CCTV Data Protection Act
Since the 24th October 2001 it has been a criminal offense to use an unregistered CCTV system to record people in a public or private place unless it meets certain criteria.
The introduction of the Data Protection Act 1998 and other related legislation has had far reaching consequences for those who own, manage or operate CCTV systems. Every aspect of this new legislation impacts upon your use of CCTV.
The Code of Practice contains 62 legally enforceable 'Standards' that must be met to ensure compliance with the Data Protection Act 1998. The Commissioner includes a further 30 points of good practice, which together with the standards, are designed to build and maintain public confidence in CCTV systems and to ensure that they operate within the law.
The Data Protection Act (DPA) 1998 came into force on March 1st 2000 and the Information Commissioner has issued a Code of Practice for CCTV systems. This Code was updated on July 14th 2000 and again in January 2008 and is available from us as part of our Data Protection Information Pack.
You will find at The Data Protection Act and CCTV our own interpretation and summary of the requirements of the act. This however still leaves a number of questions unanswered so we have prepared a Data Protection Information Pack for visitors to this site. This should answer most of the questions that you may have concerning The Data Protection Act and CCTV as well as providing an extensive checklist enabling you to ensure that your organization is fully complying with the requirements of the legislation.
Information Pack contains the following:
1. DPA Code of Practice from the Information Commissioner's Office. This explains what the law requires of you if you have a CCTV System.
2. DPA Self Assessment Pack providing further details on the law and a simple checklist for you to ensure that your organization is complying with the DPA.
3. DPA Catalogue of items that you may need in order to comply with the requirements of the DPA. e.g. Signs, Download CD's or DVD's, necessary forms, etc.
4. An order form should you wish to order any of the catalogue items.
Ensuring that an organization’s CCTV system is fully compliant with the Data Protection Act can often involve weeks of work. Very often this time is spent reinventing the wheel as VeriFi can conduct a full professional assessment of your system and provide full documentation and comprehensive advice on where your system meets or fails to meet current legislation and official guidelines. However, a VeriFi Assessment goes much further than this in that it sets up a complete framework on which to base your CCTV management.
The VeriFi solution
VeriFi can supply an Independent Consultant to conduct a CCTV Compliance Assessment, provide full documentation and comprehensive advice on where your system meets or fails to meet current legislation and official guidelines. However, a VeriFi Assessment goes much further than this in that it sets up a complete framework on which to base your CCTV management. The following are all covered by the VeriFi service.
Information Commissioners Office
Almost all CCTV systems must be registered with the Information Commissioners Office. VeriFi will inform you of shortcomings in regard to your ICO notification.
Policy Document
You will require a statement itemising how your CCTV system is to be managed and stating who is fulfilling the roles of Data Controller and Data Processor.
Operational Requirement
According to the Home Office an Operational Requirement should be drawn up before any CCTV system is specified and form the basis for the design of the system. This document then provides evidence for the relevance of your system in respect to the DPA. VeriFi will reverse engineer an Operational Requirement and advise you of any shortfalls or redundancy within the system.
Privacy
It is a serious infringement of the DPA for your CCTV system to invade the privacy of other people and their property. VeriFi will inform you of any such breaches and advise on the steps that should be taken to correct the situation.
CCTV Signage
You must ensure that you inform people before, or as, they enter an area where there is CCTV surveillance. As you can only use your CCTV system for the purposes which are stated on the signage it is important that the correct wording is used. VeriFi advise you on the correct wording for your organization and can arrange the purchase of all necessary signage.
Annual CCTV Audit
To comply with the Information Commissioners Office CCTV Policy Document VeriFi undertakes a manual audit on behalf of its clients and provides them with comprehensive advice on any shortcomings. This is designed to ensure that your staff for contractors will effectively manage your CCTV on a continuing basis.
Management Documentation
Clients of VeriFi receive, free of charge, a comprehensive package of the necessary documentation required under the DPA as well is training in its use.
Recording Media
To help ensure that images are usable in a court of law it is essential that any CDs or DVDs are Data Compliant (media purchased from retail outlets will not be suitable). Also supplied free of charge to VeriFi clients are the necessary compliant CD's/DVDs. Should you require more documentation or recording media this can be ordered online and is normally supplied on the next working day.
Right of Access Management
Under the DPA members of the public have a right to access of their recorded images. The VeriFi Application Form that is supplied as part of this service includes a statement of the individual's rights and how Subject Access Requests are managed. This service is designed to ensure full legal compliance.
Public Information
As you must provide for the public a statement of how you manage and operate your CCTV this can be provided to VeriFi clients in either an online or paper format.
Staff Awareness
If you have not made your workforce fully aware of the purpose of the system and how it may apply to them video evidence may be ruled inadmissible. VeriFi clients receive as part of the package, a specific sign for display in staff areas.
Public Complaints Procedure
As it is rare to receive a complaint from the public with regard to the management of CCTV companies normally have no complaints procedure put in place. Where VeriFi manage enquiries on your behalf this includes complaints logging and resolution.
Security of Images
VeriFi will provide an audit of the method you use to secure recorded images. This will include, logging of those people allowed access, the method of access & control of images taken from the system and the tracking any hard disk drives that have been removed from the site.
Other Services:
Although not part of the above Compliance Assessment, the Following Services Are Also Available from VeriFi:
Discreet Evidence Download Service
It is sometimes necessary that evidence be downloaded from the system by someone who is independent from the day-to-day management. A reliable and effective service can be provided by VeriFi should such an event to occur.
Professional Evidence Editing
Where substantial amounts of irrelevant information are downloaded the result is often a noble long and complicated presentation of the facts. To avoid this VeriFi can offer a professional evidence editing service.
