|
|
DATA PROTECTION GUIDANCE ON CCTV
INTRODUCTION
The increasing power and use of information technology and its concomitant ability to collate and store increasing amounts of personal data led to the introduction of the Data Protection Act l984. This Act places obligations and responsibilities on people and organisations who hold and use personal data in order to balance the privacy of the individual with the advantages that information technology creates for every member of society. Similar concerns have been raised with the increasing use of closed circuit television (CCTV). This technology has been hailed as an important asset in many areas such as in the fight against crime, but has also led to fear of encroaching surveillance. However, although some developments in the sophistication of the technology brings some elements of CCTV within the provisions of the Data Protection Act, for the most part CCTV is unregulated.
However, this position is likely to change in the very near future for two reasons:-
a) the rapidly advancing sophistication of the technology itself means that it will soon fall within the definitions and provisions of the Data Protection Act l984;
and
b) By October l998 the UK's legislation will have to be amended to take into account the requirements of a European Directive on Data Protection which seeks to regulate the increasing use of recorded sound and image data.
Therefore, the Registrar recommends that people and organisations who wish to set up CCTV systems take into account these requirements now rather than having to amend their practices at a later but inevitable date, thus it is recommended that Codes of Practice on use will help ensure compliance with the Data Protection Act l984. A Code of Practice is particularly significant for a multi-agency project or partnership because it can set out responsibilities and obligations in relation to the system thus assisting in resolution of any future dispute about such matters.
1. DOES THE DATA PROTECTION ACT 1984 APPLY TO MY CCTV USE?
As mentioned above, not all CCTV technology will be covered by the definitions in the Data Protection Act l984. In order to ascertain whether your own system falls within those provisions and therefore needs to be registered, ask yourself the following questions:-
I) Am I Collecting Data?
For the purposes of the Data Protection Act l984 (hereinafter DPA), "data" has a specific meaning:-
"'data' means information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose"
It should be noted that this definition is not limited to information processed by computer, but extends to other types of equipment which respond to instructions thus the recording of images on video tape or disc via the medium of a camera and video is no different from conventional methods of recording and storing data on magnetic media in computers. Therefore all CCTV systems, which record images, will be collecting data.
II) Am I collecting Personal Data?
Again "personal data" has a specific definition for the purposes of the Data Protection Act l984:
"means data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the data user) ..."
Thus only information about individuals who can be identified will be covered by the Act. If the person collecting the information can identify individuals from a combination of the recorded information and information they have elsewhere in their possession, then that too will fall within the definition of "personal data". Thus it may be that the images that are being recorded will come within the term "personal data":-
a) If your CCTV system records images of unknown individuals eg records images of a street scene, then your system may still be collecting "personal data", but it will not need to be registered unless that data is processed by reference to the individual (see later).
b) If you have introduced your CCTV system in order to monitor employees' behaviour and activities, and the images relate to them, then because your staff are known to you, that will constitute "personal data" and your system may need to be registered.
c) If your system records image of unknown people, can you identify those people by cross-referencing the image with other information you have in your possession? For example at football stadia cameras can focus on one individual in one seat - at that point, that person is unidentified. However, their identity may become known when the seat number is matched against a list of season ticket holders. In that case your system does record personal data, and it may need to be registered.
d) If your system records images of unknown people in an area where an incident occurs, can you identify the images of any of those involved in the incident? It may be that you cannot identify the perpetrator(s) of the incident, but you will be able to identify the victim or the witnesses. In that case, your system will be recording personal data even though the focus of attention of the system is, in fact, an unknown individual.
III) Is the Personal Data Automatically Processed by Reference to the Individual?
The Act defines processing as:-
"amending, augmenting, deleting or re-arranging or extracting the information constituting the data"
Although this definition does not specifically refer to operations such as transmission, display or printing of the information contained in the data, in order to
perform these operations, extraction must have taken place, and therefore the data must have been processed.
