At Security Group we can support you to meet your data protection obligations, which can be done by using the framework of the Surveillance Camera Code of Practice and its 12 Guiding Principles. As a SSAIB-accredited CCTV installer we believe in meeting the highest standards of compliance we can and helping customers do the same when we install a surveillance camera system for them.
The Surveillance Camera Code of Practice has been updated recently to reflect the latest legal changes around data protection law. To be compliant you must adhere to the rules of the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018 (DPA 2018). In addition, for law enforcement processing, part 3 of the DPA 2018 needs to be complied with, which is separate from the UK GDPR regime.
Take data protection seriously and register with the ICO if you have CCTV
Data protection law, which is centred on people’s right to privacy, is regulated by the Information Commissioner’s Office (ICO) in the UK. John Edwards, previously New Zealand Privacy Commissioner, became the UK Information Commissioner in January this year, succeeding Elizabeth Denham who held the office from July 2016.
If your organisation has a commercial CCTV system you will need to register with the ICO if you have not already done so. Unlike the Biometrics and Surveillance Camera Commissioner Professor Fraser Sampson the ICO has enforcement powers, including the power to issue fines.
The CCTV footage that is recorded of people is classed as their personal data and so it gives them rights over it and obligations you must follow. By following a systematic approach to that data, you can demonstrate to your customers, staff, members, and visitors how seriously you take your data protection obligations.
To help our customers ensure they are following data protection law we offer them the CCTV Logbook cloud-software. Its compliance package follows the 12 Guiding Principles of the Surveillance Camera Code of Practice. The Principles are outlined below with details of how they relate to your data protection obligations.
Principle 1 – Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
In the Code this relates to the use of cameras in a public place. Legitimate aims include national security, public safety, the economic well-being of the country, the prevention of disorder or crime, the protection of health, or the protection of the rights and freedoms of others.
Article 5 of the UK GDPR sets out seven key principles that need to be part of your approach to processing personal data. One of these principles is “purpose limitation” which means you must:
- be clear from the outset why you are collecting personal data and what you intend to do with it;
- comply with your documentation obligations to specify your purposes.
Additionally, the UK GDPR made the concept of data protection by design and default a legal requirement. For organisations the requirement includes the need to consider data protection issues as part of the design and implementation of any system and make data protection an essential component of the core functionality of processing systems. When deciding to install a CCTV system and outlining its purpose data protection must be considered.
Adhering to the “purpose limitation” requirement of the ICO the Surveillance Camera Code of Practice states that if you change the purpose you “you can only use the personal data for a new purpose if either this is compatible with your original purpose, you get consent from individuals, or you have a clear obligation or function set out in law.”
In a guide for organisations considering CCTV The ICO says, “If you plan to use CCTV but you’re worried that people might complain to the ICO when you tell them it’s there, you should probably consider other security options before making the investment.”
In further advice the ICO states CCTV shouldn’t be running in areas considered private – such as in toilets and changing room as in most cases, using CCTV here wouldn’t be fair or proportionate, meaning it wouldn’t be compliant. Additionally, if you employ staff, you should listen to any concerns they may have about being filmed.
“If you install CCTV for security reasons, it may not be fair on your staff to use it to monitor or discipline them without warning. If you want to use CCTV to monitor your staff, you’ll need to make this clear to them and have a strong reason for doing so. Staff members can complain to the ICO if they feel you’re using CCTV unfairly,” the ICO states.
Principle 2 – The user of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
The ICO states that if you are considering installing CCTV your first consideration must be about how you will respect people’s privacy and how the system will impact them.
For instance, you should also consider carefully if you need audio. While many cameras can record sound the ICO says this does not mean you should. “Some of the key concepts in data protection law concern transparency, fairness and proportionality. Because recording conversations can be particularly intrusive, capturing audio is difficult to justify in most everyday situations.”
The Code says, “This principle points to the need for a data protection impact assessment (DPIA) to be undertaken whenever the development or review of a surveillance camera system is being considered.” It adds, “A DPIA also helps assure compliance with obligations as data controller under the data protection legislation.” A Guidance and a template for carrying out a DPIA in respect of CCTV has been developed to support organisations and ensure they are meeting their legal requirements.
