Data Protection Act 1998 - CCTV Code Of Practice
The United Kingdom has now, for the first time, introduced legislation covering the use and management of Closed Circuit TV (CCTV) surveillance systems.
There was no statutory basis for systematic legal control of CCTV surveillance over public areas until 1st March 2000 when the Data Protection Act came into force including a CCTV Code of Practice.
As with any new legislation various interpretations of the Act will no doubt occur and the Act will be revised on a regular basis to take account of technical developments and interpretations.
The following information is therefore given as a brief overview and general guide to the Act in relation to CCTV. However, CCTV users and data controllers should not rely solely on this brief overview and should acquaint themselves with the full provisions of the Act. Full details can be found at http://www.ico.gov.uk/
Note: Follow the sections "Guidance and other Principles" then "Codes of Practice our Responses and other Papers" and finally "CCTV Code of Practice".
The Code of Practice is intended to provide guidance to good practice and applies to all systems regardless of size or purpose with the exception of the following:
- Targeted and intrusive surveillance activities, which are covered by the provisions of the forthcoming Regulation of Investigatory Powers Act.
- The use of surveillance techniques by employers to monitor their employees' compliance with their contracts of employment (to be covered by the Code of Practice on use of employee personal data).
- Security equipment (including cameras) installed in homes by individuals for home security purposes.
- Use of cameras and similar equipment by broadcast media for the purposes of journalism, or for artistic or literary purposes.
It follows therefore that the Act will require compliance by most CCTV users, e.g. shops, offices, businesses, factories, schools, industrial sites, town centres, passenger vehicles, public houses, shopping centres, sports grounds, entertainment centres etc.
The Code of Practice is drafted in two parts.
Part 1 sets out the standards which must be met if the requirements of the 1998 Act are to be complied with.
Part 2 sets out the interpretation of the 1998 Act and should be cross-referenced with Part 1 to clarify how different parts of the Act apply.
DATA PROTECTION PRINCIPLES
The Act lays down eight Data Protection 'principles' with which any relevant CCTV system must comply.
- Requires that "personal data be fairly and lawfully processed" e.g. with the subjects' consent or because it is necessary to do so for the purposes of the prevention and detection of unlawful acts.
- Requires that "personal data be obtained only for one or more specific and lawful purposes and not further processed for incompatible purposes" e.g. - video of incidents obtained for the prevention or detection of crime may not be released to a third party for entertainment purposes.
- Requires that "personal data be adequate, relevant and not excessive" e.g. a camera sited to record vehicles in a car park should not obtrusively overlook private residences.
  Please note: This principle requires recorded images etc. to be 'adequate'. It follows that blurred or indistinct images from degraded tapes or poorly maintained equipment will not prove legally sound evidence and may well fail this principle by being inadequate for the purpose.
- Requires that "personal data be accurate and where necessary kept up to date" e.g. any time, date or location reference recorded and stored with the data in question (video tape etc.) must be accurately maintained, and only good quality tapes etc. should be used for recording, 'cleaned' prior to use so that recordings are not made over existing images.
  Once again proper maintenance of equipment is essential in this respect.
- Requires that "personal data will not be kept for longer than is necessary" e.g. recorded images of an incident may be kept only so long as is necessary to conclude all matters relating to that incident. In general recorded images do not need to be retained longer than 31 days.
- Requires that "personal data be processed in accordance with the rights of the data subject under the Data Protection Act 1998" e.g.
  - The right to be provided, in appropriate circumstances, with a copy of the information constituting the personal data held about them.
  - The right to prevent processing which is likely to cause damage or distress (see Section 2 of the 1998 Act).
  - The rights in relation to automated decision taking (see Section 12 of the 1998 Act).
- Requires that "appropriate technical and organisational measures be taken to prevent unauthorised/unlawful processing of data or accidental loss or destruction of, or damage to, personal data" e.g. proper care and control of recorded data is important, including controlled access to CCTV control areas, use of log books recording details of video usage, use of a well thought out and secure storage facility for recorded data etc.
