Data Protection Act - Staying within the Law
Data Protection and Human Rights legislation are important considerations
for anyone designing, installing or using a CCTV system. Underpinning the
Data Protection Act 1998 are eight Data Protection Principles. In summary,
the principles require that personal data shall be: fairly and lawfully
processed; processed for limited purposes; adequate, relevant and not
excessive; accurate; not kept longer than necessary; processed in accordance
with the data subjects’ rights.
There are five areas
of CCTV design, installation, and operation that are directly affected by
the need to uphold these principles: Registration, Signage, System Design,
Recording, and Security.
Registration - The processing of personal data by means of a CCTV system is
covered by
the requirement to register with the Office of the Information Commissioner
under the Data Protection Act 1998. The definition of ‘computer’ includes
all electronic surveillance and storage systems whether analogue or digital,
standalone, networked or IP-based. Although there are allowable exemptions
to notification, no CCTV system is likely to qualify. For most
organisations, registration simply means adding an entry to an already
existing registration to cover the CCTV system and providing a document that
clearly states the following: the subject of the surveillance; its purpose
(such as crime reduction or monitoring of staff behaviour); the person(s)
responsible for processing data; all persons with access to the system.
Everyone with access to the system (including IT staff and third parties
such as the installer or maintenance company) should be identified.
Signage - It is
a requirement of the Information Commissioner's CCTV Code of Practice that
you must inform people that a CCTV system is in operation. It is normally
sufficient to erect an appropriately sized and positioned notice that will
be seen by people entering a surveillance area. However, this should say
more than ‘CCTV in operation’. The Act requires three conditions of signage
to be met. It should inform people of: the identity of the person or
organisation responsible for the scheme; the purposes of the scheme; details
of whom to contact regarding the scheme. Signage is not required if the
scheme is covert by design. However, under the CCTV Code of Practice, covert
recording is only allowed if the user of the scheme has identified specific
criminal activity, identified the need to use surveillance to obtain
evidence, assessed whether the use of signs would prejudice success in
obtaining evidence and assessed how long the covert monitoring shall take
place.
Design - It may not be immediately apparent that the Data Protection Act and
Human
Rights Act have any bearing on the design of a CCTV system. However, a key
data protection principle is that the use of data should be adequate,
relevant, and not excessive. A key requirement of the Human Rights Act is
the protection of personal privacy. This means that installers should be
careful on a number of counts: the number of cameras and camera angles
should be adequate for the purpose but not excessive; camera coverage should
not be invasive to the point of recording an unnecessary level of personal
detail; the positioning of cameras should respect personal privacy in
adjoining buildings through the appropriate use of physical screens and
privacy zones. Finally, the quality of images captured must be sufficiently
clear to achieve the stated objectives.
Recording -
Four data protection issues dominate the subject of recorded CCTV images –
traceability, retention, access, and privacy. To ensure confidentiality, all
images must be fully traceable. This means that for each image you must be
able to provide the following information: date and time of recording,
recording device and medium, and the name of the person responsible for the
recording.
A written log and
correctly labelled tapes can achieve this quite simply. For recordings to be
used in evidence, the audit trail for the recording must be complete. This
includes recording in a suitable log when images are removed from the system
for use in legal proceedings, why, by whom and to where they are being
moved. It is often heard in the industry that CCTV images should be retained
for no longer than 31 days. However, there is no statutory time limit except
that implied in the data protection principle that images should not be
‘kept longer than necessary’. The standard 31 day time period has emerged as
an example of good practice and is probably derived from the net 30 day
period in which retailers could expect a till transaction to be completed
satisfactorily.
Every individual or
‘subject’ has a right of access to recorded CCTV footage in which they
feature. The only exception to this right of access is where such a request
would compromise the detection or prevention of a crime, or where it may
impede the apprehension or prosecution of offenders. Putting this principle
into effect is not as straightforward as it sounds. This right of access has
the potential to be an onerous and expensive burden on the CCTV user. Under
the terms of the Data Protection Act, an organisation may only charge a
member of the public a maximum sum of £10.00 per application to undertake a
search for their recorded image. The cost of providing the means to view it
(whether recorded or printed) may be much more, for the image supplied must
not disclose the identity of any third party and may therefore require
editing. A carefully worded questionnaire as part of a standard procedure
will reduce nuisance requests, and will also enable the system operators to
access the information speedily. Digital images can be more readily edited
before printing to modify, mask, or delete third parties.
Security - Data
Security is a key data protection principle. Two issues are paramount: the
physical security of the system, recording environment and access to it; the
electronic security of the system, especially network and IP-based systems.
Tapes should be stored in lockable cabinets and access to the recording
environment, including to maintenance staff, restricted by means of a
written logbook. The Data Protection Act specifically prevents the
transmission of data outside of the European Economic Area (EEA) without
adequate protection. The EEA is defined as the Member States of the European
Union plus Iceland, Norway and Liechtenstein. If data is transmitted outside
the EEA, proving that there is adequate protection in place is best provided
by means of a contract between the data controllers in each country. Model
clauses can be found on the data protection web site.
Complying with the legislation -
The simplest way to ensure compliance with the Data Protection and Human
Rights Acts is to put in place a robust and thoughtful collection of
Standard Operating Procedures to govern the day-to-day operational aspects
of your CCTV system. By clearly defining who is to be under surveillance,
why, how and by whom, many of the requirements of modern privacy legislation
will be swiftly met. Unless stated in the Standard Operating Procedures, no
one, other than the Police, should have any access to the CCTV system or the
images it records. Once established, such watertight procedures should
ensure legislative compliance with the minimum of additional burden on the
organisation.
Information Commissioner's Office -
The Information Commissioner is an independent official appointed by the
Crown to oversee the Data Protection Act 1998 and the Freedom of Information
Act 2000. The Commissioner reports annually to Parliament. The
Commissioner’s decisions are subject to the supervision of the Courts and
the Information Tribunal.
Please visit http://www.informationcommissioner.gov.uk and select Data
Protection then CCTV Guidance for up-to-date information on current
legislation and additional guidance on CCTV operation under the Data
Protection Act.