
Wednesday, March 14, 2012

CCTV Data Protection Act


Since the 24th October 2001 it has been a criminal offense to use an unregistered CCTV system to record people in a public or private place unless it meets certain criteria.
The introduction of the Data Protection Act 1998 and other related legislation has had far reaching consequences for those who own, manage or operate CCTV systems. Every aspect of this new legislation impacts upon your use of CCTV.

The Code of Practice contains 62 legally enforceable 'Standards' that must be met to ensure compliance with the Data Protection Act 1998. The Commissioner includes a further 30 points of good practice, which together with the standards, are designed to build and maintain public confidence in CCTV systems and to ensure that they operate within the law.
The Data Protection Act (DPA) 1998 came into force on March 1st 2000 and the Information Commissioner has issued a Code of Practice for CCTV systems. This Code was updated on July 14th 2000 and again in January 2008 and is available from us as part of our Data Protection Information Pack.

You will find at The Data Protection Act and CCTV our own interpretation and summary of the requirements of the act. This however still leaves a number of questions unanswered so we have prepared a Data Protection Information Pack for visitors to this site. This should answer most of the questions that you may have concerning The Data Protection Act and CCTV as well as providing an extensive checklist enabling you to ensure that your organization is fully complying with the requirements of the legislation.
The Information Pack contains the following:
1. DPA Code of Practice from the Information Commissioner's Office. This explains what the law requires of you if you have a CCTV System.
2. DPA Self Assessment Pack providing further details on the law and a simple checklist for you to ensure that your organization is complying with the DPA.
3. DPA Catalogue of items that you may need in order to comply with the requirements of the DPA, e.g. signs, download CDs or DVDs, necessary forms, etc.
4. An order form should you wish to order any of the catalogue items.

Ensuring that an organization’s CCTV system is fully compliant with the Data Protection Act can often involve weeks of work. Very often this time is spent reinventing the wheel, since VeriFi can conduct a full professional assessment of your system and provide full documentation and comprehensive advice on where your system meets or fails to meet current legislation and official guidelines. However, a VeriFi Assessment goes much further than this in that it sets up a complete framework on which to base your CCTV management.

The VeriFi solution
VeriFi can supply an Independent Consultant to conduct a CCTV Compliance Assessment, provide full documentation and comprehensive advice on where your system meets or fails to meet current legislation and official guidelines. However, a VeriFi Assessment goes much further than this in that it sets up a complete framework on which to base your CCTV management. The following are all covered by the VeriFi service.
Information Commissioner's Office
Almost all CCTV systems must be registered with the Information Commissioner's Office. VeriFi will inform you of shortcomings in regard to your ICO notification.
Policy Document
You will require a statement itemising how your CCTV system is to be managed and stating who is fulfilling the roles of Data Controller and Data Processor.
Operational Requirement
According to the Home Office an Operational Requirement should be drawn up before any CCTV system is specified and form the basis for the design of the system. This document then provides evidence for the relevance of your system in respect to the DPA. VeriFi will reverse engineer an Operational Requirement and advise you of any shortfalls or redundancy within the system.
Privacy
It is a serious infringement of the DPA for your CCTV system to invade the privacy of other people and their property. VeriFi will inform you of any such breaches and advise on the steps that should be taken to correct the situation.
CCTV Signage
You must ensure that you inform people before, or as, they enter an area where there is CCTV surveillance. As you can only use your CCTV system for the purposes which are stated on the signage, it is important that the correct wording is used. VeriFi will advise you on the correct wording for your organization and can arrange the purchase of all necessary signage.
Annual CCTV Audit
To comply with the Information Commissioner's Office CCTV Policy Document, VeriFi undertakes a manual audit on behalf of its clients and provides them with comprehensive advice on any shortcomings. This is designed to ensure that your staff or contractors will effectively manage your CCTV on a continuing basis.
Management Documentation
Clients of VeriFi receive, free of charge, a comprehensive package of the necessary documentation required under the DPA as well as training in its use.
Recording Media
To help ensure that images are usable in a court of law it is essential that any CDs or DVDs are Data Compliant (media purchased from retail outlets will not be suitable). The necessary compliant CDs/DVDs are also supplied free of charge to VeriFi clients. Should you require more documentation or recording media, this can be ordered online and is normally supplied on the next working day.
Right of Access Management
Under the DPA, members of the public have a right of access to their recorded images. The VeriFi Application Form that is supplied as part of this service includes a statement of the individual's rights and how Subject Access Requests are managed. This service is designed to ensure full legal compliance.
Public Information
As you must provide the public with a statement of how you manage and operate your CCTV, this can be provided to VeriFi clients in either an online or paper format.
Staff Awareness
If you have not made your workforce fully aware of the purpose of the system and how it may apply to them, video evidence may be ruled inadmissible. VeriFi clients receive, as part of the package, a specific sign for display in staff areas.
Public Complaints Procedure
As it is rare to receive a complaint from the public with regard to the management of CCTV, companies normally have no complaints procedure in place. Where VeriFi manage enquiries on your behalf this includes complaints logging and resolution.
Security of Images
VeriFi will provide an audit of the method you use to secure recorded images. This will include logging of those people allowed access, the method of access and control of images taken from the system, and the tracking of any hard disk drives that have been removed from the site.

Other Services:
Although not part of the above Compliance Assessment, the following services are also available from VeriFi:
Discreet Evidence Download Service
It is sometimes necessary that evidence be downloaded from the system by someone who is independent from the day-to-day management. A reliable and effective service can be provided by VeriFi should such an event occur.
Professional Evidence Editing
Where substantial amounts of irrelevant information are downloaded, the result is often a long and complicated presentation of the facts. To avoid this, VeriFi can offer a professional evidence editing service.

The police (globally) say that 80% of CCTV evidence is inadmissible in court. Causes of such failures include inadequate documentation, lack of audit trail and incorrect recording of evidence.
We recommend that you ensure that you are fully compliant with the DPA as having spent thousands of currency on the installation of a CCTV system it is indefensible to then have the evidence rendered unusable by the relatively small lack of investment in procedural items.
Almost all CCTV systems are required by law to register under the Data Protection Act with the Information Commissioner's Office as well as having, as a minimum, the following items:
1. A Small System Checklist. We supply this free of charge with our Management & Download Pack below.
2. Compliant CDs or DVDs for recording incidents, as well as the necessary forms that you need to log system maintenance, the passing on of evidence to the Police or a third party, and other items that may require an audit trail in the event of recordings being required as evidence.
3. The Correct Signage. This may need to include your organization’s name and contact details.

Checklist for users of limited CCTV systems monitoring small retail and business premises
This CCTV system and the images produced by it are controlled by ………………….. who is responsible for how the system is used and for notifying the Information Commissioner about the CCTV system and its purpose (which is a legal requirement of the Data Protection Act 1998).
We (……) have considered the need for using CCTV and have decided it is required for the prevention and detection of crime and for protecting the safety of customers. It will not be used for other purposes. We conduct an annual review of our use of CCTV.


| | Checked (Date) | By | Date of next review |
|---|---|---|---|
| Notification has been submitted to the Information Commissioner and the next renewal date recorded. | | | |
| There is a named individual who is responsible for the operation of the system. | | | |
| A system has been chosen which produces clear images which the law enforcement bodies (usually the police) can use to investigate crime and these can easily be taken from the system when required. | | | |
| Cameras have been sited so that they provide clear images. | | | |
| Cameras have been positioned to avoid capturing the images of persons not visiting the premises. | | | |
| There are visible signs showing that CCTV is in operation. Where it is not obvious who is responsible for the system contact details are displayed on the sign(s). | | | |
| Images from this CCTV system are securely stored, where only a limited number of authorised persons may have access to them. | | | |
| The recorded images will only be retained long enough for any incident to come to light (e.g. for a theft to be noticed) and the incident to be investigated. | | | |
| Except for law enforcement bodies, images will not be provided to third parties. | | | |
| The organisation knows how to respond to individuals making requests for copies of their own images. If unsure the controller knows to seek advice from the Information Commissioner as soon as such a request is made. | | | |
| Regular checks are carried out to ensure that the system is working properly and produces high quality images. | | | |

Please keep this checklist in a safe place until the date of the next review.

Monitoring your workforce

When you install CCTV in a workplace, such as a shop, it is likely to capture pictures of workers, even if they are not the main subject of surveillance. If the purpose of the CCTV is solely to prevent and detect crime, then you should not use it for monitoring the amount of work done or compliance with company procedures.
  • Have the cameras been installed so they are not directed specifically to capture images of workers?
  • Are the recorded images viewed only when there is suspected criminal activity, and not just for routine monitoring of workers? Cameras installed for preventing and detecting crime should not be used for non-criminal matters.
  • Are images of workers used only if you see something you cannot be expected to ignore, such as criminal activity, gross misconduct, or behaviour which puts others at risk?
  • If these images are used in disciplinary proceedings, is the footage retained so that the worker can see it and respond? A still image is unlikely to be enough.
In some cases, it may be appropriate to install CCTV specifically for workforce monitoring. You should go through the decision making process in section 4 of this code and consider whether it is justified. In particular, consider whether better training or greater supervision would be a more appropriate solution.

Example: You suspect that your workers are stealing goods from the store room. It would be appropriate to install CCTV in this room, as it will not involve continuous or intrusive monitoring and is proportionate to the problem.

Example: You suspect that your workers are making mobile phone calls during working hours, against company policy, and you consider installing CCTV cameras on their desks to monitor them throughout the day. This would be intrusive and disproportionate. Continuous monitoring should only be used in very exceptional circumstances, for example where hazardous substances are used and failure to follow procedures would pose a serious risk to life.
  • Is CCTV limited to areas which workers would not expect to be private? CCTV should not be used in toilet areas or private offices.
  • Are workers made aware that the CCTV is for staff monitoring and how it will be used? How are visitors informed that CCTV is in operation?
  • If CCTV is used to enforce internal policies, are workers fully aware of these policies and have they had sufficient training?
  • Do you have procedures to deal appropriately with subject access requests from workers?
Workers should normally be aware that they are being monitored, but in exceptional circumstances, covert monitoring may be used as part of a specific investigation. Covert monitoring is where video or audio recording equipment is used, and those being monitored are unaware that this is taking place. Before approving covert monitoring, you should ask yourself:
  • Is this an exceptional circumstance, and is there reason to suspect criminal activity or equivalent malpractice?
  • Will the cameras only be used for a specific investigation, and will they be removed once the investigation is complete?
  • Would it prejudice the investigation to tell workers that cameras are being used?
  • Have you taken into account the intrusion on innocent workers?
  • Has the decision been taken by senior management?
Cameras and listening devices should not be installed in private areas such as toilets and private offices, except in the most exceptional circumstances where serious crime is suspected. This should only happen where there is an intention to involve the police, not where it is a purely internal disciplinary matter.
In some cases, covert cameras installed for one investigation may turn up evidence of other criminal behavior or disciplinary offenses. You should only make use of this where the offence is serious, for example, gross misconduct or misconduct putting others at risk. It would be unfair to use evidence obtained covertly for minor disciplinary matters.
In some cases, covert monitoring may be covered by the Regulation of Investigatory Powers Act 2000 or the Regulation of Investigatory Powers (Scotland) Act 2000 (RIPA / RIPSA). You may wish to seek advice.











Tuesday, March 15, 2011

CCTV Illegal (90%) Ineffective (80%)


Whether CCTV is an existing element of your security/management strategy or you are considering investing in CCTV, you need to be sure that the system will provide unequivocal evidence.

Imagine your frustration at having your CCTV evidence rejected in a health & safety claim or employment law dispute due to poor quality images or procedural mistakes. The financial impact of such cases could amount to tens if not hundreds of thousands of currency; by comparison most instances of theft can appear almost inconsequential in terms of loss.

The quality of images as seen on TV news and crime reporting programmes is a damning indictment of CCTV standards. Consider the numbers quoted in the headline: "90% Illegal", stated by CameraWatch, is based on ‘initial research’ and refers to total or partial shortfall in Data Protection Act compliance. "80% Ineffective" refers to the efficacy of CCTV evidence examined by the Police and is stated in the Home Office National CCTV Strategy.

These statistics are largely based on anecdotal evidence; nevertheless, those professionally involved in the assessment of CCTV systems would, from practical experience, broadly agree with these estimates.

Another interesting number is the 3.2 to 4.2 million CCTV surveillance cameras employed in India. Which figure is closest to reality no one knows, but there is probably 1 camera for every 15 members of the population, capturing our images as we go about our lives.