The police(Globally) say that 80% of CCTV evidence is inadmissible in court. Causes of such failures include inadequate documentation, lack of audit trail and incorrect recording of evidence.
We recommend that you ensure that you are fully compliant with the DPA as having spent thousands of currency on the installation of a CCTV system it is indefensible to then have the evidence rendered unusable by the relatively small lack of investment in procedural items.
Almost all CCTV systems are required by law to register under the Data Protection Act with the Information Commissioner's Office as well as having, as a minimum, the following items:
1. A Small System Checklist. We supply this free of charge with our Management & Download Pack below.
2. When recording a Compliant CD's or DVD's for recording incidents as well as the necessary forms that you need to log system maintenance, the passing on of evidence to the Police or a third party and other items that may require an audit trail in the event of recordings being required as evidence.
3. The Correct Signage. This may need to include your organization’s name and contact details.
Since the 24th October 2001 it has been a criminal offense to use an unregistered CCTV system to record people in a public or private place unless it meets certain criteria.
The introduction of the Data Protection Act 1998 and other related legislation has had far reaching consequences for those who own, manage or operate CCTV systems. Every aspect of this new legislation impacts upon your use of CCTV.
The Code of Practice contains 62 legally enforceable 'Standards' that must be met to ensure compliance with the Data Protection Act 1998. The Commissioner includes a further 30 points of good practice, which together with the standards, are designed to build and maintain public confidence in CCTV systems and to ensure that they operate within the law.
The Data Protection Act (DPA) 1998 came into force on March 1st 2000 and the Information Commissioner has issued a Code of Practice for CCTV systems. This Code was updated on July 14th 2000 and again in January 2008 and is available from us as part of our Data Protection Information Pack.
You will find at The Data Protection Act and CCTV our own interpretation and summary of the requirements of the act. This however still leaves a number of questions unanswered so we have prepared a Data Protection Information Pack for visitors to this site. This should answer most of the questions that you may have concerning The Data Protection Act and CCTV as well as providing an extensive checklist enabling you to ensure that your organization is fully complying with the requirements of the legislation.
Information Pack contains the following:
1. DPA Code of Practice from the Information Commissioner's Office. This explains what the law requires of you if you have a CCTV System.
2. DPA Self Assessment Pack providing further details on the law and a simple checklist for you to ensure that your organization is complying with the DPA.
3. DPA Catalogue of items that you may need in order to comply with the requirements of the DPA. e.g. Signs, Download CD's or DVD's, necessary forms, etc.
4. An order form should you wish to order any of the catalogue items.
Ensuring that an organization’s CCTV system is fully compliant with the Data Protection Act can often involve weeks of work. Very often this time is spent reinventing the wheel as VeriFi can conduct a full professional assessment of your system and provide full documentation and comprehensive advice on where your system meets or fails to meet current legislation and official guidelines. However, a VeriFi Assessment goes much further than this in that it sets up a complete framework on which to base your CCTV management.
The VeriFi solution
VeriFi can supply an Independent Consultant to conduct a CCTV Compliance Assessment, provide full documentation and comprehensive advice on where your system meets or fails to meet current legislation and official guidelines. However, a VeriFi Assessment goes much further than this in that it sets up a complete framework on which to base your CCTV management. The following are all covered by the VeriFi service.
Information Commissioners Office
Almost all CCTV systems must be registered with the Information Commissioners Office. VeriFi will inform you of shortcomings in regard to your ICO notification.
Policy Document
You will require a statement itemising how your CCTV system is to be managed and stating who is fulfilling the roles of Data Controller and Data Processor.
Operational Requirement
According to the Home Office an Operational Requirement should be drawn up before any CCTV system is specified and form the basis for the design of the system. This document then provides evidence for the relevance of your system in respect to the DPA. VeriFi will reverse engineer an Operational Requirement and advise you of any shortfalls or redundancy within the system.
Privacy
It is a serious infringement of the DPA for your CCTV system to invade the privacy of other people and their property. VeriFi will inform you of any such breaches and advise on the steps that should be taken to correct the situation.
CCTV Signage
You must ensure that you inform people before, or as, they enter an area where there is CCTV surveillance. As you can only use your CCTV system for the purposes which are stated on the signage it is important that the correct wording is used. VeriFi advise you on the correct wording for your organization and can arrange the purchase of all necessary signage.
Annual CCTV Audit
To comply with the Information Commissioners Office CCTV Policy Document VeriFi undertakes a manual audit on behalf of its clients and provides them with comprehensive advice on any shortcomings. This is designed to ensure that your staff for contractors will effectively manage your CCTV on a continuing basis.
Management Documentation
Clients of VeriFi receive, free of charge, a comprehensive package of the necessary documentation required under the DPA as well is training in its use.
Recording Media
To help ensure that images are usable in a court of law it is essential that any CDs or DVDs are Data Compliant (media purchased from retail outlets will not be suitable). Also supplied free of charge to VeriFi clients are the necessary compliant CD's/DVDs. Should you require more documentation or recording media this can be ordered online and is normally supplied on the next working day.
Right of Access Management
Under the DPA members of the public have a right to access of their recorded images. The VeriFi Application Form that is supplied as part of this service includes a statement of the individual's rights and how Subject Access Requests are managed. This service is designed to ensure full legal compliance.
Public Information
As you must provide for the public a statement of how you manage and operate your CCTV this can be provided to VeriFi clients in either an online or paper format.
Staff Awareness
If you have not made your workforce fully aware of the purpose of the system and how it may apply to them video evidence may be ruled inadmissible. VeriFi clients receive as part of the package, a specific sign for display in staff areas.
Public Complaints Procedure
As it is rare to receive a complaint from the public with regard to the management of CCTV companies normally have no complaints procedure put in place. Where VeriFi manage enquiries on your behalf this includes complaints logging and resolution.
