Staying within the law (Copyright Norbain SD Ltd)
Data Protection and Human Rights legislation are important considerations for anyone designing, installing or using a CCTV system. However, there's much more involved than is sometimes supposed. In some key respects, you may be surprised as to what the legislation specifically requires. Here we provide our step-by-step guide to 'staying within the law'.
Underpinning the Data Protection Act 1998 are eight Data Protection Principles. In summary, the principles require that data shall be:
1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
5. not kept longer than necessary
6. processed in accordance with the data subjects' rights
8. not transferred to countries outside of the European Economic Area without adequate protection
There are five areas of CCTV design, installation, and operation that are directly affected by the need to uphold these principles: Registration, Signage, System Design, Recording, and Security.
The processing of personal data by means of a CCTV system is covered by the requirement to register with the Office of the Information Commissioner under the Data Protection Act 1998. The definition of 'computer' includes all electronic surveillance and storage systems whether analogue or digital, standalone, networked or IP-based. Although there are allowable exemptions to notification, no CCTV system is likely to qualify.
For most organisations, registration simply means adding an entry to an already existing registration to cover the CCTV system and providing a document that clearly states the following:
a) the subject of the surveillance
b) its purpose (such as crime reduction or monitoring of staff behaviour)
c) the person(s) responsible for processing data
d) all persons with access to the system
Everyone with access to the system (including IT staff and third parties such as the installer or maintenance company) should be identified. It is good practice to register during the early days of the installation to ensure that all system testing complies with the Act from the day of commissioning.
It is a requirement of the Data Protection Act that you must inform people that a CCTV system is in operation. It is normally sufficient to erect an appropriately sized and positioned notice that will be seen by people entering a surveillance area.
However, this should say more than 'CCTV in operation'. The Act requires three conditions of signage to be met. It should inform people:
a) The identity of the person or organisation responsible for the scheme
b) The purposes of the scheme
c) Details of whom to contact regarding the scheme
Signage is not required if the scheme is covert by design. However, covert recording is only allowed if it can be shown that informing subjects of the recording will compromise your objectives, is carried out for a limited time or is required because you have reasonable grounds to suspect specific criminal activity is taking place. Although adequate signage is a requirement of the Data Protection Act, it is not - as is often supposed - a requirement for a successful prosecution.
It may not be immediately apparent that the Data Protection Act and Human Rights Act have any bearing on the design of a CCTV system. However, a key data protection principle is that the use of data should be adequate, relevant, and not excessive. A key requirement of the Human Rights Act is the protection of personal privacy. This means that installers should be careful on a number of counts:
a) the number of cameras and camera angles should be adequate for the purpose but not excessive
b) camera coverage should not be invasive to the point of recording an unnecessary level of personal detail
c) the positioning of cameras should respect personal privacy in adjoining buildings through the appropriate use of physical screens and privacy zones; individuals must be consulted if such private areas are caught on camera.
Finally, the quality of images captured must be sufficiently clear to achieve the stated objectives.
Four data protection issues dominate the subject of recorded CCTV images - traceability, retention, access and privacy.
To ensure confidentiality, all images must be fully traceable. This means that for each image you must be able to provide the following information: date and time of recording, recording device and medium and the name of the person responsible for the recording. This need not be onerous - a written log and correctly labelled tapes can achieve this quite simply.
For a recording to be used in evidence, the audit trail for the recording must be complete. This includes recording in a suitable log when images are removed from the system for use in legal proceedings, why, by whom and to where they are being moved.
It is often heard in the industry that CCTV images should be retained for no longer than 31 days. However, there is no statutory time limit except that implied in the data protection principle that images should not be 'kept longer than necessary'. The standard 31 day time period has emerged as an example of good practice and is probably derived from the net 30 day period in which retailers could expect a till transaction to be completed satisfactorily.
In reality, the appropriate time limit will vary from industry to industry. The defining concept must be one of reasonableness - what is a reasonable time period in which to expect an individual to report an incident that might require recourse to the recorded CCTV images?
In a health and safety environment such as a leisure club or factory, the period of time might be two months. In the case of retail, it may be as short as two weeks. In the case of a public bar, it could be seven days or less.
Every individual has a right of access to recorded CCTV footage in which they feature. The only exception to this right of access is where such a request would compromise the detection or prevention of a crime or where it may impede the apprehension or prosecution of offenders.
Putting this principle into effect is not as straightforward as it sounds. This right of access has the potential to be an onerous and expensive burden on the CCTV user. Under the terms of the Data Protection Act, an organisation may only charge a member of the public £10.00 per application to undertake a search for their recorded image. The cost of providing the means to view it [whether recorded or printed] may be much more, for the image supplied must not disclose the identity of any third party and may therefore require editing.
Data Security is a key data protection principle. Two issues are paramount:
a) the physical security of the system, recording environment and access to it
b) the electronic security of the system, especially network and IP-based systems
Tapes should be stored in lockable cabinets and access to the recording environment, including to maintenance staff, restricted by means of a written logbook.
The Data Protection Act specifically prevents the transmission of data outside of the European Economic Area [EEA] without adequate protection. The EEA is defined as the Member States of the European Union plus Iceland, Norway and Liechtenstein. Proving that there is adequate protection in place is best provided by means of a contract between the data controller in each country. Model clauses can be found on the data protection web site. This aspect of the legislation will become increasingly important with the anticipated rapid growth in IP-based systems.
COMPLYING WITH THE LEGISLATION
The simplest way to ensure compliance with the Data Protection and Human Rights Acts is to put in place a robust and thoughtful collection of Standard Operating Procedures to govern the day-to-day operational aspects of your CCTV system. For smaller systems, the checklist provided here is sufficient.
By clearly defining who is to be under surveillance, why, how and by whom, many of the requirements of modern privacy legislation will be swiftly met. Unless mentioned specifically in the SOPs, no one, other than the Police, should have any access to the CCTV system or the images it records. Once established, such watertight procedures should ensure legislative compliance with the minimum of additional burden on the organisation.
For further information:
CCTV Code of Practice available from the Information Commissioner or it may be downloaded from www.dataprotection.gov.uk
Telephone Helpline of the Information Commissioner:
Tel: 01625 545745