The ICO states that for surveillance systems in particular, you must perform a DPIA with balanced consideration for any type of processing that is likely to result in a high risk to individuals. If you decided not to do a DPIA you would need to document your reasons and be prepared to justify why the processing is not of a type likely to result in high risk. The ICO provides guidance on when a DPIA is necessary.
In its guidance on surveillance systems the ICO states that “a failure to carry out a DPIA when required in itself infringes the UK GDPR and may leave you open to enforcement action.”
Principle 3 – There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
The Code states, “People in public places should normally be made aware whenever they are being monitored by a surveillance camera system, who is undertaking the activity and the purpose for which the associated information is to be used. This is an integral part of overt surveillance and is already a legal obligation under DPA 2018.”
“Lawfulness, fairness and transparency” form one of the Data Protection principles which states that you must have a legal basis for your data processing and that you will process it fairly. Meanwhile under the transparency requirement of the UK GDPR Individuals have the right to be informed about the collection and use of their personal data.
In order to meet your data protection obligations in respect of a surveillance system the ICO explains that, “signs should make it clear that CCTV is in operation and should be displayed in noticeable areas, such as a shop window. Your signs should be one of the first things people see when they approach your premises.”
Principle 4 – There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
“Accountability” is one of the key principles under UK GDPR which requires you to take responsibility for what you do with personal data and how you comply with the other principles.
This covers governance of the system and the ICO CCTV self-assessment checklist specifies that you need to ensure that “Your business has a policy and/or procedure covering the use of CCTV and has nominated an individual who is responsible for the operation of the CCTV system.”
Additionally, the ICO checklist makes it clear that it expects organisations to have “a process to recognise and respond to individuals or organisations making requests for copies of the images on your CCTV footage and to seek prompt advice from the Information Commissioner where there is uncertainty.”
Principle 5 – Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
The Code states there are significant benefits in having clear policies and procedures for the operation of any surveillance camera system as it will aid its effective management and use and ensure that any legal obligations affecting the use of such a system are addressed. It adds that, “where the operator is a relevant authority, their published policies will form part of the body of law under which they operate.”
Having clear rules and documentation of your data processing forms part of the accountability principles of the UK GDPR. In order to meet your data protection obligations the ICO states that, “It’s important that you update your privacy notice to reflect that you’re now using CCTV. You also need a separate CCTV policy.
“In your CCTV policy, you need to explain the reasons why you’re using CCTV, outline any staff responsibilities, and record any security measures you put in place to keep your footage secure.”
Principle 6 – No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
“Storage limitation” is a key principle under UK GDPR and therefore as highlighted in the Surveillance Camera Code is a requirement of data protection legislation.
The ICO makes it clear that, “You should only keep CCTV footage for as long as you need it.” This could be long enough for an incident, such as a theft, to be noticed and for this to be investigated.
To meet your legal obligations the ICO states that you need a policy setting standard retention periods wherever possible, to comply with documentation requirements; you should periodically review the data you hold, and erase or anonymise it when you no longer need it. Additionally, you need to consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
Principle 7 – Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
The ICO states that “If the CCTV footage that you capture falls into the wrong hands, your customers could be at risk and you may need to notify us of a personal data breach. You can avoid this by keeping the footage in a secure place.”
However, under the UK GDPR you can give access to CCTV footage to third parties as long as this is controlled and “the disclosure itself is consistent with the purpose(s) for which you set up the system.” For example, in most cases it is appropriate to disclose video surveillance information to law enforcement when the purpose of the system is to contribute to the prevention and detection of crime. Even if this is not your purpose it is still acceptable to disclose information to law enforcement agencies, if relevant as failure to do so could prejudice an ongoing investigation, the ICO states.
Separately individuals have a right to request access to footage under Article 15 of the UK GDPR. The ICO states that in order to comply with these rights organisations should:
have staff who operate surveillance systems that can recognise a request to access, erase or restrict personal data, and can help progress such requests efficiently.
- have internal procedures for the handling of requests. This includes keeping a log of the requests received and how they are dealt with within the statutory timescales.
- have procedures in place to help locate the requester’s information. This includes using the date, time and location where the footage was captured.
- be able to provide footage to individual requesters or law enforcement in a commonly used video file format.
When you give access to footage you must not affect the rights and freedoms of others so you may need to gain consent from third parties to disclosure or alternatively remove or redact particular footage. So you may choose to blur, mask, or use a solid fill to obscure parts of the footage.