- Requires that personal data not be transferred to a country or territory outside of the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
USER RESPONSIBILITIES
1. Initial Assessment
Before installing and using CCTV and similar surveillance equipment, users will need to establish the purpose(s) for which they intend to use the equipment, who is responsible for the scheme and what documentation needs to be put into place in order to comply with the Act.
This initial assessment should also ensure that the notification lodged with the Data Protection Commissioner covers the purpose for which the system is to be used.
2. Siting of Cameras
It is essential that the location of equipment is carefully considered in order that any captured images will comply with the Act including:-
- Equipment should be sited in such a way that it only monitors those areas which are intended to be covered (1st and 3rd Principle).
- If domestic areas or other areas not intended to be covered by the scheme will, by virtue of the scope of observation, fall within the area covered, the user should consult with the owner or occupier of such areas (1st and 3rd Principles).
- Operators must be aware of the purpose(s) of the scheme (2nd and 7th Principles).
- Operators must be aware that they are only able to use the equipment in order to achieve the purpose(s) for which it was installed (1st and 2nd Principles).
- If cameras are able to be adjusted (Pan/Tilt/Zoom) by operators, such adjustment should be limited to restrict observation of areas not intended to be covered by the scheme (1st and 3rd Principles).
- If it is not possible to restrict the adjustment as in 'c' above then operators should be trained in recognising privacy implications of those areas (1st and 3rd Principles).
- Signs should be placed so that the public are aware that they are entering an area covered by surveillance equipment (1st Principle).
- The signs need to be of an appropriate size e.g. signs on an entrance door to a building need only be A4 if at eye level to those entering whereas signs on a fence to a car park would need to be A3 or larger depending on viewing distance.
- The signs should contain the following information:
  - The identity of the person or organisation responsible for the scheme.
  - The purpose of the scheme.
  - Details (including telephone number) of who to contact regarding the scheme.
- In exceptional cases, if it is assumed that the use of signs would not be appropriate e.g. in a covert surveillance situation, the user of the scheme must ensure that they have:
  - Identified specific criminal activity.
  - Identified the need to use surveillance to obtain evidence of that criminal activity.
  - Assessed whether the use of signs would produce success in obtaining such evidence.
  - Assessed how long the covert monitoring should take place to ensure that it is not carried out for longer than is necessary.
- Information obtained in circumstances as at 'j' above must only be used for the prevention or detection of criminal activity or the apprehension and prosecution of offenders and not for civil proceedings or disciplinary matters.
3. Quality of Images
It is important that the quality of images from any scheme is as clear as possible in order that they are effective for the purpose(s) intended. For this reason it is essential that the purpose of the scheme is clearly identified.
The following considerations are specifically identified within the Act.
- Upon installation checks should be made to ensure the equipment operates correctly.
- If tapes are used to record images they must be of good quality (3rd and 4th Principles).
- The medium (e.g. tape or digital storage) upon which images are captured should be 'cleaned' prior to use so that images are not recorded over previously recorded images (3rd and 4th Principles).
- The medium upon which images are captured must not be used if the quality of recorded image has deteriorated e.g. due to old or worn tapes etc. (3rd Principle).
- If the system is recording features such as time and date etc. these must be accurate and a procedure put in place to verify this (3rd and 4th Principle).
- Cameras should be sited so as to capture images relevant to the purpose e.g. if a camera is installed to simply monitor traffic flow - it would not be appropriate to capture details of the drivers (3rd and 4th Principle).
- If an automatic facial recognition system is used to match captured images against a database of images, then both sets of images should be clear enough to ensure an accurate match (3rd and 4th Principles).
- If an automatic facial recognition system as in 'G' above is used, procedures should be set up to ensure the 'match' is also verified by a human operator who will determine what action should be taken. This should be documented (1st and 7th Principles). (Automated decision taking is an issue here).
- Consideration must be given to the physical conditions in which cameras are located which may affect the image quality e.g. in poorly lit areas I.R. lamps or other illumination may be required.