Security of Images
VeriFi will provide an audit of the method you use to secure recorded images. This will include, logging of those people allowed access, the method of access & control of images taken from the system and the tracking any hard disk drives that have been removed from the site.
Other Services:
Although not part of the above Compliance Assessment, the Following Services Are Also Available from VeriFi:
Discreet Evidence Download Service
It is sometimes necessary that evidence be downloaded from the system by someone who is independent from the day-to-day management. A reliable and effective service can be provided by VeriFi should such an event to occur.
Professional Evidence Editing
Where substantial amounts of irrelevant information are downloaded the result is often a noble long and complicated presentation of the facts. To avoid this VeriFi can offer a professional evidence editing service.
The police(Globally) say that 80% of CCTV evidence is inadmissible in court. Causes of such failures include inadequate documentation, lack of audit trail and incorrect recording of evidence.
We recommend that you ensure that you are fully compliant with the DPA as having spent thousands of currency on the installation of a CCTV system it is indefensible to then have the evidence rendered unusable by the relatively small lack of investment in procedural items.
Almost all CCTV systems are required by law to register under the Data Protection Act with the Information Commissioner's Office as well as having, as a minimum, the following items:
1. A Small System Checklist. We supply this free of charge with our Management & Download Pack below.
2. When recording a Compliant CD's or DVD's for recording incidents as well as the necessary forms that you need to log system maintenance, the passing on of evidence to the Police or a third party and other items that may require an audit trail in the event of recordings being required as evidence.
3. The Correct Signage. This may need to include your organization’s name and contact details.
Checklist for users of limited CCTV systems monitoring small retail and business premises
This CCTV system and the images produced by it are controlled by ………………….. who is responsible for how the system is used and for notifying the Information Commissioner about the CCTV system and its purpose (which is a legal requirement of the Data Protection Act 1998).
We (……) have considered the need for using CCTV and have decided it is required for the prevention and detection of crime and for protecting the safety of customers. It will not be used for other purposes. We conduct an annual review of our use of CCTV.
Checked (Date)
|
By
|
Date of next review
| |
Notification has been submitted to the Information Commissioner and the next renewal date recorded.
| |||
There is a named individual who is responsible for the operation of the system.
| |||
A system has been chosen which produces clear images which the law enforcement bodies (usually the police) can use to investigate crime and these can easily be taken from the system when required.
| |||
Cameras have been sited so that they provide clear images.
| |||
Cameras have been positioned to avoid capturing the images of persons not visiting the premises.
| |||
There are visible signs showing that CCTV is in operation. Where it is not obvious who is responsible for the system contact details are displayed on the sign(s).
| |||
Images from this CCTV system are securely stored, where only a limited number of authorised persons may have access to them.
| |||
The recorded images will only be retained long enough for any incident to come to light (e.g. for a theft to be noticed) and the incident to be investigated.
| |||
Except for law enforcement bodies, images will not be provided to third parties.
| |||
The organisation knows how to respond to individuals making requests for copies of their own images. If unsure the controller knows to seek advice from the Information Commissioner as soon as such a request is made.
| |||
Regular checks are carried out to ensure that the system is working properly and produces high quality images.
|
Please keep this checklist in a safe place until the date of the next review.
In some cases, covert cameras installed for one investigation may turn up evidence of other criminal behavior or disciplinary offenses. You should only make use of this where the offence is serious, for example, gross misconduct or misconduct putting others at risk. It would be unfair to use evidence obtained covertly for minor disciplinary matters.
In some cases, covert monitoring may be covered by the Regulation of Investigatory Powers Act 2000 or the Regulation of Investigatory Powers (Scotland) Act 2000 (RIPA / RIPSA). You may wish to seek advice.
Monitoring your workforce
When you install CCTV in a workplace, such as a shop, it is likely to capture pictures of workers, even if they are not the main subject of surveillance. If the purpose of the CCTV is solely to prevent and detect crime, then you should not use it for monitoring the amount of work done or compliance with company procedures.- Have the cameras been installed so they are not directed specifically to capture images of workers?
- Are the recorded images viewed only when there is suspected criminal activity, and not just for routine monitoring of workers? Cameras installed for preventing and detecting crime should not be used for non-criminal matters.
- Are images of workers used only if you see something you cannot be expected to ignore, such as criminal activity, gross misconduct, or behaviour which puts others at risk?
- If these images are used in disciplinary proceedings, is the footage retained so that the worker can see it and respond? A still image is unlikely to be enough.
Example: You suspect that your workers are stealing goods from the store room. It would be appropriate to install CCTV in this room, as it will not involve continuous or intrusive monitoring and is proportionate to the problem.
Example: You suspect that your workers are making mobile phone calls during working hours, against company policy, and you consider installing CCTV cameras on their desks to monitor them throughout the day. This would be intrusive and disproportionate. Continuous monitoring should only be used in very exceptional circumstances, for example where hazardous substances are used and failure to follow procedures would pose a serious risk to life.
- Is CCTV limited to areas which workers would not expect to be private? CCTV should not be used in toilet areas or private offices.
- Are workers made aware that the CCTV is for staff monitoring and how it will be used? How are visitors informed that CCTV is in operation?
- If CCTV is used to enforce internal policies, are workers fully aware of these policies and have they had sufficient training?
- Do you have procedures to deal appropriately with subject access requests from workers?
- Is this an exceptional circumstance, and is there is reason to suspect criminal activity or equivalent malpractice?
- Will the cameras only be used for a specific investigation, and will they be removed once the investigation is complete?
- Would it prejudice the investigation to tell workers that cameras are being used?
- Have you taken into account the intrusion on innocent workers?
