Who can submit video DSARs?
The short answer? Anyone can submit DSARs.
While requests from customers tend to be common, DSAR requests are not limited to these circumstances. Employees, contractors, job candidates, and contractors are all people who can submit a DSAR to an organisation. Furthermore, members of the public can make submissions to public bodies and local authorities.
Individuals: Through a ʻsubject access requestʼ individuals can request all the video footage a business has on them - ʻCan you send me the footage you have of me in the bar from Friday night? ʼ
Police: For incidents, Police access CCTV video footage to help with their investigations; data that can then be reviewed by legal teams under legal privilege and potentially supplied to court as evidence.
Business functions: More demands are being made on security video as a source of valuable business data for analytics in retail and other environments.
Why might someone want to request video footage?
People may make video DSARs because of a course of legal action whereby the data subject requires evidence to support whatever case or claim they might be pursuing. It may also be necessary to acquit or prove wrongdoing. Because of this, a common recipient of video DSARs is law enforcement departments, such as the police. Additionally, transport services, retail stores, employment sites, or educational institutions are likely to receive video DSARs.
For example, in the transport industry, a common reason CCTV is requested is for evidence when making personal injury claims through insurance. COVID restrictions being lifted in transport has meant DSARs have risen almost as high as pre-pandemic levels. Likewise, as body-worn cameras are being increasingly used in the retail sector to help combat staff abuse since the COVID pandemic, retailers may find an increase in video DSARs from employees and customers.
How do you receive DSARs?
DSARs can come in several different forms including letters, emails, phone calls, social media, or even in person. Video DSARs are often made due to personal injury and individuals wanting video evidence for legal proceedings.
In certain cases, individuals can also submit DSARs on behalf of another person. In these type of situations, this includes:
A legal representative requesting on behalf of a client
A friend or relative of the data subject (with the consent of the data subject)
A parent or guardian requesting on behalf of a child
If someone is submitting on behalf of someone else, there is extra emphasis on the recipient of the DSAR to make sure that the request is both genuine and has sufficient material provided as evidentiary material. In these cases, written authorisation from the data subject will be required to authenticate the request.
This is the “right of access” - where individuals are entitled to ask organisations whether they are using or storing their personal information and the right to ask for copies of this information. This right is also a way to help data subjects feel empowered to ensure their data is being processed and shared lawfully, and is reinforced in the Data Protection Act 2018.
Legally, data controllers/processors who receive DSARs have 30 days from the day they receive a request to respond.
This means they have to inform the data subject of how their data is used and why and locate and share the data they hold (unless stated exceptions apply). These requests can be submitted orally, in writing, or through social media.
For video, this means individuals can request access to CCTV footage, body-worn camera footage, or other forms of video footage the data subject is in (provided no exemptions apply).
DSARs exist to give people increased data rights. But, they also need to be carried out in a way that is respectful of the data privacy rights of all parties involved.
When video captures more than the data subject, organisations have to consider how to protect the personal information and privacy of others. This is when redaction comes in.
The redaction process is vital, as before you release any data to the data subject, you need to remove all personal data not belonging to them. Of course, there are different exceptions depending on the use case - e.g. journalistic documents, court cases, criminal cases, etc. - but knowing how to properly redact data is fundamental.