- Consideration should be given as to whether constant recording is required or whether the purpose for which the system is installed is only relevant at given times e.g. out of working hours (3rd and 4th Principles).
- Cameras should be protected against vandalism where possible (7th Principle).
- A maintenance log should be kept (3rd, 4th, 5th and 7th Principles).
- If a camera is damaged there should be procedures for:
a) Defining who is responsible for making arrangements for the repair.
b) Ensuring that the camera is fixed within a specific time period.
c) Monitoring the quality of maintenance work.
(3rd and 4th Principles)
4. Processing of Images
Images which are not required for the purpose(s) of the scheme should not be retained for longer than is necessary. However, whilst images are retained it is essential that their integrity is maintained.
The following considerations are specifically mentioned in the Act:
- Images should not be retained longer than is necessary e.g. images recorded in a normal shop environment may be kept reasonably for 31 days unless needed longer for evidential purposes; however, images protecting ATMs might need to be retained for three months in order to resolve customer disputes about cash withdrawals (5th Principle).
- Once the retention period has expired the images should be removed or erased (5th Principle).
- If images are retained for evidential purposes, they should be retained in a secure environment and access to them be controlled (5th and 7th Principles).
- On removing the medium (e.g. tapes) on which images have been recorded for the use in legal proceedings, the operator should ensure that they have documented:-
  - The date images were removed.
  - The reason why.
  - Any crime incident number.
  - The location they were removed to (e.g. the collecting Police Officer and their Police Station).
  - The signature of the person collecting.
  (3rd and 7th Principles)
- Monitors displaying images from areas in which individuals would have an expectation of privacy should not be able to be viewed by anyone other than authorised persons (7th Principle).
- Access to recorded images should be restricted to authorised personnel who will in turn control requests for access by third parties in accordance with documented policies (7th Principle).
- Viewing of recorded images should take place in restricted areas e.g. out of sight of other non-involved persons (7th Principle).
- All persons with access to images should be aware of the procedures to be followed when accessing images (7th Principle).
- All operators should be trained in their responsibilities under this Code of Practice namely:-
  - The User's Access Policy and Procedures.
  - The User's Disclosure Policy.
  - Rights of individuals in relation to their recorded images.
  (7th Principle)
5. Access to and Disclosure of Images to Third Parties
It is important that access to and disclosure of CCTV surveillance images is strictly and carefully controlled to ensure the individual's privacy rights are maintained and also to ensure the chain of evidence remains intact.
All users should be aware of the restrictions set out in this Code of Practice including:-
- Access to recorded images should be restricted to those staff who need to have access to achieve the 'purpose' of the scheme (7th Principle).
- All access to the medium on which images are stored (e.g. tapes) should be documented (7th Principle).
- Disclosure of the recorded images to third parties should only be made in limited and prescribed circumstances and in accordance with the 'purpose' of the scheme (2nd and 7th Principles).
- All requests for access or disclosure should be recorded. If access or disclosure is denied, the reason should be documented (e.g. if disclosure was prejudicial to criminal enquiries). If access was allowed the following should be recorded:
  - The date and time of access.
  - The identity of those given access.
  - The reason for allowing access.
  - The extent of access.
  (7th Principle)
- Recorded images should not normally be made more widely available e.g. not given free access to the media or the internet (2nd, 7th and 8th Principles).
- If it is intended that images will be made more widely available, that decision should be made by the Manager or designated member of staff and the reason documented (7th Principle).
- If it is decided that images will be disclosed to the media (other than in circumstances outlined above) the images of individuals will need to be blurred or otherwise disguised so they are not readily identifiable (1st, 2nd and 7th Principles).
- If images need to be disguised as in (g) above and this is undertaken by a third party specialist then the following considerations should apply:
  - A contractual relationship exists between the Data Controller and the editing company.
  - The editing company gives appropriate guarantees regarding security of images.
  - The Data Controller is satisfied any such guarantees are met.
