What are the laws around using dash cams in the United Kingdom?
Samsara dash cams are designed to help promote safe driving, exonerate drivers, and protect drivers and vehicles. Like all Samsara products, the dash cam models have been built with data privacy and security in mind.
Dash cams are legal in the UK provided they are used in line with guidelines issued by the UK privacy regulators to comply with the GDPR, namely the Data Protection Act of 2018 and ICO data protection code of practice. These guidelines are aimed at protecting the privacy of individuals and their personal data captured by surveillance cameras in the UK. UK employment law further permits the use of dash cams with the protections described below with respect to the use of dash cams that capture employee information. To help customers meet the UK guidelines for proper use of dash cams, Samsara has adopted a robust data protection framework that enables customers to balance its needs to ensure safety and security with the privacy rights of those recorded by the dash cams and to meet the following UK guidelines for proper use of dash cams:
Necessity and proportionality
Customers must demonstrate that their use of dash cams is necessary and proportionate to their goals of ensuring safety and security. Samsara provides a Data Privacy Impact Assessment (DPIA) template that our customers can complete to capture this information.
From a product perspective, Samsara carefully balances the business justification behind processing personal data with the privacy rights of data subjects. Videos are uploaded to secure, encrypted cloud storage in only two instances:
- when sensors on the dash cams and any connected devices programmatically detect a harsh event, a short video clip of the harsh event is uploaded to the cloud; and
- when authorised employees manually request a specific video clip be uploaded to the cloud. Furthermore, customers install their own cameras and thereby can ensure that only relevant areas are recorded.
Governance and control
The responsibilities and obligations of organisations involved in the operation of dash cams should be clear. Moreover, there should be clear procedures in place for how the system is used, and the information captured by the system should be stored and viewed securely.
Samsara provides customizable data access controls so that only those employees determined by the customer to have a justifiable need and proper training may access the recordings and request that video clips be uploaded to the cloud. These access controls enable our customers to comply with their internal policies and DPIA commitments scoping the use of dash cams.
Customers further can review detailed audit logs of which users requested and accessed videos and what actions they performed related to such videos. Furthermore, data stored on the dash cams and in the Cloud are encrypted at rest. Data in transit from dash cams to the Cloud is encrypted using SSL / 256 bit AES. The Amazon Web Services Cloud Instance is ISO 27001 and SOC 2 Type II certified.
Disclosure and access
Samsara has processes in place to assist our customers in responding to data access requests within the required timeframe. Our technology makes it possible to easily share specific footage. Customers are in control of when they disclose recordings to third parties and ensure that any disclosures are consistent with their internal policies and DPIA commitments as well as the safety and security purposes for which they use dash cams. Samsara will only disclose recordings when required by law.
Information should be deleted when it is no longer necessary to retain it. Samsara’s technology enables customers to ensure that collected information is deleted when no longer necessary for safety and security purposes. The dash cam devices themselves only retain a maximum of 24 to 40 hours of video that is continuously overwritten in a loop. Video that is uploaded to the cloud is automatically deleted after six months, and customers can customize the retention period based on their internal policies and DPIA commitments.
Customer should make reasonable efforts to provide fair processing information. Customers can meet the requirement to take reasonable efforts to provide fair notice of the use of dash cams by posting internal and external signage and also by making the scope of use clear to employees in internal policies that are easily accessible to them.
Audio recording requires greater justification than pure video recording. Customers can demonstrate the need via a DPIA and protect privacy interests through targeted, high quality audio recording and specific notice to individuals. Samsara dash cams having audio recording capability are by default set not to record audio, and if the customer requires this functionality, it can only be turned on through the dashboard by one of its authorised employees. Samsara cameras further incorporate the “privacy by design” features described in this document, and customers can provide relevant notice by signage and by making their internal policies accessible to employees.
While not a legal requirement, customers can choose to proactively engage with unions to educate them on the use of dash cams and the robust protections in place to protect employee privacy