Are data controllers required to acquire the means to appropriately redact data for disclosure to subjects?

Question

Bob appears in CCTV footage that is held by all of ACME, BCME & CCME, but also features Alice and Charles. He requests access to the footage from all of the companies and receives three different responses from each:

ACME painstakingly goes through spending several hours and using special processing software blurs the faces of Alice and Charles before disclosing the redacted footage to Bob. That ACME took the pains to comply with this formality suggests that they are obligated to under the law, but are they in fact so?

BCME states that they cannot disclose the footage to Bob due to its featuring other individuals, and lack the requisite technological capabilities to suitably redact it for disclosure per Bob’s request. Bob cites the response from ACME and points out that in 30s of googling he was able to find 5 different software solutions for doing this, but BCME maintain their position that they do not wish to pay for new software and feel they are not obligated to, so maintain their refusal of disclosure on the grounds of the personal data implicating others’ (Alice & Charles’) privacy. Is this refusal proper?

CCME also lack the means to redact the footage and so refuse disclosure on these grounds, yet offer Bob the opportunity to make an appointment to come into their office to view the footage on the condition that he will not be able to save a copy of it or view it outside of their shop. Is it proper to allow one subject to study unredacted personal data of another albeit under the controller’s presence/supervision, if the data is not disclosed and given to the first subject?

Of the various elements of these three responses, which are permitted and/or required by the law?

• spending employee time preparing the data for disclosure by redacting other subjects’ personally identifiable data from it
• spending money to acquire the technological means to do that
• refusing disclosure outright
• permitting Bob to view, but not obtain, data from which other individuals may be clearly recognised

Answer 1

australia

One of the grounds for refusing access under the Privacy Act has “an unreasonable impact on the privacy of other individuals“

Whether giving Bob access to the footage (permanently or temporarily) would have such an “unreasonable impact” is a fact dependant analysis based on facts not given in the question. Each of the organisations would need to have conducted their own analysis and each might have reasonably reached different conclusions on whether giving Bob access had an “unreasonable impact”.

The legal obligation is to determine if the access request will be granted in the way the Bob wants, if it will be granted in a different way or, to state the grounds for refusal. It is possible that all of the organisations complied with the law, it is possible that none of them did (for example, even with the blurring, ACME may have revealed Alice or Charle’s personal information), or that some did and some didn’t.

If Bob is not satisfied, he has the right to request a review by the Privacy Commissioner who can uphold the organisations’ decisions or require something different. Bob has no other rights beyond that.

It is worth noting that organisations are allowed to recover their reasonable costs of complying with access requests. So, BCME could have responded “not unless you pay for the redaction”, which would have been a more robust response.