- Has the decision been taken by senior management?
In some cases, covert cameras installed for one investigation may turn up evidence of other criminal behavior or disciplinary offenses. You should only make use of this where the offence is serious, for example, gross misconduct or misconduct putting others at risk. It would be unfair to use evidence obtained covertly for minor disciplinary matters.
In some cases, covert monitoring may be covered by the Regulation of Investigatory Powers Act 2000 or the Regulation of Investigatory Powers (Scotland) Act 2000 (RIPA / RIPSA). You may wish to seek advice.
33 comments:
Any data for Employment Law Versus Human Rights Law - CCTV Cameras / CCTV system
As i think this info can used in globally not your India...
great good job ahead.
The Data Protection Act CCTV Code of Practice Revised Edition 2008 provides clear guidance on how a CCTV System is to be operated in-conjunction with The Data Protection Act 1998 and also to help build and maintain public confidence in CCTV Systems that both installers and operators are operating to a common code.
This Code of Practice contains legal enforceable standards to ensure compliance with the act.
The revised 2008 Edition will assist you in deciding to utilise CCTV or not, ensuring effective administration of the system, selecting and siting of cameras, using the equipment, looking after the recording material and using the images and also disclosure.
The Code is not intended to apply to:
Targeted and intrusive surveillance activities that can only be issued in specified circumstances by the intelligence agencies, police or customs.
Surveillance used by employers to monitor employees' compliance with their employment contracts.
Home security.
Cameras used by the broadcast media for journalistic, artistry or literary purposes.
The introduction of the Data Protection Act means that most CCTV installations designed to provide either crime prevention, crime detection or to enhance the safety of the public will now have to comply with the requirements of the Act.
The Act applies to commercial and public CCTV systems only, so if your system is for your own private residence you do not need to comply with it.
If your CCTV system includes a video recorder (analogue or digital), it is now a legal requirement that you operate the system in accordance with the Data Protection Act.
Basic Requirements of the Act
You display warning signs to show that CCTV cameras are recording
You log all of your recordings, as well as who changes tapes and when
You label each tape
You keep all your recorded tapes and video recorders secure
Deciding whether to use CCTV or continue using CCTV
Using CCTV can be privacy intrusive, as it is capable of putting a lot of law-abiding people under surveillance and recording their movements as they go about their day to day activities. You should carefully consider whether to use it; the fact that it is possible, affordable or has public support should not be the primary motivating factor. You should take into account what benefits can be gained, whether better solutions exist, and what effect it may have on individuals.
Example: Cars in a car park are frequently damaged and broken in to at night. Consider whether improved lighting would reduce the problem more effectively than CCTV.
You should consider these matters objectively as part of an assessment of the scheme’s impact on people’s privacy. This does not have to be an extensive or time-consuming process in all cases. The extent of assessment necessary will depend on the size of the proposed scheme and the level of impact it is likely to have on people’s privacy1.
You should use the results of the impact assessment to determine whether CCTV is justified in all the circumstances and if so how it should be operated in practice.
The things to cover in any impact assessment include:
What organisation will be using the CCTV images? Who will take legal responsibility under the Data Protection Act (DPA)?2
What is the organisation’s purpose for using CCTV? What are the problems it is meant to address?
What are the benefits to be gained from its use?
Can CCTV technology realistically deliver these benefits? Can less privacy-intrusive solutions, such as improved lighting, achieve the same objectives?
Do you need images of identifiable individuals, or could the scheme use other images not capable of identifying the individual?
Will the particular equipment/system of work being considered deliver the desired benefits now and remain suitable in the future?
What future demands may arise for wider use of images and how will you address these?
What are the views of those who will be under surveillance?
What could you do to minimise intrusion for those that may be monitored, particularly if specific concerns have been expressed?
Where the system will be operated by or on behalf of a public authority, the authority will also need to consider wider human rights issues and in particular the implications of the European Convention on Human Rights, Article 8 (the right to respect for private and family life). This will include:
Is the proposed system established on a proper legal basis and operated in accordance with the law?
Is it necessary to address a pressing need, such as public safety, crime prevention or national security?
Is it justified in the circumstances?
Is it proportionate to the problem that it is designed to deal with?
If this is not the case then it would not be appropriate to use CCTV.
1 If you are establishing a large system, or considering a use of CCTV which could give rise to significant privacy concerns, you may wish to consider using the ICO’s Privacy impact assessment handbook.
2 If CCTV is used by a business or organization, then it is the body that is legally responsible under the DPA (the “data controller”), not an individual member of staff.
The Data Protection Act 1998: data protection principles
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Personal data shall be accurate and, where necessary, kept up to date.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Personal data shall be processed in accordance with the rights of data subjects under this Act.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Thanks all Anonymous...........
Considering the pressing need for video surveillance to address national security issues, India surprisingly has no laws on the same. In this regard, India needs to draw from the experience of the United Kingdom and Canada. The first step is to enact laws permitting video surveillance. These laws should be tightly worded and strictly connoted, considering the encroachment on civil liberties.
CCTV schemes that process data about a known person are obliged to conform to certain legislation, most importantly the Data Protection Act, 1998 (DPA), the Human Rights Act, 1998 (HRA) and the Freedom of Information Act. BSI’s standards are designed to supplement that legislation. They give recommendations for the operation and management of CCTV and assists owners of CCTV schemes to follow best practices in obtaining reliable information that may be used as evidence.