The Act requires that the equipment used to record or store the personal data must be capable of responding to instructions which require it to locate and process information about the individual. Thus a CCTV system will only fall within the provisions of the Act if it can automatically locate particular information stored on the video tape. Therefore, whether your system will need to be registered will depend on the level of the sophistication of your equipment:-
a) If you can only locate, on the tape, the image of a known person by pressing the fast-forward or rewind buttons on the play-back facility of your equipment, then this will not constitute automatic processing, because in essence you are relying on the human eye to locate the individual.
BUT
b) If your system can be programmed to search for a specific time or frame reference on the tape at which it is known that personal data about a known individual is recorded, then your equipment will be capable of automatically processing.
IF YOU HAVE ANSWERED "YES" TO QUESTIONS I, II AND III, THEN YOUR USE OF A CCTV SYSTEM SHOULD BE REGISTERED WITH THE OFFICE OF THE DATA PROTECTION REGISTRAR.
2. WHAT ARE THE IMPLICATIONS OF REGISTRATION?
If you have answered "yes" to the three questions above, then you should be registered with the Office of the Data Protection Registrar; failure to do so constitutes a criminal offence. Once you have registered, you will be obliged to comply with legally enforceable data protection principles (please see below). It is these principles that you will need to take into account when designing your CCTV system and developing a Code of Practice for its use, thus ensuring compliance with the Data Protection Act.
A. REGISTRATION
When you register your use of a CCTV system you will be required to state the purpose(s) for which you are using it. The Registrar recommends that you are specific about your uses of CCTV and personal data because this will enable you to ensure that the principles are also complied with (see later).
It may be that you are already registered to hold and use personal data for the purposes for which you are proposing to use your CCTV system eg you may already be registered for Personnel/Employee Administration or Crime Prevention, thus it may be that your existing register entry need only be amended to take account of this new category of data that you intend holding. Further guidance on registration is provided in Appendix l.
Return to top
B. THE DATA PROTECTION PRINCIPLES
I) THE FIRST PRINCIPLE
This requires that:-
"information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully"
This has been interpreted to mean that people should be made aware that they are providing personal data about themselves, and that they should be notified of any non-obvious uses or disclosures of that information. Thus appropriately sized signs should be placed in and around the area where CCTV cameras are to be located, notifying people of the existence of the cameras. These signs should also identify the owner/operator of the system so that people can exercise their rights under the Act (see Seventh Principle - the right to subject access). If you are going to publish any material in relation to the CCTV scheme, it should include a description of the purposes for which the information will be obtained and used, and should accurately reflect the uses and disclosures that you are registered for.
In limited and exceptional cases, covert use of cameras (ie use without the appropriate signs) may be justified where the cameras are being used to in an attempt to put a stop to a specific criminal activity involving specific individuals. Section 28 (4) of the Data Protection Act provides an exception to the First Principle, provided it can be shown that to notify the individuals concerned of the existence of the cameras would result in the substantial risk of prejudice to the prevention or detection of crime, or the apprehension or prosecution of offenders. However, this is not a blanket exception which can be used to justify non-compliance with the principle's requirements, unless in the specific circumstances of the exception.
With regards to fair processing, a balance must be struck between the uses of the system and the concerns of the individual. If information is processed or used in a way which is outside the use for which it was intended, and which is detrimental to the individual, then it is likely that that activity will be deemed unfair, for example where CCTV footage, obtained for the purposes of crime prevention and detection, is sold to a commercial film company who use the material in a salacious video.
The First Principle also requires that information be obtained and processed lawfully. This is not limited to a requirement that criminal provisions should not be broken in the obtaining and processing of the data, but has been interpreted to extend to civil law principles such as the law of confidence. For example, cameras in a doctor's surgery would be deemed to be processing data unlawfully if the information was being recorded and made more widely available because this would breach the law of confidence that exists between doctor and patient.
II) THE FOURTH PRINCIPLE
This requires that the personal data stored must be adequate for and relevant to the purpose for which it is to be used. Thus consideration must be given to the situation of the cameras so that they do not record more information than is necessary for the purpose for which they were installed, for example cameras installed for the purpose of recording acts of vandalism in a car park should not overlook private residences. Furthermore, if the recorded images on the tapes are blurred or indistinct, it may well be that this will constitute inadequate data. For example, if the purpose of the system is to collect evidence of criminal activity, blurred or indistinct images from degraded tapes or poorly maintained equipment will not provide legally sound evidence, and may therefore be inadequate for its purpose.
