C.C.T.V. Data Protection
If you require more information on Data Protection contact
- The Office of the Data Protection Commissioner Tel (01625-545700)
or visit http://www.dataprotection.gov.uk
Staying within the Law
Data Protection and Human Rights legislation are important
considerations for anyone designing, installing or using a
CCTV system. However, there’s much more involved than
is sometimes supposed. In some key respects, you may be surprised
as to what the legislation specifically requires. Here we
provide our step-by-step guide to ‘staying within the
law’.
Underpinning the Data Protection Act 1998 are eight Data
Protection Principles. In summary, the principles require
that personal data (which means, broadly, data relating to
a living individual) shall be:
• fairly and lawfully processed
• processed for limited purposes
• adequate, relevant and not excessive
• accurate
• not kept longer than necessary
• processed in accordance with the data subjects’
rights
• secure
• not transferred to countries outside of the European
Economic Area without adequate protection
There are five areas of CCTV design, installation, and operation
that are directly affected by the need to uphold these principles:
Registration, Signage, System Design, Recording, and Security.
Registration
The processing of personal data by means of a CCTV system
is covered by the requirement to register with the Office
of the Information Commissioner under the Data Protection
Act 1998. The definition of ‘computer’ includes
all electronic surveillance and storage systems whether analogue
or digital, standalone, networked or IP-based. Although there
are allowable exemptions to notification, no CCTV system is
likely to qualify.
For most organisations, registration simply means adding an
entry to an already existing registration to cover the CCTV
system and providing a document that clearly states the following:
• the subject of the surveillance
• its purpose (such as crime reduction or monitoring
of staff behaviour)
• the person(s) responsible for processing data
• all persons with access to the system
Everyone with access to the system (including IT staff and
third parties such as the installer or maintenance company)
should be identified. It is good practice to register during
the early days of the installation to ensure that all system
testing complies with the Act from the day of commissioning.
Signage
It is a requirement of the Information Commissioner's CCTV
Code of Practice that you must inform people that a CCTV system
is in operation. It is normally sufficient to erect an appropriately
sized and positioned notice that will be seen by people entering
a surveillance area. However, this should say more than ‘CCTV
in operation’. The Act requires three conditions of
signage to be met. It should inform people:
• The identity of the person or organisation responsible
for the scheme
• The purposes of the scheme
• Details of whom to contact regarding the scheme
Signage is not required if the scheme is covert by design.
However, under the CCTV Code of Practice, covert recording
is only allowed if the user of the scheme has identified specific
criminal activity, identified the need to use surveillance
to obtain evidence, assessed whether the use of signs would
prejudice success in obtaining evidence and assessed how long
the covert monitoring shall take place.
Documenting and filing the above is good practice. Although
adequate signage is a requirement of the CCTV Code of Practice,
it is not – as is often supposed - a requirement for
a successful prosecution.
Design
It may not be immediately apparent that the Data Protection
Act and Human Rights Act have any bearing on the design of
a CCTV system. However, a key data protection principle is
that the use of data should be adequate, relevant, and not
excessive. A key requirement of the Human Rights Act is the
protection of personal privacy. This means that installers
should be careful on a number of counts:
• the number of cameras and camera angles should be
adequate for the purpose but not excessive
• camera coverage should not be invasive to the point
of recording an unnecessary level of personal detail
• the positioning of cameras should respect personal
privacy in adjoining buildings through the appropriate use
of physical screens and privacy zones Individuals must be
consulted if such private areas are caught on camera.
Finally, the quality of images captured must be sufficiently
clear to achieve the stated objectives.
Recording
Four data protection issues dominate the subject of recorded
CCTV images:
I. Traceability
II. Retention
III. Access
IV. Privacy.
To ensure confidentiality, all images must be fully traceable.
This means that for each image you must be able to provide
the following information: date and time of recording, recording
device and medium, and the name of the person responsible
for the recording. This need not be onerous – a written
log and correctly labelled tapes can achieve this quite simply.
For recordings to be used in evidence, the audit trail for
the recording must be complete. This includes recording in
a suitable log when images are removed from the system for
use in legal proceedings, why, by whom and to where they are
being moved.
It is often heard in the industry that CCTV images should
be retained for no longer than 31 days. However, there is
no statutory time limit except that implied in the data protection
principle that images should not be ‘kept longer than
necessary’. The standard 31 day time period has emerged
as an example of good practice and is probably derived from
the net 30 day period in which retailers could expect a till
transaction to be completed satisfactorily.
In reality, the appropriate time limit will vary from industry
to industry. The defining concept must be one of reasonableness
– what is a reasonable time period in which to expect
an individual to report an incident that might require recourse
to the recorded CCTV images?
In a health and safety environment such as a leisure club
or factory, the period of time might be two months. In the
case of retail, it may be as short as two weeks. In the case
of a public bar, it could be seven days or less.
Every individual or ‘subject’ has a right of
access to recorded CCTV footage in which they feature. The
only exception to this right of access is where such a request
would compromise the detection or prevention of a crime, or
where it may impede the apprehension or prosecution of offenders.
Putting this principle into effect is not as straightforward
as it sounds. This right of access has the potential to be
an onerous and expensive burden on the CCTV user. Under the
terms of the Data Protection Act, an organisation may only
charge a member of the public a maximum sum of £10.00
per application to undertake a search for their recorded image.
The cost of providing the means to view it (whether recorded
or printed) may be much more, for the image supplied must
not disclose the identity of any third party and may therefore
require editing.
A carefully worded questionnaire as part of a standard procedure
will reduce nuisance requests, and will also enable the system
operators to access the information speedily. Printed digital
images are more readily modified prior to actual printing
to modify, mask, or delete third parties.
Security
Data Security is a key data protection principle. Two issues
are paramount:
• the physical security of the system, recording environment
and access to it
• the electronic security of the system, especially
network and IP-based systems
Tapes should be stored in lockable cabinets and access to
the recording environment, including to maintenance staff,
restricted by means of a written logbook.
The Data Protection Act specifically prevents the transmission
of data outside of the European Economic Area (EEA) without
adequate protection. The EEA is defined as the Member States
of the European Union plus Iceland, Norway and Liechtenstein.
If data is transmitted outside the EEA, proving that there
is adequate protection in place is best provided by means
of a contract between the data controllers in each country.
Model clauses can be found on the data protection web site.
This aspect of the legislation will become increasingly important
with the anticipated rapid growth in IP-based systems.
Complying with the legislation
The simplest way to ensure compliance with the Data Protection
and Human Rights Acts is to put in place a robust and thoughtful
collection of Standard Operating Procedures to govern the
day-to-day operational aspects of your CCTV system. For smaller
systems, the Information Commissioner's checklist provided
here is sufficient.
By clearly defining who is to be under surveillance, why,
how and by whom, many of the requirements of modern privacy
legislation will be swiftly met. Unless mentioned specifically
in the SOPs, no one, other than the Police, should have any
access to the CCTV system or the images it records. Once established,
such watertight procedures should ensure legislative compliance
with the minimum of additional burden on the organisation.
Disclaimer
" This guide contains only a brief summary only of the
legislation related to CCTV systems. It is intended for informational
purposes only and is not legal advice, and any legal advice
required by you should be obtained from your legal advisers."
If you require more information on Data Protection contact-
The Office of the Data Protection Commissioner
Tel (01625-545700)
http://www.dataprotection.gov.uk
C.C.T.V Glossary
|
Homepage