BS 7958:2009
Closed-circuit television (CCTV). Management and operation. Code of practice
BS 8418:2003
Installation and remote monitoring of detector activated CCTV systems. Code of practice
BS EN 50132-5:2001
Alarm systems. CCTV surveillance systems for use in security applications. Video transmission
January 28 was European Data Protection Day,
Closed circuit television (CCTV) surveillance is an increasing feature of our daily lives. There is an ongoing debate over how effective CCTV is in reducing and preventing crime, but one thing is certain, its deployment is commonplace in a variety of areas to which members of the public have free access. We might be caught on camera while walking down the high street, visiting a shop or bank or traveling through a railway station or airport. The House of Lords Select Committee on Science and Technology expressed their view that if public confidence in CCTV systems was to be maintained there needed to be some tighter control over their deployment and use (5th Report - Digital Images as Evidence).
There was no statutory basis for systematic legal control of CCTV surveillance over public areas until 1 March 2000 when the Data Protection Act came into force. The definitions in this new Act are broader than those of the Data Protection Act 1984 and so more readily cover the processing of images of individuals caught by CCTV cameras than did the previous data protection legislation. The same legally enforceable information handling standards as have previously applied to those processing personal data on computer now cover CCTV. An important new feature of the recent legislation is a power for me to issue a Commissioner's Code of Practice (section 51(3)(b) DPA '98) setting out guidance for the following of good practice. In my 14th Annual Report to Parliament I signalled my intention to use this power to provide guidance on the operation of CCTV as soon as those new powers became available to me. This Code of Practice is the first Commissioner's Code to be issued under the Data Protection Act 1998.
This code deals with surveillance in areas to which the public have largely free and unrestricted access because, as the House of Lords Committee highlighted, there is particular concern about a lack of regulation and central guidance in this area. Although the Data Protection Act 1998 covers other uses of CCTV this Code addresses the area of widest concern. Many of its provisions will be relevant to other uses of CCTV and will be referred to as appropriate when we develop other guidance. There are some existing standards that have been developed by representatives of CCTV system operators and, more particularly, the British Standards Institute. While such standards are helpful, they are not legally enforceable. The changes in data protection legislation mean that for the first time legally enforceable standards will apply to the collection and processing of images relating to individuals.
This Code of Practice has the dual purpose of assisting operators of CCTV systems to understand their legal obligations while also reassuring the public about the safeguards that should be in place. It sets out the measures which must be adopted to comply with the Data Protection Act 1998, and goes on to set out guidance for the following of good data protection practice. The Code makes clear the standards which must be followed to ensure compliance with the Data Protection Act 1998 and then indicates those which are not a strict legal requirement but do represent the following of good practice.
Before issuing this Code I consulted representatives of relevant data controllers and data subjects, and published a draft copy of the Code on my website. I am grateful to all those consultees who responded and have taken account of their comments in producing this version.
Our experience of the Codes of Practice which were put forward under the 1984 Act was that they needed to remain relevant to the day to day activities of data controllers. They need to be 'living' documents, which are updated as practices, and understanding of the law develops.
This code will therefore be kept under review to ensure that it remains relevant in the context of changing technology, use and jurisprudence. In this context it is likely that the Human Rights Act 1998, which comes into force on 2 October 2000, and provides important legal safeguards for individuals, will lead to developments in legal interpretation which will require review of the Code.
It is my intention that this Code of Practice should help those operating CCTV schemes monitoring members of the public to do so in full compliance of the Data Protection Act 1998 and in adherence to high standards of good practice. There does seem to be public support for the widespread deployment of this surveillance technology, but public confidence has to be earned and maintained. Compliance with this Code will not only help CCTV scheme operators' process personal data in compliance with the law but also help to maintain that public confidence without which they cannot operate.
Kind Attn: demello
There are No such Act in india for CCTV.
The Information Technology Act of 2000 is India's principal law relating to information technology usage and information security in the country. Till recently the Information Technology Act was mostly vague and ineffective with reference to its treatment of information security. One of the key missing ingredients in the law was the protection of sensitive personal information, a description of reasonable security measures for protection of sensitive information, and penalties for companies neglecting to secure sensitive personal information.
On 11th April 2011, the government of India released a new set of rules as part of the Indian IT Act. These rules are specifically meant to address the reasonable security practices that are to be adopted by anybody corporate, business entity.
The Act defines sensitive personal information or SPI as personally identifiable information like a person's name in conjunction with other information like password, financial information like bank account information, credit card information, medical information and history and biometric information among others.
One of the most important sections of these rules are the rules relating to collection of sensitive information. The rules specify that whenever sensitive personal information is collected from a person by a corporate body, the person is duly informed of the reason for collection of information, the intended recipients of the information and the names of the agencies collecting and retaining the said information. The rules also mandate the need to not store information longer than necessary or lawfully required. The rule also requires that the corporate body should also provide the option to the person of not providing the sensitive personal information.
One of the most controversial aspects of these rules is related to the disclosure of information. The last clause of this section was highly opposed; forcing the government to withdraw it. The last clause stated that a third party receiving sensitive information from a corporate body shall not disclose it further.
The rules relating to collection and disclosure of sensitive personal information attracted severe reactions from the BPO industry and other service providers; including hosting providers, as they are constantly receiving sensitive personal information of individuals and business from their clients who are the actual owners of the data, disclosing it to their service providers. However, on the 24th of August, the government issued a clarification stating that the companies providing services to other companies relating to storage, processing and handling of sensitive personal information, are not subject to the rules of collection and disclosure of information. In fact, these rules would continue to apply to companies that directly collected the information from the individual.
Cont...
The section of the act that has been least debated - but in my opinion the most significant - relates to the issue of data protection and ‘reasonable security measures'. The rules mention that the entity should take reasonable measures to ensure that the sensitive personal information stored, processed and transmitted by them is secure against internal and external threats. The rules have specified adopting a documented information security program encompassing technical security (networks, applications, endpoints, servers, etc), managerial and physical security measures. The rules go on to specify that in the event of a breach, the entity must be able to demonstrate the effective working and documentation of these security controls. The rules have also indicated that the ISO-27001 is a standard that can be used to meet the requirements of the rules.
