CCTV Data Protection Act
Since the 24th October 2001 it has been a criminal offense to use an unregistered CCTV system to record people in a public or private place unless it meets certain criteria.
The introduction of the Data Protection Act 1998 and other related legislation has had far reaching consequences for those who own, manage or operate CCTV systems. Every aspect of this new legislation impacts upon your use of CCTV.
The Code of Practice contains 62 legally enforceable 'Standards' that must be met to ensure compliance with the Data Protection Act 1998. The Commissioner includes a further 30 points of good practice, which together with the standards, are designed to build and maintain public confidence in CCTV systems and to ensure that they operate within the law.
The Data Protection Act (DPA) 1998 came into force on March 1st 2000 and the Information Commissioner has issued a Code of Practice for CCTV systems. This Code was updated on July 14th 2000 and again in January 2008 and is available from us as part of our Data Protection Information Pack.
You will find at The Data Protection Act and CCTV our own interpretation and summary of the requirements of the act. This however still leaves a number of questions unanswered so we have prepared a Data Protection Information Pack for visitors to this site. This should answer most of the questions that you may have concerning The Data Protection Act and CCTV as well as providing an extensive checklist enabling you to ensure that your organization is fully complying with the requirements of the legislation.
Information Pack contains the following:
1. DPA Code of Practice from the Information Commissioner's Office. This explains what the law requires of you if you have a CCTV System.
2. DPA Self Assessment Pack providing further details on the law and a simple checklist for you to ensure that your organization is complying with the DPA.
3. DPA Catalogue of items that you may need in order to comply with the requirements of the DPA. e.g. Signs, Download CD's or DVD's, necessary forms, etc.
4. An order form should you wish to order any of the catalogue items.
Ensuring that an organization’s CCTV system is fully compliant with the Data Protection Act can often involve weeks of work. Very often this time is spent reinventing the wheel as VeriFi can conduct a full professional assessment of your system and provide full documentation and comprehensive advice on where your system meets or fails to meet current legislation and official guidelines. However, a VeriFi Assessment goes much further than this in that it sets up a complete framework on which to base your CCTV management.
The VeriFi solution
VeriFi can supply an Independent Consultant to conduct a CCTV Compliance Assessment, provide full documentation and comprehensive advice on where your system meets or fails to meet current legislation and official guidelines. However, a VeriFi Assessment goes much further than this in that it sets up a complete framework on which to base your CCTV management. The following are all covered by the VeriFi service.
Information Commissioners Office
Almost all CCTV systems must be registered with the Information Commissioners Office. VeriFi will inform you of shortcomings in regard to your ICO notification.
Policy Document
You will require a statement itemising how your CCTV system is to be managed and stating who is fulfilling the roles of Data Controller and Data Processor.
Operational Requirement
According to the Home Office an Operational Requirement should be drawn up before any CCTV system is specified and form the basis for the design of the system. This document then provides evidence for the relevance of your system in respect to the DPA. VeriFi will reverse engineer an Operational Requirement and advise you of any shortfalls or redundancy within the system.
Privacy
It is a serious infringement of the DPA for your CCTV system to invade the privacy of other people and their property. VeriFi will inform you of any such breaches and advise on the steps that should be taken to correct the situation.
CCTV Signage
You must ensure that you inform people before, or as, they enter an area where there is CCTV surveillance. As you can only use your CCTV system for the purposes which are stated on the signage it is important that the correct wording is used. VeriFi advise you on the correct wording for your organization and can arrange the purchase of all necessary signage.
Annual CCTV Audit
To comply with the Information Commissioners Office CCTV Policy Document VeriFi undertakes a manual audit on behalf of its clients and provides them with comprehensive advice on any shortcomings. This is designed to ensure that your staff for contractors will effectively manage your CCTV on a continuing basis.
Management Documentation
Clients of VeriFi receive, free of charge, a comprehensive package of the necessary documentation required under the DPA as well is training in its use.
Recording Media
To help ensure that images are usable in a court of law it is essential that any CDs or DVDs are Data Compliant (media purchased from retail outlets will not be suitable). Also supplied free of charge to VeriFi clients are the necessary compliant CD's/DVDs. Should you require more documentation or recording media this can be ordered online and is normally supplied on the next working day.
Right of Access Management
Under the DPA members of the public have a right to access of their recorded images. The VeriFi Application Form that is supplied as part of this service includes a statement of the individual's rights and how Subject Access Requests are managed. This service is designed to ensure full legal compliance.
Public Information
As you must provide for the public a statement of how you manage and operate your CCTV this can be provided to VeriFi clients in either an online or paper format.
Staff Awareness
If you have not made your workforce fully aware of the purpose of the system and how it may apply to them video evidence may be ruled inadmissible. VeriFi clients receive as part of the package, a specific sign for display in staff areas.
Public Complaints Procedure
As it is rare to receive a complaint from the public with regard to the management of CCTV companies normally have no complaints procedure put in place. Where VeriFi manage enquiries on your behalf this includes complaints logging and resolution.
Security of Images
VeriFi will provide an audit of the method you use to secure recorded images. This will include, logging of those people allowed access, the method of access & control of images taken from the system and the tracking any hard disk drives that have been removed from the site.
Other Services:
Although not part of the above Compliance Assessment, the Following Services Are Also Available from VeriFi:
Discreet Evidence Download Service
It is sometimes necessary that evidence be downloaded from the system by someone who is independent from the day-to-day management. A reliable and effective service can be provided by VeriFi should such an event to occur.
Professional Evidence Editing
Where substantial amounts of irrelevant information are downloaded the result is often a noble long and complicated presentation of the facts. To avoid this VeriFi can offer a professional evidence editing service.
