The CCTV Code of Practice
As technology evolves, the law needs to keep up. The latest ICO guidance on the use of CCTV was published in 2008 and technology has since changed…
With the rapid onset of technology, the law needs to keep up with developments. The Information Commissioner's Office produced initial guidance on the use of CCTV and compliance with the Data Protection Act in 2000, which was updated in 2008. Even in that short period of time since 2008, technology has changed rapidly.
We now have portable technology such as Body Worn Video, ANPR (Automatic Number Plate Recognition), Automated Recognition Technologies and the increased use of Unmanned Aerial Systems (UAS) "drones". The latter has recently come to prominence with the amateur use of drones involved in near misses with civilian airliners. There have been concerns over their commercial use e.g. by surveyors to survey rooftops, with the potential for privacy intrusion i.e. people being recorded in their back gardens without authorisation.
CCTV itself is now being used to collect information which can inform other decisions, for instance local authorities are using it in order to determine the eligibility of a child to attend a particular school. Individuals have been using it to show poor practice within nursing homes, by leaving video recording equipment covertly within the establishment. Domestic CCTV systems can be bought for around £100, which may lead to images being taken of other people's property and activities, either deliberately or otherwise.
The increased use of CCTV and other forms of surveillance cameras have led to the strengthening of regulation through the passing of the Protection of Freedoms Act 2012 (POFA). This has led to the introduction of a new Surveillance Camera Code and the appointment of a Surveillance Camera Commissioner to promote good practice and compliance with the Code. The POFA code provides guidance on issues such as operational requirements, technical standards and the effectiveness of the systems available.
This article is primarily about the Data Protection Code of Practice for surveillance cameras and personal information. This is based on data protection principles. Since surveillance systems are used to monitor or record the activities of individuals, they process personal data. It does not cover surveillance systems for limited household purposes, e.g. a video of a child in a nativity play recorded for the family's own use; this is not covered by the Data Protection Act. The Code is primarily aimed at businesses and organisations which capture individuals' information on their surveillance systems. Covert surveillance activities of public authorities are governed by the Regulation of Investigatory Powers Act (RIPA) 2000 and not by this Code. Hence if an organisation is using surveillance systems, they need to consider the requirements of the Freedom of Information Act 2000, POFA, the Human Rights Act 1998, the Surveillance Camera Code of Practice, as well as the Data Protection Act 1998.
The code is divided into a number of sections, providing useful guidance.
Deciding when surveillance can assist and should be used
The code states that a user should decide whether such a system would be justified and is an effective solution, is it a proportionate response to whatever problem there is e.g. if cars had been damaged in a car park, should the lighting be improved as opposed to introducing CCTV? The Privacy Impact Assessment must be performed. Such a PIA would look at whether the proposed use has a lawful basis and is justified, necessary and proportionate.
The user has the responsibility for the control of the information being recorded, i.e., what is to be recorded, how information should be used and to whom it may be disclosed; i.e. the functions of the Data Controller under the Data Protection Act. This may have to be carefully considered if there are joint organisational responsibilities e.g., the use by the police of a "live feed" from a local authority owned camera. Once the division of responsibility has been agreed and the Data Controller identified, then it must be established as to who is processing the information? As always with data protection, procedures need to be carefully documented, responsibilities identified and proactive checks or audits carried out on a regular basis to ensure that procedures have been complied with. The use of the surveillance systems will need to be continually justified and reviewed.
Storage and use of recorded material
The information has to be properly protected, possibly via encryption. If data is to be stored using a cloud computing system, then the ICO's guidance on the use of cloud computing must be complied with. As always, extraneous and obsolete information must be deleted.
If appropriate law enforcement agencies are requesting access to this information then practical considerations must be addressed e.g. how easy it is to take copies off the system of the recording, can it be provided in a suitable format, would it comply with designated standards, how easy is it to use? In certain situations, particular sensitivity must be borne in mind. For example, if images have been recorded in a changing room, it may be more appropriate to only view recorded images after an incident has occurred.
A law enforcement agency may request access to surveillance information in order to prevent and detect crime. Information may be released to the media for identification purposes in criminal cases, but this should not be done by anyone other than a law enforcement agency. In any event, the Data Controller needs to consider very carefully whether identifying features of third parties, other than someone who has made a Subject Access Request, need to be obscured or not at all on CCTV to be released.
Subject Access Request
The usual £10 fee under the Data Protection Act applies and information should be supplied within 40 calendar days of receiving a request. An individual can require a copy of information in permanent form if the surveillance footage constitutes their personal data, unless they agree to simply view the footage, or to produce it is either not possible or would involve disproportionate effort. The ICO Subject Access Code makes it clear that the latter is only likely to be relevant in exceptional circumstances. Clearly, steps may need to be taken to obscure identities of third parties captured in the footage.