III) THE FIFTH PRINCIPLE
This principle requires that the personal information that is recorded and stored must be accurate. This is particularly important if the personal information taken from the system is to be used as evidence in cases of criminal conduct or in disciplinary disputes with employees. The Registrar recommends that efforts are made to ensure the clarity of the images, such as using only good quality tapes in recording the information, cleaning the tapes prior to re-use and not simply recording over existing images, and replacing tapes on a regular basis to avoid degradation from over-use.
Care should be exercised when using digital-enhancement and compression technologies to produce stills for evidence from tapes because these technologies often contain pre-programmed presumptions as to the likely nature of sections of the image. Thus the user cannot be certain that the images taken from the tape are an accurate representation of the actual scene. This may create evidential difficulties if they are to be relied on either in court or an internal employee disciplinary hearing.
IV) THE SIXTH PRINCIPLE
This principle requires that the information shall not be held for longer than is necessary for the purpose for which it is to be used. In general CCTV systems merely record events; they do not take shots or stills. It is recommended that stills are only taken from the tape when evidence is or may be required of a specific activity and to be used in cases such as the detection and prosecution of offenders or in internal disciplinary proceedings against employees. The tapes that have recorded the relevant activities should be retained until such time as the proceedings are completed and the possibility of any appeal has been exhausted. After that time, the tapes should be erased. Apart from those circumstances, stored or recorded images should not be kept for any undue length of time. A policy on periods for retention of the images should be developed which takes into account the nature of the information and the purpose for which it is being collected. For example where images are being recorded for the purposes of crime prevention in a shopping area, it may be that the only images that need to be retained are those relating to specific incidents of criminal activity; the rest could be erased after a very short period.
V) THE SEVENTH PRINCIPLE
The Data Protection Act l984 gives individuals the right to have access to personal information that is being held about them, and this will include CCTV images. Access must be granted provided that the individual has given sufficient information to identify themselves, and to locate the information or images that they are seeking. For example, it may not be sufficient for an individual to ask for all images recorded on a CCTV system owned by a local authority over for a period of a month. Section 2l (4) (a) of the Data Protection Act l984 enables the data user to request as much information as "he may reasonably require" to locate the information which the individual seeks. Therefore, it may be more appropriate for the individual to specify a place, date and time so that the owner/operator can find the images requested. A copy must be supplied on videotape.
If you cannot supply that information without providing personal information relating to a third party or parties, then that third party information need not be disclosed (although you may choose to disclose it if you want). However, you are entitled to suppress the features of any third parties and this can be done by using the technology to blur their features. The Registrar suggests that it is good practice to suppress the identity of third parties in order to protect their privacy.
VI) THE EIGHTH PRINCIPLE
This requires that
"appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data, and against accidental loss of destruction of personal data".
In order to assess what "appropriate security measures" are, consideration must be given to the nature of the information and the harm that might result from a breach of this principle. As a rule of thumb, the more sensitive the data, the more stringent the security measures required. This means that consideration will have to be given to, amongst others, :-
a) the placement of the technology in the streets.
b) security of the central control room.
c) monitoring of access to the central control room.
d) selection and recruitment of staff.
e) ongoing training in data protection and privacy issues.
f) monitoring of access to recorded material.
g) security of storage of recorded material.
3. CONCLUSIONS
Even where your CCTV system does not fall within the provisions of the Data Protection Act l984, consideration of all the above issues will
a) help form a Code of Practice which will encourage the efficient and effective use of the technology.
b) ensure that your use of the system will put you in a good position for compliance with current and future data protection legislation.
c) instil and maintain public confidence in the use of such systems.
