heights, it should first gather relevant information such as incident records and assess whether installing a CCTV system is a necessary and effective solution.
Careful consideration should also be given to the scope and extent of the surveillance. Specifically, data users should determine whether continuous recording is necessary and identify the technical specifications required to achieve the intended purpose of the surveillance. In some cases, low-resolution video recording may suffice, while in other cases, high-resolution video recording may be justified. Our new guidelines have also outlined other steps that data users may take when considering whether to install CCTV, for example, consult potentially affected individuals to understand and address their concerns.
In addition, to identify the key privacy risks at an early stage, data users are encouraged to carry out a privacy impact assessment. Conducting a comprehensive privacy impact assessment not only facilitates compliance with the PDPO but also demonstrates an organisation’s accountability and commitment to protecting personal data privacy.
Notice and transparency
Informing individuals that they are under surveillance is a fundamental aspect of fairness in the handling of personal data. When individuals are made aware that they are being monitored, they can better understand how their personal data may be collected, held, processed, and used. Such transparency could foster trust and ensure compliance with the PDPO, in particular DPP1(3) and DPP5 of the PDPO.
Regarding the installation of CCTV cameras, an effective way to notify potentially affected individuals is to place clear and prominent notices in the monitored areas. This is particularly important when the cameras are not obvious or are in places where people may not expect to be subject to surveillance. Likewise, in the case of in-vehicle cameras, passengers should be informed of the existence and recording functions of the cameras through conspicuous notices placed inside the vehicle compartments.
Such notices should specify the purpose of the surveillance, the identities of the data users operating the CCTV or in-vehicle cameras, and relevant contact information for enquiries relating to personal data privacy.
In the case of drone operations, considering the potential wide coverage and mobility of drones, relying solely on the placement of physical notices near a drone’s launch site or in the area being surveilled may not be sufficient. Reasonably practicable steps that data users may take on notification are suggested in the new guidelines. When operating in public areas, data users may consider announcing the drone operations via public channels in advance. Additional visibility measures, such as using flashing lights to indicate active recording, displaying corporate logos on drones, and requiring crew members to wear clothing that identifies the responsible organisation, can increase awareness of the surveillance and help individuals identify the data users responsible for the drone operations.
Data retention and security
Regarding data retention, the longer a data user keeps recorded footage and the more sensitive the data being collected is, the higher is the risk that such data is susceptible to leakage. Under DPP2 of the PDPO, data users must take all reasonably practicable steps to ensure that personal data is not kept longer than is necessary for the purpose (or any directly related purpose) for which the data is or is to be used. For example, CCTV footage collected for security purposes should be regularly deleted if no security-related incidents are reported. Similarly, in-vehicle camera recordings should be erased in a timely manner if no relevant safety or traffic incidents have occurred.
In addition to such purging, under DPP4, data users must take all reasonably practicable steps to ensure that personal data is protected against unauthorised or accidental access, processing, erasure, loss, or use. Therefore, data users should implement adequate security measures, such as encrypting recorded footage, securing physical storage devices, and maintaining access control and relevant logs, to safeguard any recorded footage that contains personal data.
When recorded footage is stored physically (which is commonly the case with in-vehicle cameras), non-removable, solid-state storage media are preferable to removable storage devices (such as memory sticks or cards), as they reduce the risk of theft or tampering. On the other hand, if recorded footage is stored in the cloud, data users remain responsible for ensuring that the cloud service provider offers adequate security protection for the data. Data users may refer to our new guidelines for more examples and best practices to strengthen data security.
Use limitation
In terms of restrictions on the use of recorded footage, DPP3 of the PDPO stipulates that personal data shall not, without the prescribed consent (i.e., express consent given voluntarily) of the data subject, be used (which includes the transfer or disclosure of the data concerned) for a new purpose, namely, a purpose other than the purpose for which the data was to be used at the time of collection or a directly related purpose. If prescribed consent is not obtained in advance, recorded footage containing personal data should not be used for a new purpose unless any of the exemptions under Part 8 of the PDPO apply.
Given that surveillance technologies are often deployed for security purposes, it is relevant to consider the exemption under section 58(2) of the PDPO. We have highlighted in the new guidelines how this section operates such that in certain circumstances, such as for the prevention and detection of crime or for the prevention or remedying of unlawful or seriously improper conduct or dishonesty, if a data user has reasonable grounds for believing that failure to use the data would likely prejudice the aforementioned matters, the data user may use the personal data for a new purpose without obtaining the prescribed consent of the data subject.
A typical scenario illustrating this exception involves the police’s requesting CCTV footage from a building management company in connection with a criminal investigation. In these circumstances, the company may consider invoking the exemption under section 58(2) of the PDPO and disclose the relevant footage to the police without first obtaining the relevant data subject’s prescribed consent.
However, the fact that surveillance technologies are deployed for the prevention and detection of crime does not mean that any subsequent disclosure of recorded footage will automatically trigger the exemption under section 58(2) of the PDPO. Each case must be assessed on its own merits, and it is for the data user to consider whether there are reasonable grounds to believe that the failure to use the data in the circumstances would likely prejudice the prevention or detection of crime or other specified matters under section 58(1) of the PDPO.
Furthermore, if recorded footage containing personal data is disclosed without the relevant consent of the data subject, and such disclosure is made with the intent to cause, or being reckless as to whether such disclosure would cause or would likely cause, any specified harm to the data subject or a member of their family, such disclosure may constitute a “doxxing” offence under section 64(3A) or (3C) of the PDPO.
Conclusion
As Hong Kong pursues its smart city vision and explores emerging opportunities in the low-altitude economy, it seems inevitable that surveillance technologies such as CCTV systems, camera-equipped drones, and in-vehicle cameras would be increasingly deployed in enhancing operational efficiency, service delivery and public safety. Such development, however, underscores the growing importance of safeguarding personal data privacy in a tech-driven world and the need to ensure that technological advancements are kept within guardrails. I believe that the new guidelines would help operators of the aforesaid surveillance technologies to use such technologies in a responsible, accountable and lawful manner in compliance with the requirements of the PDPO. The new guidelines can be found at my Office’s website at https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_cctv_surveillance.pdf and https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_cameras_vehicles.pdf.
1 Under the PDPO, “personal data” is defined as any data (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable.