According to press reports in Canada, controversial airport scanners that “see-through” the clothes of travellers have received the blessing of Canada's Privacy Commissioner. An assistant Federal Privacy Commissioner has told the press that Canada’s National Air Security Agency has successfully answered all questions about individual privacy.
The proposal has stirred controversy in the UK because the scanners produce a three-dimensional outline of an individual’s naked body. However, under the plans approved by Canada’s Federal Privacy Commissioner, the officer viewing the image would be in a separate room and never see the actual traveller. Only people singled out for extra screening would be scanned, and even then, there would be the option of having a physical pat-down instead.
In the UK, therefore, one can expect similar procedures. Note that the Data Protection Act is engaged because each ghostly image will be associated with other identifying information already in the possession of the data controller (e.g. the boarding card identification details of the data subject). This means the data controller has to be fair – so not only has there to be signage (which alerts each data subject to the purpose of the scan and other information to make the processing fair) but also the outcome of the processing has to be fair (in this case, by allowing travellers an alternative to the scan so that personal data are not processed). In relation to Schedule 2, the processing has to be “necessary” in terms of the legal provisions that surround airport security.
In relation to Third and Fifth Principles, if the scan of a particular individual does not show any airport security problem, one would expect that the images would be deleted expeditiously, if not immediately. Staff would get the necessary training (Seventh Principle) so disclosures of images to staff other that the observing officer in a separate room would have to be limited to those circumstances where there was a security issue. One would expect a Privacy Impact Assessment to be undertaken by the airport in order to identify other issues prior to implementation of the scanner.
In other words, if any ghostly image of a celebrity appeared in the press, the data controller would have a lot of data protection questions to answer; evidence of malfeasance by a particular member of staff should engage the section 55 offence. If a breach were to be the result of a failure on the part of the data controller to demonstrate that the correct procedures were in place, the risk of a Monetary Penalty Notice (when they eventually arrive) would be considerable.