In my experience, this is the most critical rule that should have most companies shaking in their boots, quite simply because the security implementation that is present in most companies, large or small is quite poor and wanting for a great deal of monitoring, management and in some cases, a start. These rules apply to any corporate body (any entity) storing, processing or transmitting an individual's sensitive personal information. This could very well apply to any organization, because they have employees and/or customers where they would be storing, processing and transmitting sensitive personal information. In case of an information security breach, they would be liable under a court/government order to demonstrate effectiveness of security measures and documentation. ISO-27001 is not a panacea against these rules.
ISO-27001 is an information security framework. It is a framework of information security requirements against which the organization maps its controls. It is a self-directed compliance by the organization which is derived from the organization's understanding of its risks. Most organizations don't perform an effective risk assessments. Which means sensitive personal information of Individuals in many cases doesn't appear as a critical information asset that has to be protected. So, by that margin, even an entity that is ISO-27001 certified may not be able to avail of a ‘safe harbour' clause just by being ISO certified.
JAPAN ACT:
The Constitution of Japan does not contain any express provisions guaranteeing the right to privacy. Till 2003, even statutory law in the field of data protection was nonexistent and the Government followed a policy of self regulation. It was only in 2003 that the Japanese Parliament enacted the Protection of Personal Information Act. The law underlying privacy in Japan protects only personal information that is obtained and held by administrative agencies, and private agencies.It seeks to set forth penal provisions in order to curb leakage of personal information by the government. The subsequent amendments to this act have widened its scope to cover data that is paper based as well as computerized. Therefore, it can be said that the instant legislation is broad enough to encompass video surveillance data as well.
In this regard it is set forth that there exist no consolidated law to govern video-surveillance systems. Nevertheless, Japan uses video surveillance systems in order to assist the law enforcement agencies. The National Police Agency uses a video surveillance system called the “N system” in order to record license plate numbers of vehicles on roads, highways etc. This facilitates effective and efficacious law enforcement in Japan. Furthermore, Tokyo police have been operating surveillance cameras on utility poles and buildings to monitor pedestrians in the several densely populated districts of the city. However, this mechanism has been challenged severely by litigants and many privacy groups in the court of law.
AUSTRALIA ACT:
Neither the Australian Federal Constitution nor the Constitutions of the six States and two Territories contain any express provisions relating to privacy. However, there are several State and Federal privacy Laws governing specific sectors and aspects. The primary Federal statute is the Privacy Act of 1988 (PA). This statute was enacted in a bid to give effect to Australia‟s commitment to the International Covenant on Civil and Political Rights and the Organization for Economic Cooperation and Development (OECD). There are four key areas of application of the Act out of which only two are relevant in the context of video surveillance. The first is the eleven Information Privacy Principles (IPPs), based on the OECD Guidelines. These principles are applicable to federal government agencies. The second is the National Privacy Principles (NPP) which regulate private sector organizations. However, private organizations can set forth their own “code of practice” and get it approved by the Privacy Commissioner as long as it does not go against the broad framework laid down by the NPPs.
Apart from the PA, each state or territory may have its own laws or practices regarding video surveillance. For instance, covert video surveillance in New South Wales is governed by the Workplace Video Surveillance Act 1998. The Government of New South Wales also published a report on CCTV in public places. Similarly, Victoria is governed by the Surveillance Devices Act 1999 and Western Australia by the Surveillance Devices Act 1998. However, South Australia, Tasmania, Northern Territory and Australian Capital Region have no legislation dealing with the use of video surveillance
UNITED STATES OF AMERICA:
Statutory laws governing the regulation of video surveillance in America are scarce. While there are some State Laws which regulate aspects of public video surveillance, there are virtually no Federal Laws which directly deal with it. However, video surveillance implicates certain constitutional doctrines – especially the First and the Fourth Amendments. Although it cannot be denied that the liberties enshrined by these amendments can be severely affected by continuous surveillance, so far, the American courts and jurisprudence on the subject have been very permissive. Another important directive is the “Fair Information Practices‟ (FIP) originating from the recommendations written by the United States Government which provide certain rights to individuals with respect to the use and dissemination of personal information. Although these guidelines do not have the force of law, they can prove to be a valuable guide for the treatment of any governmental-held record containing personally identifiable information. The rights of individuals listed by the FIP, in their most basic form, have been given below:
“Notice and awareness of the purpose of data collection, and how such information is used;
Consent to the collection of personal information, and choice concerning how it is used;
Access to and participation in the process of data collection and use, including the right to correct errors;
Integrity and security adequate to protect the information against loss or misuse;
Redress and accountability for injury resulting from loss or misuse of personal information.’
Also, the American Bar Association, in 1999, published standards for technologically-assisted physical surveillance, including video surveillance. Some of the key points of these guidelines are given below:
While regulating the use of video surveillance for law enforcement purposes, certain factors should be kept in mind. For example, the nature of the law enforcement objective or objectives sought to be achieved, the extent to which the surveillance will achieve the law enforcement objectives, the nature and extent of the crime involved etc.
The extent to which the surveillance invades privacy should be assessed. While conducting such an assessment, care should be taken to enhance the privacy of the location being surveilled by taking into consideration the nature of the place, activity, condition, or location to be surveilled.
Alternate measures should be preferred over video surveillance in order to maintain a balance between the right to privacy and the need for surveillance.
Notice of the surveillance should be given when appropriate.
