The Data Protection Act & CCTV

The Data Protection Act 1998 is based on the following Eight Principles:

Section 4(4) of the Data Protection Act 1998 places all Data Controllers under a duty to comply with the Eight Principles of Data Protection.

As a quick reference guide:

First Principle

Personal data shall be processed fairly and lawfully, and, in particular, shall not be processed unless

a.At least one of the conditions of Schedule 2 is met, and

b.In the case of sensitive personal data, at least one of the conditions of Schedule 3 is also met.

Second Principle

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes

Third Principle

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed

Fourth Principle

Personal data shall be accurate and, where necessary, kept up to date

Fifth Principle

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes

Sixth Principle

Personal data shall be processed in accordance with the rights of data subjects under this Act

Seventh Principle

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

Eighth Principle

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.

Initial Assessment - Data Protection Principle 1

The purpose and use of the CCTV system should be established before use.

1. Assess the reasons for using equipment and how appropriate it is.
2. Establish the person or organisation that is legally responsible for the scheme
3. Establish the purpose of the scheme
4. Document standards 1-3.
5. Lodge notification with the Office of the Information Commissioner to cover purposes of use
6. Document and identify the person or organisation that will monitor compliance of scheme
7. Establish and document security and disclosure policies.

Location of Cameras - Data Protection Principle 2

To ensure the images are captured in a manner prescribed the location of cameras must be carefully considered.

1. The equipment should be used only to monitor the intended spaces.
2. Owners and residents of domestic premises must be consulted if domestic premises border the intended area to be viewed. (Not mandatory but good practice)
3. Those operating the system must be aware of its purpose and only use it for its specified purpose.
4. The cameras must be restricted where practicable so that those operating the system cannot overlook spaces that are not intended to be viewed.
5. Signs, which are clearly visible and legible, should be displayed so that the public are aware they are entering an area covered by CCTV.
6. Specific information should be included on the sign
   • Identity of who is responsible for the scheme
   • The purpose of the scheme
   • Identity of who is responsible for the scheme *
   • Details of who to contact regarding the scheme *
   • (* only applies if the location does not make this obvious)
   
   
7. If signs are not appropriate and monitoring is for a specific CRIMINAL activity:
   • Fully document the following steps
   • Identify the specific criminal activity
   • Identify there is a need to use surveillance to obtain evidence of that activity and whether the use of signs would prejudice success in obtaining such evidence
   • To ensure it is not carried out for longer than necessary, assess how long covert monitoring should take place

Access by Data Subjects

This right is provided by section 7 of the Data Protection Act 1998 - Data Protection Principles 1, 6 & 7.

1. When data subjects make a request for accessing their information, those operating the system must be able to recognise such a request.
   
   A standard subject access request form should exist for this purpose and should indicate:
   
   • What information is required to locate the requested images
   • What information is required in order to identify the person making the request
   • What fee is charged for carrying out the requested search (max £10.00)
   • Whether merely viewing the images recorded would satisfy the individual
   • That within 40 days of receiving the required fee and information the response will be provided
   • An explanation of the Rights provided by the 1998 Act
   
   
2. Written information should be given to individuals of the types of images retained, their purpose and the policy concerning disclosure in relation to those images
3. Standard 2 above should also be provided with the subject access request form
4. The designated person should deal with all subject access
5. The images requested should be located by a designated person
6. A designated person should make the decision whether disclosure also entails disclosure to a third party
7. A designated person should determine the decision as to whether the images of third parties are held under a duty of confidence
8. A designated person must ensure that third party images are disguised if third party images are not to be disclosed
9. An editing company may be used if the system does not have the capability to comply with standard 8 above
10. If a third party or an editing company is used the following procedures apply:
    • There is a contractual relationship between the data controller and the editing company
    • The editing company must give appropriate guarantees regarding the security measures taken in relation to the images
    • It is the responsibility of the designated person to check and ensure that the guarantees are met
    • That the editing company can only use the images in accordance with the instructions of the designated person should be explicit and in the form of a written contract
    • The security guarantees provided by the editing company should be explicit and in the form of a written contract
    
    
11. If it is decided by a designated person that an access is not to be complied with, the following should be documented:
    • The date of the request
    • The identity of the person making the request
    • Why the request to supply the images was refused
    • The name and signature of the designated person making the decision
    
    
12. All staff should be aware of individuals' rights
13. If disclosure is made, it should be in private with only authorised staff present
14. The Data Subject is entitled to a copy of his data in intelligible format (Standard VHS tape)

Under Sections 10, 12 And 13 Of The Data Protection Act 1998 Other Rights May Also Apply

