Security industry concerned about Data Protection Bill

Security industry bodies have expressed concern about the proposals in the Data Protection and Digital Information Bill, which abolishes the post of Biometrics & Surveillance Camera Commissioner (BSCC) and removes the need for the government to publish a Surveillance Camera Code of Practice (SCC Code).

The British Security Industry Association (BSIA) has called for clarity from the government about whether there are any plans to continue any of the work that is carried out by the BSCC that involves partnership with the security industry to encourage high standards across the surveillance camera sector.

The current holder of the BSCC post, Professor Fraser Sampson (pictured), wrote to the Home Secretary, Suella Braverman, tendering his resignation last month, and she replied in early September thanking him for his work. He will step down at the end of October but this leaves a gap before the Bill is likely to become law. Originally, he had planned to stay on until the Bill had passed through Parliament and attained Royal Assent.

However, Fraser Sampson had already told officials he would be out of the country for a substantial period towards the end of 2023 for personal reasons. With the Bill now not expected to become law until spring 2024 he said he would not be able to fulfil the functions of the BSCC role beyond 1st November and therefore tendered his resignation.

Disappointment over the abolition of the Biometrics & Surveillance Camera Commissioner Role

Dave Wilkinson, Director of Technical Services, BSIA, said: “We are both disappointed and concerned about the proposed abolition of the B&SCC. Given the prolific emergence of biometric technologies associated with video surveillance, now is a crucial time for government, industry, and the independent commissioner(s) to work closely together to ensure video surveillance is used appropriately, proportionately, and most important, ethically.

“We are therefore, on behalf of our industry, asking for clarity on how the government intends to fill the void. The B&SCC was a sterling example of a government and private sector partnership with tangible outcomes of benefit to all; failure to continue in a similar vein would be detrimental to any progress in future implementation of codes of conduct.”

Prior to Professor Sampson’s resignation, the CCTV User Group told its annual conference in April that it had written a letter of concern to the Home Secretary, Suella Braverman, about the changes, according to Professional Security Magazine. A comment piece by the magazine’s editor, Mark Rowe, suggested that a lot of time and hard work given voluntarily by members of the security industry would have been wasted if the current plans go ahead.

He wrote: “They have got no thanks from anyone in authority. The documents they worked on if unrefreshed will inevitably soon fall out of date and even become dangerous to use. It makes a sad and peculiar contrast with all the (paid) work Home Office and police are putting into the Protect Duty. Presumably all the ‘publicly accessible locations’ that will fall under the Duty could be more secure thanks to public space CCTV? But to what standards any more?”

Part of the work carried out by the BSCC has already stopped, with no new certification under its third-party accreditation scheme being issued after 31 July 2023. This scheme allowed third parties to certify organisations against the SCC Code. In his letter to the accreditation bodies, the SSAIB, the NSI and IQ Verify, Professor Fraser Sampson said clients that were due reaccreditation between 1 August and the commencement of the Bill should be offered an extension until that commencement date.

Data Protection and Digital Information Bill: Aiming to remove complexity

The Data Protection and Digital Information (No.2) Bill was introduced to the House of Commons in March by Michelle Donelan, Secretary of State for Science, Innovation and Technology, and it had its second reading debate in April.

This replaced an earlier version of the Bill, introduced by Nadine Dorries in July 2022 when she was Secretary of State for Digital, Culture, Media & Sport, which was subsequently withdrawn. This followed the changes of Prime Minister from Boris Johnson to Liz Truss and subsequently Rishi Sunak last year, and a change in department remits.

In March Michelle Donelan stated: “This new Bill is being introduced following a detailed co-design process with industry, business, privacy and consumer groups to determine how we could improve the Bill further.”

The Government said it will reduce compliance costs and burdens on business in the way they process data but will continue to maintain high data protection standards and protect the privacy of individuals. It stated that “the current oversight arrangements for police use of biometrics and surveillance cameras to help identify and eliminate suspects are complex and confusing for the police (as controllers) and the wider public.”

Changes in governance of data protection rules

The Bill transfers functions of the Biometrics Commissioner to the Investigatory Powers Commissioner. Meanwhile the government stated that under the Data Protection Act (DPA) 2018, the Information Commissioner provided independent oversight of all controllers’ use of all personal data, which included the use of biometrics and surveillance cameras and had extensive regulatory powers. Therefore, the government suggests that while the Surveillance Camera Commissioner position and the Surveillance Camera Code of Practice would be abolished, the overview of CCTV use would continue through data protection regulation.

Fraser Sampson previously argued, when responding to the government consultation held in the run-up to the Bill in 2021, that his role goes far beyond data protection and relates to achieving public trust in surveillance by bodies like the police. This includes ethical concerns about a technology like facial recognition and the use of CCTV in ways that could violate human rights. For example, the BSCC has been calling for public bodies to consider where they procure their CCTV from after ethical concerns about Chinese manufacturers.

Under the Bill, the Information Commissioner’s Office (ICO) is to be abolished and will be replaced by an Information Commission, with a board and chief executive. The current Information Commissioner, John Edwards, would become chair of the board. Separately, there are amendments to the UK General Data Protection Regulation (UK GDPR) and the DPA 2018, including provisions to minimise differences across the GDPR and the law enforcement processing regimes, as some public bodies may need to process data under both. The changes are aimed at removing burdens from organisations where the government could see little value in the requirements.

Professor Fraser Sampson noted previously in his consultation response that while regulators like the ICO have enforcement powers, they rarely used them in respect of surveillance compliance. He stated: “IPVM recently found that, over the first three years of the GDPR being in place, the ICO had issued zero surveillance fines, in common with the majority of national data regulators, while only one country’s data regulator – Spain – had imposed more than seven GDPR video surveillance fines over that three-year period.”

Look out for the Bill becoming law

The Bill is currently at its Report Stage in Parliament and will be undergoing further scrutiny in the Lords once Parliament returns in the autumn. This may mean there are further changes made to the Bill.

We have produced a number of blogs and videos covering data protection compliance, including on specifying the purpose of your CCTV, use of redaction, and embedding data protection by design and default. According to legal blogs, organisations already compliant with the current UK GDPR will not be forced to make changes to comply with the new Bill.

This means that if you are already processing personal data and meeting your compliance obligations for operating CCTV cameras, then you may need to make few changes. Organisations which adopted the Surveillance Camera Code of Practice will also be complying with data protection best practice.

If you are based in Bristol, Bath or elsewhere in south-west England and you want support or information as a CCTV operator, take a look at our news page or YouTube channel. We will provide further updates once the legal changes take effect or if changes are made to reflect the concerns of the security industry.