Principle 8 – Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards
This principle relates to the system functionality, the installation and maintenance of the system and it is recommended that independent certification is obtained so you can be sure of the ongoing standard of the system. This would be based on the standards of the manufacturer and ensuring that the installer has a professional accreditation.
Additionally, the system operator should adhere to high standards and the ICO stipulates that organisations should train their staff in how to operate the CCTV system and cameras and how to recognise requests for CCTV information/images.
If your CCTV equipment is of good quality, you can also ensure that the CCTV images are clear and of a high quality as required by the ICO.
Principle 9 – Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
The “Integrity and confidentiality” principle of the UK GDPR – also known as the security principle – states that you must ensure that you have appropriate security measures in place to protect the personal data you hold.
Under the UK GDPR you must process personal data securely by means of ‘appropriate technical and organisational measures’ and “doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures.”
The Surveillance Camera Code of Practice states that under data protection obligations, those operating surveillance camera systems or who use or process images and information obtained by such systems must have a clearly defined policy to control how images and information are stored and who has access to them.
In its guidance on video surveillance the ICO provides the following checklist to help CCTV operators comply with their data protection obligations:
- Demonstrate that appropriate technical and organisational measures are in place that maintains the confidentiality, integrity and availability of the information captured from our surveillance systems.
- Ensure that access to footage is restricted only to authorised individuals.
- Obtain copies of footage from the system in a timely manner, in a suitable format without losing image quality or time and date information.
- Able to retrieve footage from the CCTV systems efficiently if it is requested for disclosures or for further examination, within relevant statutory timescales.
- Demonstrate that the information collected complies with designated technical standards.
Principle 10 – There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
The Code recommends a review of the policies should take place at least annually. It adds, “In reviewing the continued use of a surveillance camera system, a system operator should consider undertaking an evaluation to enable comparison with alternative interventions with less risk of invading individual privacy, and different models of operation (to establish for example any requirement for 24 hour monitoring).”
This is also a reminder that accountability obligations under the UK GDPR are ongoing which state that you must, “review and, where necessary, update the measures you put in place.”
The ICO suggests that “if you implement a privacy management framework this can help you embed your accountability measures and create a culture of privacy across your organisation.”
Principle 11 – When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
If the stated purpose of the CCTV system is to support law enforcement the Code states the CCTV system must be capable, through processes, procedures and training of system users, of delivering images and information that is of evidential value to the criminal justice system. However, when storing or if data is compressed its quality must not be reduced to an extent that it is no longer suitable for its intended purpose.
In order to continue to protect the data the Code states, “the medium on which the images and information are stored will be important, and access must be restricted. A record should be kept as an audit trail of how images and information are handled if they are likely to be used as exhibits for the purpose of criminal proceedings in court. Once there is no longer a clearly justifiable reason to retain the recorded images and information, they should be deleted.”
The legal obligations in relation to the processing of personal data for law enforcement purposes are separate from the UK GDPR regime and are instead covered by part 3 of the Data Protection Act 2018 (DPA 2018). The ICO has produced a separate Guide to Law Enforcement Processing to aid compliance with the law.
Principle 12 – Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.
This Principle relates to ensuring the integrity of data used by the Police or other bodies, for example when a CCTV system is using live facial recognition (LFR) to find people on a watchlist, or when automatic number plate recognition technology is being used and checked against vehicle registration number records.
In this case if external reference data is being used it should not be retained for longer than necessary to fulfil the purpose for which it was originally added to a database.
Under the UK GDPR all data is subject to the “accuracy principle” which obliges all organisations to ensure the accuracy of any personal data created and to have appropriate processes in place to check the accuracy of the data collected and record the source of that data.
We can give you the peace of mind that you have data protection covered
While it is easy to overlook the Surveillance Camera Code of Practice as only applying to local authorities or the Police as it makes clear parts of the Code requirements are actually now legal requirements under the DPA 2018. We offer all of our customers the CCTV Logbook cloud software service which gives users a step-by-step process to follow the Code if you subscribe to its compliance package.
If you are based in Bristol, Bath or elsewhere in south-west England and you want advice on how you can ensure you are meeting your data protection obligations or more information on the Surveillance Camera Code of Practice we would delighted to help so please contact us if you want to have a chat.