A cyclist whose bike was stolen says that data protection rules are letting the thief get away with the crime, even though security staff identified the perpetrator through CCTV footage.
Kerry Barratt had cycled into Navan town centre in County Meath on the afternoon of Tuesday 16 last week to buy school uniform for her son when her Escaper bike was stolen, reports the Sunday World.
But despite security staff believing they know the identity of the thief, the Gardai [police] are not so sure, meaning that due to what she described as “bizarre” General Data Protection Regulation (GDPR), they are unable to tell her the name of the suspect and the victim has been left frustrated despite numerous attenpts to chase officers.
Ms Barratt told the newspaper: “First of all I spoke to one of the security guards who was extremely helpful but when I asked him would he view the CCTV footage he told me he had to get Garda permission to do so as that was the rule under GDPR.
“I went straight round to the Garda station and spoke with a Ban Garda [female police officer] who gave me the go ahead for him to look at it and I went back and told him.
“In the meantime my dad came down and drove me around for a while hoping we might spot the bike but we had no luck.
“The following day the management and security staff of the centre very kindly rang me and told me they could identify the thief by their clothing but were precluded from telling me who it was because of GDPR.
“Apparently they were entitled to and have told the Gardai, but the feeling there was that the ID wasn't clear.
“One way or another I am still without any transport four days later but the whole thing seems bizarre to me,” she continued.
“It means that people are certain they know who stole my bike but legally they cannot tell me.
“It's a huge inconvenience as I sold my car three years ago to try and do my bit for the environment and now I am left without a pedal to push.
“What's even more frustrating is that I have rang the Garda station dozens of times and sent loads of emails asking them if there have been any developments but nobody answered the phone or replied to my emails,” said Ms Barratt.
“So those who should be helping me seem to be doing nothing and those who want to help me can’t. You couldn't make it up,” she added.
Adopted on 14 April 2016 and enforceable since 25 May 2018, the European Union legislation aims, among other things, to protect and control the rights of individuals in terms of the use of their personal data by commercial organisations, including capturing images through CCTV.
Law enforcement is not specifically included within GDPR, and is therefore considered to be exempt from it, as are personal or household activities and organisations related to national security.
Add new comment
9 comments
Law enforcement is specifically not included within GDPR control, and is therefore considered to be exempt from it, because they are assumed to be trustworthy and subject to specific controls, for UK, the Police and Criminal Evidence act (PACE), though IE will have their own act..
Assuming that the Gardai are being honest in their statement that they can't be sure of the identity of the thief in the CCTV footage, they nonetheless have a suspect who has been identified by the security staff who they could visit and question. Soemthing doesn't sound right here.
I do think people are being a bit harsh on the security staff (presumably security staff of the unnamed shop with CCTV covering Ms Barratt's bike?)
The security staff "were entitled to and have told the Gardai" - so the information has been disclosed to the authorities.
What the security staff are unwilling to do is disclose the name of the (suspected) perpetrator directly to the victim, because "the ID wasn't clear."
Seems fair enough to me. The Gardai have been made aware of all the relevant information (including the suspected ID). Not handing out names to members of the public (who are going to do what with that information exactly?) when there is a strong degree of doubt over the ID seems reasonable and in line with balancing the privacy rights of the suspected perpetrator with the various exemptions for legitimate interest and law enforcement.
It appears that GDPR is also used as a dodge in Ireland. Lancashire Constabulary is 'an outlier' for dodging like this, hiding behind really stupid 'interpretations' of GDPR. I have shown this one before- the statement you have to agree before a case is accepted by OpSnapLancs. My statement always includes something which contradicts this load of tripe- I have never seen, except in photos on t'net, any such a notification on a car or a bike
I wouldn't bet on it being an outlier, the Met won't tell you outcomes, citing GDPR, you basically have to threaten them with an FOI request to find out what happened to your submissions.
Over-zealous interpretation of GDPR seems to be a general effect of each Service being responsible with their own Data Protection Officer who hasn't achieved the required education and understanding that their Service people need to know.
To be fair, this is common in private enterprise too, who are subject to 5% of annual turnover in fines. Sadly the self-reporting mechanism provides discounts so that it gets pushed under the carpet as an IT problem..
Seems unlikely that there would be much appetite to fine a public service so under the carpet it goes!
(Putting aside the virtue signalling of gov.uk departments that self-report: we are SO compliant)
Absolute BS, under GDPR there is a "legitimate interest" provision; there is no reason that this information cannot be released. The law was also not designed to protect criminal activity.
When it comes to bureaucratic obstructionism, "Data Protection" is the new "Health & Safety". Close behind comes "our insurance", followed by "company policy". I await the day my doctor can't tell me my ailment for fear of "Data Protection".
Fortunately Doctors are in the top 5% academically and used to handling complexity. So there's a great chance that they will have read ico.gov.uk/gdpr and understood it..