Inquiry into Kildare County Council - January 2023
(05/SIU/2018)
Date of Decision: 16 January 2023
This inquiry sought to assess whether Kildare County Council was processing personal data in compliance with the GDPR and the Data Protection Act 2018. The inquiry examined a number of the Council’s processing operations including its use of CCTV cameras in public places used for the purposes of prosecuting crime or other purposes.
The findings made in the decision include:
- The Council had no legal basis for personal data collected via CCTV cameras at two locations for the purposes of the prevention of criminal offences.
- The Council had no legal basis for personal data collected via CCTV cameras for the purposes of traffic management.
- The Council infringed Article 5(1)(a) GDPR by sharing the live feed of traffic management CCTV cameras with An Garda Síochána without a valid legal basis.
- The Council lacked a lawful basis to carry out surveillance with CCTV cameras which employed Automatic Number Plate Recognition technology.
- The Council did not fulfil its transparency obligations under Article 13 by failing to erect signage in respect of its CCTV processing operations.
- The Council infringed Article 32(1) of the GDPR by failing to maintain a data log that recorded user specific accesses of the CCTV camera views and recorded footage from Naas Garda Station.
- The Council infringed its obligations under Sections 71(1)(f), 72(1) and 78 of the 2018 Act by failing to implement technical or organisational security measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage of personal data collected via the camera feeds from the CCTV systems at two locations.
- The Council infringed Section 82(2) of the 2018 Act by failing to maintain a data log that recorded the identity of any individual who consulted personal data contained in the CCTV camera views and recorded footage from two locations.
- The Council infringed Section 71(1)(c) and Section 76(2) of the 2018 Act by recording CCTV of private properties, in the absence of any privacy masking technology, at one location.
- The Council infringed Section 71(10) of the 2018 Act by failing to be in a position to demonstrate that its processing of personal data via CCTV cameras at one location was not excessive to its purpose of preventing anti-social behaviour.
- The Council infringed its obligations under Sections 71(1)(f), 72(1) and 78 of the 2018 Act in connection with arrangements surrounding the transfer of personal data to An Garda Síochána using unencrypted USB sticks.
Corrective Powers Exercised:
- A temporary ban on the processing of personal data with CCTV cameras at a number of locations used for the purposes of criminal law enforcement until a legal basis can be identified.
- A temporary ban on the processing of personal data with CCTV cameras used for traffic management purposes until a legal basis can be identified.
- An order for Kildare County Council to bring its processing of personal data into compliance taking certain actions specified in the decision.
- An administrative fine of €50,000.
For more information, you can download the full decision at this link: Inquiry into Kildare County Council - January 2023 (PDF, 2.9mb).