APPENDIX 1
Return to top
REGISTRATION OF CCTV SYSTEMS
If you decide that your use of a CCTV system should be registered, this may be done in one of the following ways:-
1. EXTENSION OF EXISTING USE OF PERSONAL DATA
In some cases, it may be that you are already registered to hold and use the personal data for the purposes for which you are proposing to use your CCTV system. It might be that you are installing CCTV in order to manage staff or employee activity either on the shop or factory floor. If you are already registered to hold personal data for this purpose ie P001 - personnel/employee administration, it may only be necessary to simply amend that existing register entry to indicate an additional data class. Thus in the free text box after the coded section, you might add "sound and/or visual images". Similarly, if you are already registered to use personal data to monitor staff access to and from a building, and you propose to use your CCTV system for the same purpose, an addition to the data class for the relevant register entry would be appropriate. In that case your register entry for P012 should be amended to reflect the new data class of "sound and/or visual images". Furthermore, if you are already registered to hold personal data for the purposes of crime prevention and detection (P058), then the addition to the data class categories may be sufficient.
2. LARGE SCHEMES/TOWN CENTRE SCHEMES
In cases, where it is proposed that the CCTV system will be used to monitor city centre or open spaces, the registration of this use of personal data may become more complex.
The Data Protection Act 1984 requires that the data user registers with the Registrar. The Act defines a data user as a "person" who holds data (see definition from factsheet). This reference to "person" is a reference to a legal person for example a public or private limited company. Thus the person who registers must be a legal person. This can pose problems for CCTV schemes which have been developed by partnerships between local authorities, the police and other organisations. Such partnerships do not necessarily have the legal status required for the purposes of registration. However, this does not mean that they do not have to register., The Act defines a person as "holding" data if that person (either alone or jointly or in common with other persons) controls the contents and use of the data comprised in the collection. Thus if a partnership does not have legal status it may be that the individual organisations or bodies involved in that partnership will have to register as a data user if they exercise control jointly or in common with the others:-
A person "controls data for the purposes of the Act if they have the power to decide what information about an individual should be recorded, whether the information should be added to, amended or deleted, and to what use the recorded information may be put either by the data user or by others.
Where data users share a pool of information, each changing, adding or using the information for its own purposes independently of the other, they will be "data users in common" for the purposes of registration.
Where data users exercise control jointly, then they will obviously be "joint data users" for the purpose of registration.
The second issue which needs to be clarified is the use of that personal data. Most schemes have been designed for the purposes of:-
Prevention and detection of crime
Apprehension and prosecution of offenders
Thus it may be more appropriate for this use of a CCTV system to be registered independently as a purpose rather than using a standard or coded purpose.
Thus this purpose may be registered as:-
Recording and retention of sound and/or visual images for the purposes of monitoring for potential criminal activity, investigating criminal activity and for providing evidence of such activity in legal proceedings.
It should be borne in mind when completing this section, that you should consider the relationship between you as the data user and the individuals about whom you are holding information. Thus this use of a CCTV system may collect images of complainants (S019), witnesses (S020), and offenders and suspected offenders (S021). It may be that these people are also tax payers (S023) or students (S030), but that is not relevant to the purpose for which you are holding personal data on them, and thus these categories do not need to be registered.
In the data class section, the only entry would be in the free text box:-
Sound and/or visual images
Finally, with regard to categories of sources and disclosures, these should be kept as restricted as possible to reflect the limited use of this information. Thus only the following categories may be relevant:-
D101 The Data Subject themselves (source and disclosure)
D105 Employees, agents (source and disclosure)
D107 Legal representatives (disclosure only)
D206 Suppliers, providers of goods and services (source and disclosure)
D341 Police (source and disclosure)
D371 Private detectives, security organisations (disclosure only)
It should be noted that these are only suggested categories for registration. It may be that your use of a CCTV system does not fit easily within any of these categories or within these suggested methods of registration. You may wish to develop your own register entry which you believe more accurately reflects your use of a CCTV system. Further assistance can be obtained from contacting our registration department, see back cover for contact details.
For further information, please contact,
Office Of The Data Protection Registrar
P O Box 66
Water Lane
Wilmslow
Cheshire SK9 5AF
tel: 01625 545700
http://www.dataprotection.gov.uk
A Model Code of Practice for CCTV Use is available from:-
The Local Government Information Unit
l-5 Bath Street
London
EClV 9QC
Telephone number: 0l7l-608-l05l
Return to top
|
|
|
