Data privacy and virtual tours

As a seller or tenant, having a series of complete strangers arriving to poke around your property can feel like a serious intrusion. Add to that the current Covid restrictions, and suddenly the advantages of being able to show residential or commercial property to prospective purchasers or tenants online via a 3D virtual tour, rather than in person, are pretty self-evident. However, estate agents and their clients seeking to take advantage of this tool need to give serious thought to the security and data protection implications that arise from recording and displaying such video footage – or indeed any still photograph of a private or commercial space. Data on show The BBC recently reported an incident which affected the sellers of a house in Devon, where the estate agent’s 3D video of their property left a large amount of personal data clearly visible, due to a lack of adequate security measures. Under the UK General Data Protection Regulation, the estate agent which collected the personal data in the video will be regarded as the data controller. It has a primary responsibility to protect the privacy of a client’s personal data, not least because it is unclear whether the instructions received from the client specifically addressed data privacy issues. In this case, anyone visiting the agent’s website and taking the virtual tour was given high-resolution access to the seller’s personal information, ranging from family photographs on display to bank and insurance documents, share dividend cheques, an asthma inhaler and even an invoice for the stairlift they had purchased. We do not know what the seller of this property, in agreeing to allow the estate agent to create the virtual tour and then giving their “verbal permission” for it to be shared with potential buyers, was told or assumed about the security of their private information. However, it is relatively easy to arrange for such details to be obscured or blurred, as is the case, for example, on Google Streetview. The personal information disclosed not only puts the seller at increased risk of identity theft, it also constitutes a breach of data protection legislation. UK data privacy laws state that any information that can identify a living individual is personal data, and therefore subject to the provisions of the UK GDPR.  Personal or household activities are exempt, so if an individual was to record a video of their own home, or allow a friend to do so, and then post it on social media, this would not be caught by UK GDPR. However, the exemption does not apply to professional or commercial activities and in this case, the estate agents were clearly making and using the video in order to advertise the client’s house for sale. More seriously, certain “special category” data was also discernible from the tour. This includes personal data relating to an individual’s health or political views. Special category data must be treated with additional care and security to prevent unauthorised disclosure, since the consequences of a breach could be even more damaging. The images of inhalers and the stairlift invoice should therefore be regarded as even more serious breaches. This story highlights how alarmingly easy it is to breach personal data rights without necessarily even realising that you are doing it. Action must be taken This incident has been reported to the Information Commissioner’s Office as a data breach. Any estate agent responsible for a similar breach must do the same. There is a strict time limit of 72 hours from the time of discovering a breach in which a report needs to be made to the ICO. Any delay beyond this time period can result in stronger enforcement measures, possibly including a fine. The fact the homeowners knew the video had been taken – and presumably also knew that they had left all of this data in plain sight – might be regarded by the ICO as a mitigating factor, particularly if the video had been sent to the client for approval before it was uploaded. In those circumstances, the agent could try to argue the client was at least in part to blame for the breach – but this probably won’t help to mend the relationship with their client. It is easy to see how in a commercial property context similar issues might arise, for example if footage is taken of individuals inside the building at the time of filming without their consent, or where an employee’s personal photographs or other personal data might be on display in an office space and captured in the virtual tour. Although not covered by UK GDPR, similar security considerations should apply to other confidential materials. This is a cautionary tale highlighting that agents need to be aware of their obligations under UK GDPR regarding clients’ personal data, and take active precautionary measures to hide or obscure anything that could identify their clients. One way to approach this might be to undertake a data privacy impact assessment together with the client before the footage is captured to work through what might need to be removed or obscured. And as for property owners, they should ensure that all sensitive and confidential papers or other materials be cleared away before a virtual tour is recorded (or any photographs taken). This is equally important before inviting a prospective purchaser or tenant to view a property in person. In addition, they should also be asked to check and approve any material that their agent wishes to post on its website so that, if any personal or confidential data still appears, it is either with the express consent of the relevant data subject(s) or it is obscured before the image/footage is published. Patrick Wheeler is a partner and Mette Marie Kennedy is a senior associate at Collyer Bristow LLP Image © Mohamed Hassan/Pixabay