The scope of the surveillance should be limited to its authorized objectives and be terminated when those objectives are achieved
CANADA:
Canada has two federal laws which deal with privacy – the Privacy Act, 1985 and the Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA). The former protects privacy rights by limiting the collection, use and disclosure of personal information by federal government departments and agencies. The latter deals with the collection, use and disclosure of personal information by private sector organizations. In addition to these two legislations, every province or territory has their own privacy legislations. A Privacy Commissioner is appointed to receive and investigate complaints filed by Canadian citizens pertaining to allegations of violation of the Acts. They also conduct research into privacy issues and promote awareness. The Privacy Commissioner reports directly to the House of Commons and the Senate. Every province or territory may also have its own commissioner or ombudsman authorized to investigate complaints. The Office of the Privacy Commissioner of Canada (OPC) published two sets of guidelines in order to define and circumscribe the use of video surveillance and ensure that the impact on privacy is minimized. The first set of guidelines is meant to guide the regulation of video surveillance (by law enforcement agencies) in public spaces i.e. in places where there is free and unrestricted access to everyone. These guidelines were drawn up after extensive discussions between the OPC and the Royal Canadian Mount Police (RCMP). However, these guidelines are to be considered merely as an aid and notwithstanding anything stated in the guidelines, the RCMP has the right to carry out its functions as it deems fit. Some of the important pointers are:
1. Video surveillance should only be used to address a “real and pressing problem” which is of sufficient in magnitude so as to warrant the overriding of the privacy rights of citizens. Hence, there should be “real and verifiable” instances of crime or concern for public safety.
2. Video surveillance should be conducted only as a last resort i.e. in circumstances where there in no other less privacy-intrusive alternative.
3. A “Privacy Impact Assessment” should be conducted beforehand to assess the degree of interference that will result due to the video surveillance.
4. Relevant stakeholders (for example: members of the communities that will be affected by the surveillance systems) should be considered before arriving at a decision.
5. Video surveillance must comply with all applicable laws including over arching laws such as the Canadian Charter of Rights and Freedoms.
6. The video surveillance should be conducted in such a way that impact on the privacy rights of citizens in minimized. For example, limited use of video surveillance (e.g., for limited periods of day, public festivals, peak periods) should be preferred to always-on surveillance if it will achieve substantially the same result.
7. The public should be informed that they are under surveillance. Clear signs should be put up mentioning the perimeter of the surveillance areas, the person responsible for surveillance and his contact details in case of any queries.
8. Security of the equipment and images should be assured.
9. People whose images are recorded should be able to request access to their recorded personal information
Cont....
The second set of guidelines is with respect to video surveillance in private sector organizations. These Guidelines apply to overt video surveillance of the public by private sector organizations in publicly accessible areas. These Guidelines do not apply to covert video surveillance nor do they apply to the surveillance of employees.
1. “Determine whether a less privacy-invasive alternative to video surveillance would meet your needs.
2. Establish the business reason for conducting video surveillance and use video surveillance only for that reason.
3. Develop a policy on the use of video surveillance.
4. Limit the use and viewing range of cameras as much as possible.
5. Inform the public that video surveillance is taking place.
6. Store any recorded images in a secure location, with limited access, and destroy them when they are no longer required for business purposes.
7. Be ready to answer questions from the public. Individuals have the right to know who is watching them and why, what information is being captured, and what is being done with recorded images.
8. Give individuals access to information about themselves. This includes video images.
9. Educate camera operators on the obligation to protect the privacy of individuals.
10. Periodically evaluate the need for video surveillance.”
EUROPEAN UNION
The Data Protection Directive1of 1995 (“the Directive”)[1] was issued by the European Union (“EU”) in order to regulate the processing and free movement of personal data. In pursuance with this Directive, every country of the EU has passed a legislation to govern the protection of personal data. In this regard, the United Kingdom (“UK”) enacted the Data Protection Act (“DP”) in 1998 and the same was bought into force in the year 2001.
The DPA sets forth eight Data Protection Principles (DPP) in order to protect personal data in the public sphere. Although video surveillance has not been explicitly referred to in the legislation, the definition given by the DPA is broad enough to encompass it. The application of these principles to video surveillance has been made explicit through the publication of the CCTV Code of Practice (CoP) by the Information Commissioner. The CoP does not apply to surveillance cameras used for household purposes. Images captured for recreational purposes, such as with a camera, video recorder etc are also exempt. The main features of the CoP have been summarized below:
It is important to ascertain who has the responsibility for the control of the images i.e. deciding what is to be recorded, how the images should be used and to whom they may be disclosed. The body which makes these decisions is called the data controller and is responsible for the compliance with the DPA. The body has to notify the Information Commissioner as to who the data controller is.
An Impact Assessment should be done in order to evaluate the scheme‟s impact on the privacy rights of the public. While conducting such an assessment, the data controller should take into account what benefits can be gained, whether better solutions exist, and what effect it may have on individuals. The results of the assessment should be used to determine whether video surveillance is justified and if so, how it should be operated.
The camera equipment should be chosen so as to fulfill the purposes for which the surveillance is being carried out. They should have the necessary technical specification so that the images are of appropriate quality. The cameras should be positioned in such a way that only those areas which are intended to be the subject of surveillance are covered.
Viewing of live feed should be restricted to authorized personnel only. The data controller should try and protect the images from public view. Disclosure of recorded images should also be controlled and limited to the purpose for which the surveillance was set up. All other requests for viewing images should be considered carefully and balanced against the privacy rights of other individuals who may be affected by the disclosure of the images.
The DPA does not prescribe any minimum or maximum period of retention. That should be ascertained keeping in mind the purpose for which the surveillance system was set up. However, the images should not be kept for longer than is strictly necessary.
