We recently wrote about the first fine for noncompliance with the General Data Protection Regulation imposed by the president of Poland’s Personal Data Protection Office. Data protection authorities in other EU member states are also displaying notable initiative in conducting inspections and imposing fines. A few days ago the Information Commissioner’s Office in the UK imposed a fine of GBP 120,000 on a television production company for failing to provide adequate information to subjects who were filmed and recorded by devices at a healthcare facility, and failing to obtain their consent to film and record them. The case involved occurrences between July and November 2017—before the GDPR entered into force—but may nonetheless prove relevant for interpreting the obligations imposed on data controllers under the GDPR.
Type of data processed is essential
The case involved installation by the respondent of CCTV cameras and microphones in a room used for examination of female patients at a hospital. The material was recorded for a documentary on miscarriages. In the proceeding, the ICO found that the company had the hospital’s consent to install the devices at the hospital, but did not provide the patients with comprehensive information on the recording.
The ICO found that typically patients do not anticipate that they will be filmed in such settings. The material gathered contained sensitive data of patients, and the fact that the TV programme was educational in nature did not excuse the company’s actions and failings. The ICO also stressed that all entities processing personal data, regardless of the aim of their operations, must comply with applicable law, particularly when the data being processed are subject to special protection. The ICO could find no circumstances relieving the company from the obligation to provide effective notice to the subjects that they would be recorded.
Not just any notice is adequate
Significantly, the company did post a notice next to the cameras and in the waiting room with limited information about the recording, and also distributed printed notices on tables used by waiting patients. But these materials did not contain sufficient information, according to the ICO, and also erroneously indicated that the recording would not be conducted without the patients’ consent. This violated the principle of transparency of data processing, primarily because patients at a healthcare facility normally do not expect to be recorded, for example during a consultation with their doctor.
This reasoning by the ICO is also consistent with the approach taken in the GDPR: in the event of any processing of personal data, it is essential to determine the type of data processed and to select processing means and mechanisms adequate to the specific type of data. Notice of the data processing cannot be regarded as adequate when, first, it may be regarded as illusory (not providing effective notice of the processing), and second, may mislead the data subjects as to the basis for the processing.