According to current folklore our image is captured 300 times a day and stored for a month or more. Should we be worried?
Provided that CCTV images are managed in accordance with Data Protection Act principles and you are a law abiding citizen, there should be no concern and in countless high profile cases CCTV has proven to be an invaluable aid to investigation. Evidence of the immediately preceding terrorist bombings was of fundamental importance to the Police investigation.

Data Protection Act legislation is at the very core of protecting our Human Rights when it comes to the use of CCTV, so are we safe to assume we are protected from its misuse? The law is certainly adequate and has been since the 1998 Data Protection Act encompassed CCTV images. The Information Commissioner is responsible for enforcement and serious cases of non compliance can result in a substantial fine or even a custodial sentence.

You must let people know that they are in an area where CCTV surveillance is being carried out. The most effective way of doing this is by prominently placed signs at the entrance to the CCTV zone and reinforcing this with further signs inside the area. The signs should contain details of the organization responsible for operating the system, the purposes for using CCTV and contact details.

The Data Protection Act does not prescribe any specific minimum or maximum period for which images should be retained; the archive period should reflect the organization’s own purposes, although 30 days is the accepted norm.
A little known aspect of DPA law is the Right of Subject Access: you have a legal right to request a copy of your images captured on CCTV and, subject to certain reasonable conditions, the organization responsible for the CCTV system (the Data Controller) must provide a copy.

You will need to make the application in writing, stating where you were and the time and date, and provide photographic identity so that the relevant images can be searched for. The Data Controller is entitled to charge something for the search including the cost of providing a CD or DVD. The images must be provided to the applicant within 40 days of the date of application or a valid reason for not being able to comply must be given within 21 days.

Legislation is weighted in favor of the applicant and the Data Controller can incur substantial costs in producing the copy recording, particularly if it is found to include images of third parties as well as the applicant. These third party images must be masked in order to protect the identities of others.
A frequent dilemma faced by Security / Facilities Managers of multi tenanted buildings arises when a tenant demands access to recordings that may assist them in criminal or civil law matters. In the case of criminal investigation the response is clear cut: the tenant must report the matter to the Police, who will request a copy of any video evidence they may require.

Non criminal cases are more complex, and disclosure of images directly to the tenant may result in a breach of Data Protection Act law. On the other hand, refusal may result in bad feeling if the tenant holds the reasonable view that ‘security is included in the service charge that I am paying and I should be allowed access to CCTV recordings that relate to my business’.

A reasonable response would be to establish the parameters of the recording: date, time and cameras. Then download images in the same manner as for a criminal investigation, but without allowing the applicant to view the images. You have at this point protected the required images from being overwritten by the recording equipment. The next move is to suggest that the tenant instruct their lawyer to request a copy, subject to an undertaking that the law firm becomes Data Controller for the issued copy.
In this article we refer to digital recording only, on the basis that video tape is redundant technology that is no longer serviceable and unlikely to be effective.

Digital images are primarily recorded to hard drive and are only downloaded on demand. The recording equipment should be held in a secure enclosure fixed to the building fabric or located in a security control room. Access to the system to download images should be password protected and only available to nominated Data Processors.

Images should be downloaded to non rewritable media such as CD or DVD and be playable on any video enabled PC or laptop without the need for additional software. It is good practice to download two copies of an incident, one being the Working Copy for issue and the other being an Archive copy held securely on site for backup or verification purposes. It is vital that a robust audit trail is created by means of Unique Reference Numbers printed on the disc during the printing process. The audit trail should be supported by suitable documentation. Download to memory stick, re-recordable media or the internet without secure encryption will compromise the veracity of the evidence.

If CCTV is an existing element within your security & management strategy, make sure that you have a CCTV policy in place describing how it should be managed in compliance with Data Protection Act law. Don’t then file and forget, but ensure that your security staff are issued with a copy and carry out an annual assessment of management and equipment performance, thereby ensuring that your CCTV continues to meet current needs and best practice.

If you are considering the installation of CCTV, get a professional to assess your risks and system requirements in the form of an Operational Requirement based on the Home Office model. This is in effect a performance specification that can be issued to those responsible for the technical design and bid process, so you can be sure of obtaining comparable quotations on which to base your buying decision. Furthermore, you will have created a benchmark against which performance can be objectively assessed as part of an effective professional handover process that will include: System Operating Manual, CCTV Policy, Management Documentation, Statutory CCTV Warning Signs and training of those responsible for managing the system.