Freedom of Information Act
If the Data Controller is a public authority, they may receive a request under the FOIA. When such a request is received then the Data Controller will have to ask:-
- Is the information personal data of the requestor? If so then it should be treated as data protection Subject Access Request; or
- Is the information personal data of other people? If so then it can only be disclosed if to do so would not breach the data protection principles. It may be possible to obscure the images of third parties, which would allow disclosure.
This will depend upon how the information is being used. For example, a small CCTV system in a pub may only need to retain images for a short period of time because often incidents come to light very quickly, unless of course a crime has been reported to the Police, and it may need to be retained until collected by the Police.
Staying in control
Individuals will need to be told how they can make a Subject Access Request, be given a copy of the Code or details of the IOC website, and details of how to make a complaint if they are affected by the system in place. Staff clearly need to be properly trained in respect of handling information securely, dealing with Subject Access Requests and with requests from law enforcement agencies. The information also must be clearly stored.
Selecting and siting surveillance systems
It is important that unnecessary images are not reviewed or recorded. For example, has the camera location been carefully chosen to minimise viewing spaces that are not of relevance for the purposes for which CCTV is being used?
Surveillance technology other than CCTV systems
Automated Number Plate Recognition
The Data Controller must ensure that the system in use is appropriate. For example, is the system just recording vehicle registration marks, or is it recording images of vehicles' occupants ?
Body Worn Video
It is likely be more intrusive than normal CCTV because of its mobility. It is unlikely that continuous recording could be justified i.e. because it may be recording people going around their daily business in addition to the individual who is the focus of your attention. The presence of audio recording adds further to the privacy intrusion, and hence can be more difficult to justify. Care must be taken when using such devices in private dwellings, schools and care homes.
Unmanned Aerial Systems (UAS)
They are often referred to as drones. If they are used purely for domestic purposes by "hobbyists" they will be treated differently from organisations using the devices for professional or commercial purposes. The latter operators will need to comply with data protection obligations, and although it is good practice if domestic users are aware of the potential privacy intrusion which the use of UAS can cause, and to make sure they are used in a responsible manner. It is important that the recording technology can be turned on and off, in order to limit the potential for the cameras to capture large numbers of individuals from a significant height.
One challenge is to provide fair processing information i.e. informing individuals that they are being recorded. UAS operators may have to wear high visible clothing to identify themselves, place signage in the area that the UAS is operating, and place a privacy notice on a website to which they can direct people.
Automated Recognition Technologies
Such technology is used to identify individuals' faces, the way they walk or their eye movements, when for example looking at advertisements. If this is to be used then the operator must provide fair processing information to data subjects.
As previously mentioned, this could be difficult if the surveillance system is airborne or in the case of ANPR, if it is not visible at ground level; the user must make all reasonable efforts to provide fair processing of information. An individual will have a right of subject access and need to be informed as to how to make such a request.
Using the equipment
The Code states it is important that the surveillance system produces information that is of a suitable quality to meet the purpose for which it is installed, and must not have excessive technological capabilities e.g., to record conversations between members of the public as this is likely to be highly intrusive and unjustifiable, and only justifiable in a very small percentage of circumstances. The ICO issued an enforcement notice to Southampton City Council ordering it to stop requiring taxis to carry out continuous video and audio recording . This decision was supported by the First Tier Tribunal (Information Rights) as they considered it to be a breach of the First Principle of DPA, and not justifiable under Article 8 of the Human Rights Act.
Letting people know
Prominently placed signs are to be placed at the entrance to the surveillance system zone. As a general rule, signs should be more prominent and frequent in areas where people are less likely to expect that they will be monitored by a surveillance system. Such signs should be large and visible, contain details of the organisation operating the system and how to contact them. This can be particularly important on roads with signage being able to be read by the driver at high speed.
Staff need to be aware that they should be able to recognise a request from an individual, to prevent processing likely to cause substantial and unwarranted damage or distress (Section 10 DPA) ,and one to prevent automated decision taking in relation to the individual (Section 12 DPA).
This is a rapidly developing area of the law due to increase in use and sophistication of surveillance technology, and its possible infringements upon individuals' privacy. The message from the ICO appears to be that yes, these can be useful tools in various organisations, but they must be used with care, observing the data protection principles, in particular ensuring that the use is proportionate and justifiable, and that people are made aware that such surveillance and storage of information is taking place.