CCTV & Data Protection

Images of a living individual recorded by CCTV cameras are considered personal information about that individual. The processing of the images should be in compliance with the Data Protection Act 1998 which was extended from the Data Protection Act 1984 (which was repealed on 1st March 2000) to cover all types of records which contain information about individuals.

The Act consists of  8 principles of good information handling and personal data is entered onto a register controlled by the Information Commissioner.

 The 8 principles require that:

1. Personal data is processed fairly and lawfully and in particular shall not be processed unless at least one one of the conditions in Schedule 2 of the DPA is met. In the case of sensitive personal data such as medical conditions, commission or alleged commission of an offence, at least one of the conditions in Schedule 3 of the DPA is also met;
2. Personal data is processed only for one or more specified and lawful purposes and shall not be processed in any manner which is incompatible with those purposes;
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose (or purposes) for which they are processed;
4. Personal data shall be accurate and where necessary, kept up to date;
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that (or those) purposes;
6. Personal data shall be processed in accordance with the rights of the data subject under this Act;
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of (or damage to), personal data;
8. Personal data shall not be transferred to a third country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of that data.

WHO IS THE DATA CONTROLLER?

Part of the answer supplied to Leasehold Life by the ICO concerned Section 5 of the CCTV Code of Practice 2008:

Establishing a clear basis for the handling of any personal information is essential and the handling of images relating to individuals is no different. It is important to establish who has responsibility for the control of the images, for example deciding what is to be recorded, how the images should be used and to whom they may be disclosed. The body which makes these decisions is called the Data Controller and it is legally responsible for compliance with the DPA.

More Than One Organisation

If two organisations are used then each should know its responsibilities and obligations. If both make decisions about the purposes and operation of the scheme, then both are responsible under the DPA. This may be the case, for example, where the police have a ‘live feed’ from a local authority-owned camera.

1. Who has responsibility for control of the images and making decisions on how these can be used? If more than one body is involved have responsibilities been agreed and does each know its responsibilities?
2. Has the body (or have the bodies) responsible notified the Information Commissioner's Office (ICO) that they are the data controller?
3. Does the notification cover the purposes for which the images are used, the disclosures that are made and other relevant details?
4. If someone outside your organisation provides you with any processing services, for example editing the images, is a written contract in place with clearly defined responsibilities? This should ensure that the images are only processed in accordance with your instructions. The contract should also include guarantees about security, such as storage and the use of properly trained staff.

Clear procedures will also need to be established to determine how the system is used in practice:

1. Are there clearly defined and specific purposes for the use of images, and have these been communicated to those who operate the system?
2. Are there clearly documented procedures, based on this code, for how the images should be handled in practice? This could include guidance on disclosures and how to keep a record of these.
3. Have these been given to appropriate people?
4. Has responsibility for ensuring that procedures are followed been allocated to an appropriate named individual? They should ensure that standards are set, procedures are put in place to meet these standards and they should make sure the system complies with this code and with legal obligations such as an individual’s right of access.
5. Are proactive checks or audits carried out on a regular basis to ensure that procedures are being complied with? This can be done either by you as the system operator or a third party.

The ICO then went on to advise that as can be seen, the Data Controller would be the organisation responsible for making decisions about the processing of the images. If this is our freehold RMC then they may, as Data Controller allow other oganisations, such as the company installing the CCTV or the managing agent, to process the images on their behalf, under contract, as data processors. In this the freehold RMC would remain data controllers and be responsible under the DPA for any processing of the images.

In finishing they advised particular attention be paid to to Section 9 of the CCTV Code of Practice 2008:

You must let people know that they are in an area where CCTV surveillance is being carried out. The most effective way of doing this is by using prominently placed signs at the entrance to the CCTV zone and reinforcing this with further signs inside the area.

Clear and prominent signs are particularly important where the cameras themselves are very discreet, or in locations where people might not expect to be under surveillance. As a general rule, signs should be more prominent and frequent where it would otherwise be less obvious to people that they are on CCTV.
In the exceptional circumstance that audio recording is being used, this should be stated explicitly and prominently.

Signs should:

1. Be clearly visible and readable;
2. Contain details of the organisation operating the system;
3. The purpose for using CCTV;
4. Who to contact about the scheme (where these things are not obvious to those being monitored, i.e. the name and contact details of the organisation responsible); and
5. Be an appropriate size depending on context, for example, whether they are viewed by pedestrians or car drivers

NOTIFIYING THE ICO

The Data Protection Act 1998 requires every data controller who is processing personal information to register with the ICO, unless they are exempt.

To demonstrate who is the contact operator our signs have www.whoiswatchingme.org and on completion the Scheme ID will provide further information.

SUMMARY

Data protection legislation ensures that personal data is not processed without the knowledge and consent of the person on whom the data is held (except in certain cases). Legislation enforces a set of standards for both the accuracy and the processing of such information.

Data Protection can however often be a somewhat contentious issue because it is often used as a blanket response to the most reasonable requests for information. The ICO on the other hand state that where the request is made for legitimate reasons, the Data Protection Act wiill not prevent the disclosure of such information.