The police(Globally) say that 80% of CCTV evidence is inadmissible in court. Causes of such failures include inadequate documentation, lack of audit trail and incorrect recording of evidence.
We recommend that you ensure that you are fully compliant with the DPA as having spent thousands of currency on the installation of a CCTV system it is indefensible to then have the evidence rendered unusable by the relatively small lack of investment in procedural items.
Almost all CCTV systems are required by law to register under the Data Protection Act with the Information Commissioner's Office as well as having, as a minimum, the following items:
1. A Small System Checklist. We supply this free of charge with our Management & Download Pack below.
2. When recording a Compliant CD's or DVD's for recording incidents as well as the necessary forms that you need to log system maintenance, the passing on of evidence to the Police or a third party and other items that may require an audit trail in the event of recordings being required as evidence.
3. The Correct Signage. This may need to include your organization’s name and contact details.
Checklist for users of limited CCTV systems monitoring small retail and business premises
This CCTV system and the images produced by it are controlled by ………………….. who is responsible for how the system is used and for notifying the Information Commissioner about the CCTV system and its purpose (which is a legal requirement of the Data Protection Act 1998).
We (……) have considered the need for using CCTV and have decided it is required for the prevention and detection of crime and for protecting the safety of customers. It will not be used for other purposes. We conduct an annual review of our use of CCTV.
|
Checked (Date)
|
By
|
Date of next review
|
Notification has been submitted to the Information Commissioner and the next renewal date recorded.
|
|
|
|
There is a named individual who is responsible for the operation of the system.
|
|
|
|
A system has been chosen which produces clear images which the law enforcement bodies (usually the police) can use to investigate crime and these can easily be taken from the system when required.
|
|
|
|
Cameras have been sited so that they provide clear images.
|
|
|
|
Cameras have been positioned to avoid capturing the images of persons not visiting the premises.
|
|
|
|
There are visible signs showing that CCTV is in operation. Where it is not obvious who is responsible for the system contact details are displayed on the sign(s).
|
|
|
|
Images from this CCTV system are securely stored, where only a limited number of authorised persons may have access to them.
|
|
|
|
The recorded images will only be retained long enough for any incident to come to light (e.g. for a theft to be noticed) and the incident to be investigated.
|
|
|
|
Except for law enforcement bodies, images will not be provided to third parties.
|
|
|
|
The organisation knows how to respond to individuals making requests for copies of their own images. If unsure the controller knows to seek advice from the Information Commissioner as soon as such a request is made.
|
|
|
|
Regular checks are carried out to ensure that the system is working properly and produces high quality images.
|
|
|
|
Please keep this checklist in a safe place until the date of the next review.
Monitoring your workforce
When you install CCTV in a workplace, such as a shop, it is likely to capture pictures of workers, even if they are not the main subject of surveillance. If the purpose of the CCTV is solely to prevent and detect crime, then you should not use it for monitoring the amount of work done or compliance with company procedures.
- Have the cameras been installed so they are not directed specifically to capture images of workers?
- Are the recorded images viewed only when there is suspected criminal activity, and not just for routine monitoring of workers? Cameras installed for preventing and detecting crime should not be used for non-criminal matters.
- Are images of workers used only if you see something you cannot be expected to ignore, such as criminal activity, gross misconduct, or behaviour which puts others at risk?
- If these images are used in disciplinary proceedings, is the footage retained so that the worker can see it and respond? A still image is unlikely to be enough.
In some cases, it may be appropriate to install CCTV specifically for workforce monitoring. You should go through the decision making process in section 4 of this code and consider whether it is justified. In particular, consider whether better training or greater supervision would be a more appropriate solution.
Example: You suspect that your workers are stealing goods from the store room. It would be appropriate to install CCTV in this room, as it will not involve continuous or intrusive monitoring and is proportionate to the problem.
Example: You suspect that your workers are making mobile phone calls during working hours, against company policy, and you consider installing CCTV cameras on their desks to monitor them throughout the day. This would be intrusive and disproportionate. Continuous monitoring should only be used in very exceptional circumstances, for example where hazardous substances are used and failure to follow procedures would pose a serious risk to life.
- Is CCTV limited to areas which workers would not expect to be private? CCTV should not be used in toilet areas or private offices.
- Are workers made aware that the CCTV is for staff monitoring and how it will be used? How are visitors informed that CCTV is in operation?
- If CCTV is used to enforce internal policies, are workers fully aware of these policies and have they had sufficient training?
- Do you have procedures to deal appropriately with subject access requests from workers?
Workers should normally be aware that they are being monitored, but in exceptional circumstances, covert monitoring may be used as part of a specific investigation. Covert monitoring is where video or audio recording equipment is used, and those being monitored are unaware that this is taking place. Before approving covert monitoring, you should ask yourself:
- Is this an exceptional circumstance, and is there is reason to suspect criminal activity or equivalent malpractice?
- Will the cameras only be used for a specific investigation, and will they be removed once the investigation is complete?
- Would it prejudice the investigation to tell workers that cameras are being used?
- Have you taken into account the intrusion on innocent workers?
- Has the decision been taken by senior management?
Cameras and listening devices should not be installed in private areas such as toilets and private offices, except in the most exceptional circumstances where serious crime is suspected. This should only happen where there is an intention to involve the police, not where it is a purely internal disciplinary matter.
In some cases, covert cameras installed for one investigation may turn up evidence of other criminal behavior or disciplinary offenses. You should only make use of this where the offence is serious, for example, gross misconduct or misconduct putting others at risk. It would be unfair to use evidence obtained covertly for minor disciplinary matters.
In some cases, covert monitoring may be covered by the Regulation of Investigatory Powers Act 2000 or the Regulation of Investigatory Powers (Scotland) Act 2000 (RIPA / RIPSA). You may wish to seek advice.