About a year ago I revealed that enforcement of the Workplace Parking Levy would involve officers in a vehicle equipped with Automatic Number Plate Recognition (ANPR) tech touring the car parks of Nottingham, recording the registration numbers of cars parked there to determine how many spaces are being used by people working there. I suggested that this was a bit dodgy because, arguably such activity should be registered under RIPA and it would mean shunting quite a lot of individuals' personal data around which implies certain obligations. As the WPL rules do not include spaces used by Blue Badge holders i.e. people with disabilities, this includes what is defined as 'sensitive' personal data which requires explicit consent for processing. In other words, from a data protection point of view, this is some heavy shit.
Not surprisingly others are interested in this issue and there has been a rather illuminating response to a Freedom of Information request. Be amazed at this extract;
"We have determined that the information collected by our ANPR vehicle for the purposes of the WPL does not constitute personal data.
We have not completed the ICO self-assessment questionnaire.
We have obtained legal advice regarding all aspects of the Data Protection Act and the Workplace Parking Levy however, this information is exempt from disclosure under section 42 of this act as we feel releasing the information would breach legal professional privilege."
Ok, so they are claiming that records of thousands of individuals' number plates do not constitute personal data. They claim to have legal advice on this but they're not going to tell us. Handily this let's them off all the obligations for processing personal data fairly, including whether they pass it on to all and sundry which is another of my key concerns.
Let's have a look at the definition of personal data from the Information Commissioner's website;
"Personal data means data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual."
Now it's probably fair to say that this information doesn't count as personal data under part a), you can't identify somebody from their number plate alone. But what about part b)? We know that NCC has access to the DVLA database because there was a hoo-har about them allegedly being suspended from it a while back due to lax security procedures. The council also processes Blue Badge applications. There's probably more but from these two sources, combined with the ANPR data, individuals would be personally identifiable and the latter is thus personal data. No wonder they're unwilling to share the legal advice that says it isn't, it sounds well dodgy. That FoI exemption they used looks a lot less than watertight as well.
Later on in the response NCC appears to be saying that the ANPR vehicle has yet to be used in anger but it cost £93k so it will be at some point.
There is one other element of the response which has quite a lot of amusement value as well as being wrong. The questioner asked for the locations of signs at NCC's administrative boundaries informing people that they are entering ANPR surveyed areas. Here is the priceless response;
"These signs are in the public domain therefore this information is exempt from disclosure under section 21 of this act as it already publicly available."
Ok, there is an exemption under the Freedom of Information Act for information obtainable elsewhere but I'm really not sure that's what it means. The fact that the signs are physically viewable at the side of the road is not the same as a list of their locations. I hope that actually is a kind of a subtle 'fuck you' because if the FoI officer really believes that is the correct response, the work is only just beginning.
Thanks to 'Sanman' in the comments for the news that NCC's Data Protection Register Entry now includes vehicle registrations. See 'Purpose 7; Assessment and Collection of Taxes and Other Revenue', further description of purpose includes 'ADMINISTRATION AND ENFORCEMENT OF WORKPLACE PARKING LEVY' and 'Data Classes' includes 'VEHICLE REGISTRATION MARKS'.
This kind of implies that they do accept the vehicle reg numbers are personal data after all which in turn implies that the FoI response is incorrect.
1933 - Letter D
22 hours ago