  - A written contract makes it explicit that the editing company may only use the images in accordance with the Data Controller's instructions.
  - A written contract makes the security guarantees explicit.
  (7th Data Principle)
6. Access by Data Subjects
This is a right which is provided by Section 7 of the 1998 Act, the outline standards of which are as follows:-
- All staff involved in operating the equipment must be able to recognise a request for access to recorded images by data subjects (6th and 7th Principles).
- Data subjects requesting access should be provided with a standard subject Access Request form which:-
  - Indicates the information required to locate images requested (e.g. date and time etc.)
  - Indicates the information required to identify the data subject (e.g. a photograph, details of clothing etc.)
  - Indicates any fee that may be charged (max £10.00).
  - Asks if the data subject would be satisfied with merely viewing the recorded images.
  - Indicates the request will be dealt with promptly and in any event within 40 days of receiving the information and fee as above.
  - Explains the rights provided by the 1998 Act.
- Individuals should be provided with a leaflet which describes the types of images, how they are recorded and retained, together with the Disclosure Policy. This information should be provided at the same time as the Access Request form in (b) above.
- The access request should be dealt with by a Manager or other designated member of staff who will also be responsible for locating the images required.
- The Manager or designated member of staff should determine whether disclosure to the individual would entail disclosing images of third parties and if so whether such images are held under a Duty of Confidence (1st and 6th Principles).
- If third party images are not to be disclosed then arrangements as in 4h above will need to be considered (7th Principle).
- If the Manager or designated member of staff decides that a subject Access Request is not to be complied with the following should be documented:
  - The identity of the person making the request.
  - The date of the request.
  - The reason for refusing to supply the images requested.
  - The name and signature of the person making such a decision.
- All staff should be aware of individuals' rights under this section of the Code of Practice (7th Principle).
7. Other Rights
- All staff involved in operating the equipment must be able to recognise a request for an individual to:-
  - Prevent processing likely to cause substantial and unwarranted damage to the individual (see Section 10 of the 1998 Act).
  - Relevant automated decision taking in relation to that individual (see Section 12 of the 1998 Act).
- All staff must be aware of the Manager or designated member of staff who is responsible for responding to such requests.
- In relation to a request by an individual to prevent processing likely to cause substantial and unwarranted damage the Manager or designated person should indicate whether they will comply with the request.
- The Manager or designated person must provide a written response to the individual's request within 21 days of receiving the request setting out their decision.
- If the request is not to be complied with the reasons must be given.
- A copy of the request and response should be retained.
- If an automated decision is made (e.g. in facial recognition systems) about an individual that individual must be informed.
- If, within 21 days of that notification, the individual requires, in writing, the decision to be reconsidered the Manager or designated person will reconsider the automated decision.
- On receipt of a request to reconsider an automated decision the Manager or designated person will respond within 21 days setting out the steps they intend to take to comply with the request and the following should be documented:
  - The original decision.
  - The request details from the individual.
  - The response given to the request.
8. Monitoring Compliance with the Code of Practice
- The contact point indicated on the sign should be available to members of the public during office hours. Persons staffing the contact point should be aware of the policies and procedures governing the system.
- Enquirers should be provided on request with one or more of the following:-
  - The leaflet which individuals receive when they make a Subject Access request.
  - A copy of the Data Protection Act Code of Practice.
  - A Subject Access form if required or requested.
  - The complaints procedure to be followed if they have concerns about the use of the system or any non-compliance with the Act.
- A complaints procedure should be clearly documented.
- A record of the number and nature of complaints or enquiries received should be maintained together with an outline of the action taken.
- A report should be periodically produced collating the information in 'd' above to assess public reaction and opinion on the use of the system.
- A Manager or designated person should undertake regular reviews of the documented procedures to ensure that the provisions of the Code of Practice are being met (7th Principle).
- A report on item 'f' above should be provided to the Data Controller(s) in order that compliance with legal obligations can be monitored.
- An internal annual assessment should be undertaken to evaluate the effectiveness of the system and assessed against the purpose of the scheme.