There should be prominently placed signs to let people know that they are in an area which is under video surveillance. This can be supplemented by an audio announcement in places where public announcements are already being used, such as in stations. Systems in public spaces and shopping centers should have signs giving the name and contact details of the company, organisation or authority responsible
Staff operating the system need to be aware of the rights of the individual under the DPA.
• “1998 Act” means the Data Protection Act 1998.
• “2000 Act” means the Regulation of Investigatory Powers Act 2000.
• “2012 Act” means the Protection of Freedoms Act 2012.
• “Overt surveillance” means any use of surveillance for which authority does not fall under the 2000 Act.
As the new code comes into force, we answer some frequently asked questions about who will be impacted and what you'll have to do.
To whom does the Surveillance Code of Practice apply?
The code applies only to public bodies such as the police and local governments in England and Wales. Private companies are not bound by it, but they are encouraged to use it as guidance in operating their own systems.
Why has the code been introduced?
The code was introduced under the 2012 Protection of Freedoms Act 2012. The act included a provision for a new surveillance camera commissioner, who would help draft the code, review its operation, and provide advice.
The government wanted to address concerns over the potential for misuse of video surveillance in public places. It also wanted to help engender a culture of "surveillance by consent."
Who is the surveillance camera commissioner
The first commissioner is Andrew Rennison, who is also the government's forensic science regulator. Before that, he was the interim CCTV regulator.
Who will enforce the code?
The surveillance camera commissioner has no enforcement or inspection powers, so public bodies will be expected to be self-regulating. Rennison told an IFSEC International audience in May that he was not worried self-regulation would fail.
The ministers wanted a light-handed regulation. Those that have regard to the Code will have no liability. However, I can comment that anyone who is under this code are people of integrity, so I am not worried about it.
What punishment could breachers face?
The law does not contain any criminal consequences for authorities that fail to comply with the code. A failure to comply will not make a person or authority liable to either criminal or civil proceedings. However, the code is admissible in evidence, so it could be used to show that video surveillance images had been obtained in breach of the code.
How does the code define a surveillance camera system?
The surveillance camera commissioner has kept the definition of a surveillance camera system deliberately vague, because changes in technology could leave any definition outdated. In the response to consultations, the Home Office wrote:
Technological advance will continue, and is expected to move rapidly. As a consequence, there is the risk that new technology, which may have a greater potential to interfere with the right to privacy, could fall outside the scope of a detailed definition.
However, in general the code refers to any camera system that overtly monitors a public place, including body-worn cameras and automatic number place recognition systems. It does not cover covert surveillance systems. If there is any doubt as to whether a specific technology is within the scope of the code, people are encouraged to consult the surveillance camera commissioner for advice.
Cont Previous comment;
What are the chances of the code being broadened to include private companies?
Pretty slim. Although private companies and individuals are being advised to use the code as the basis for operating their own video surveillance systems, the government's ongoing Big Society strategy precludes the idea of increased regulation in this space. However, some individuals and groups, including Big Brother Watch, are still campaigning for the code to apply to all CCTV cameras. As it is, the Surveillance Camera Code of Practice applies only to about 3 percent of CCTV cameras in the UK.
How do I contact the surveillance camera commissioner?
The Office of the Surveillance Camera Commissioner can be reached at SCC@homeoffice.gsi.gov.uk.
A new code of practice for the use of surveillance cameras in England and Wales has come into force.
The new rules - introduced by the British Home Office - state that CCTV cameras should be used to protect and support people, not to spy on them.
The code states that: 'The purpose will be to ensure that individuals and wider communities have confidence that surveillance cameras are deployed to protect and support them, rather than spy on them.
'The Government considers that wherever overt surveillance in public places is in pursuit of a legitimate aim and meets a pressing need, any such surveillance should be characterised as surveillance by consent.'
But campaigners say the code does not go far enough in ensuring CCTV systems are not misused.
Emma Carr, from civil liberties group Big Brother Watch, told Sky News: 'We're getting an increasing amount of phone calls and letters from people who are concerned about their neighbours putting up CCTV cameras in their gardens, which cover their own private areas and sometimes look into their houses.
'And then there's also the technological development in terms of CCTV. Facial recognition and HD CCTV cameras. These are all available online to pretty much anybody.'
Britain's first town centre CCTV system was installed in King's Lynn in 1987.
Since that time the use of CCTV and Automatic Number Plate Recognition (ANPR) in England and Wales has grown rapidly.
Some 51,600 CCTV cameras are controlled by local authorities, while 2,107 schools operate a further 47,806 cameras.
http://www.skynews.com.au/tech/article.aspx?id=895923
Amazing post. Thanks for sharing.
Ener-J WiFi Indoor IP Camera
Thanks for sharing CCTV bus solutions in dubai
THANKS FOR SHARING SUCH A AMAZING CONTENT
GREAT PIECE OF WORK!!!
REALLY APPRECIATE YOUR WORK!!!
best hd cctv in dubai
Totally agree with the post. CCTV cameras are very important. It will also help in avoiding the crime. We are safety signs dealers which also make cctv sign stickers. Thanks for the wonderful post.
Intercom System Accessories are stand-alone voice communications systems. An intercom system is a device that contains a circuit that is used for transmitting and receiving audio or video. The intercom systems are available in different varieties depending upon the placement and usage of the intercom systems such as office intercoms systems, apartment entry systems, and window intercom systems, etc. Unikcctv provides all types of Intercom systems for offices and societies with industry-best products as well as installation services.
The European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018. The motive behind introducing such a regulation was to provide data subjects with more control over their personal data.
cctv policy template
Your post is very informative! Thanks for sharing it! If you're looking for the best CCTV Installation Services in Abu Dhabi, I suggest you to go for Swiftit.ae,where you will get all kinds of it solutions in one round. Do check it out!
Post a Comment