1. When there is a request from an individual to prevent processing likely to cause unwarranted and substantial damage or automated decision taking in relation to that individual. All operators must be able to recognise such a request
2. When such requests are made all staff must be aware of the designated person who should respond to them
3. The response from the designated person must indicate whether they will comply with such requests
4. There must be a response in writing within 21 days of the designated person receiving the request
5. The designated person must give written reasons if the request cannot be complied with
6. A copy of the request and response must be kept
7. The designated person must notify the individual if an automated decision is made
8. If the individual makes a request in writing within 21 days the designated person must reconsider an automated decision
9. The designated person will respond within 21 days setting out the steps they will take if they receive a receipt of the written request in standard 8 above
10. The designated person will document the original decision, the request from the individual and their response to the request
11. Data Subjects can take court action to prevent unlawful processing
12. Data Subjects can claim compensation for "damage" suffered as a result of breaches of this Act

Action Surrounding Subject Access Requests, Complaints And Audit

1. The contact point indicated on the sign should be available to members of the public during office hours Employees staffing the contact point should be aware of the appropriate policies and procedures
2. Specific documentation should be provided to each enquiry
   
   Enquirers should be provided, on request, with one or more of the following:
   • The leaflet which individuals receive when they make a subject access request as general information
   • A copy of this code of practice
   • A subject access request form if required or requested
   • The complaints procedure to be followed if they have concerns about the use of the system
   • The complaints procedure to be followed if they have concerns about the non-compliance with the provisions of this code of practice
   
   
3. A complaints procedure should be clearly documented
4. A record of the number and nature of complaints or enquiries received should be kept together with an outline of the action taken
5. A designated person should use the report in standard 4 to assess public reaction to and opinion of the use of the system
6. A designated person should undertake regular reviews of the documented procedures to ensure compliance with the code
7. A report of the reviews in standard 6 should be provided to the data controller so the legal obligations and provisions of this code can be monitored
8. An internal annual assessment should be undertaken
9. The results of the report in standard 7 should be compared with the purpose of the scheme. If the scheme is not achieving its purpose, it should be discontinued or modified
10. The results of the report in standard 7 should be made publicly available

Images should not be retained for longer than is necessary

Images should not be retained for longer than is necessary. While retained, the integrity of the images must be maintained to ensure their evidential value and/or to protect the rights of the people whose images have been recorded. Access to, and the security of, the images should be controlled. - Data Protection Principle 3, 5 & 7

1. Images should not be retained for longer than necessary to achieve the purposes of the CCTV system
2. Once a retention period has expired, images must be erased
3. If images are to be held for evidential purposes, they should be kept in a secure place with controlled access away from other routine data
4. There are procedures for removing the medium on which the images have been recorded for use in legal proceedings. The following should be documented:
   • The date on which the images were removed from the general system
   • The reason why they were removed
   • Any crime incident number to which the images are relevant
   • The location of the images
   • The signature of the collecting officer; see below
   
   
   If the medium on which images are recorded is removed the following should be documented:
   • The date and time of removal
   • The names of the person removing the images
   • The name(s) of the person(s) viewing the images and the organisation(s) they represent
   • The reason for the viewing
   • The outcome if any of the viewing
   • The date and time that images were returned to the system (or secure place if they have been retained for evidential purposes)
   
   
5. Monitors in areas where individuals would have an expectation of privacy should not be viewed by unauthorised operators and/or employees of the operators
6. Access to images should be restricted to designated staff
7. All CCTV data must be stored securely with access limited to authorised personnel only
8. Viewing of recorded images should only take place in a restricted area
9. There are procedures for the removal of the medium on which images are recorded see 4 above.
10. All operators and employees to be informed of the procedures for accessing the recorded images
11. All operators to be trained in their responsibilities so they are aware of the user's security and disclosure policies and the rights of individuals.

Access to and the disclosure of CCTV images

Access to, and the disclosure of, CCTV images and the disclosure of images to third parties should be restricted and carefully controlled to ensure the rights of individuals are protected. The chain of evidence must remain intact if the images are required for evidential purposes. Reasons for the disclosure of the images must be compatible with the purpose for which the images were originally recorded. - Data Protection Principles 2, 7 & 8

1. Access to the images should be restricted only to those who need access to fulfil the purpose of the system
2. All access should be documented
3. Disclosure should be made in limited and prescribed purposes
4. All requests for access should be recorded and reasons for any denials
5. There are procedures for allowing access or disclosure
   
   When access to or disclosure of the images is allowed then the following should be documented:
   • The date and time of access or disclosure
   • Identification of third party to whom access or disclosure is allowed
   • The reason for allowing access or disclosure
   • The extent of information to which access or disclosure is allowed
   
   
6. Recorded images should not be made widely available e.g. on an intranet site
7. If the images are made widely available, the decision should be made by a designated person and the reasons documented
8. If the images are disclosed to the media, the images of individuals will need to be disguised to avoid identification
9. If the system does not have the capability to comply with standard 8 above, an editing company may be used
   
   There are procedures if an editing company is used
   • There is a contractual relationship between the data controller and the editing company
   • The editing company has given the appropriate guarantees regarding the security measures they take in relation to the images
   • The designated person checks to ensure the guarantees are met
   • The written contract makes it explicit that the editing company can only use the images in accordance with the instructions of the designated person
   • The written contract makes the security guarantees provided by the editing company explicit
   
   
10. There are procedures if the media organisation receiving the images undertakes the editing (See notes under point 9 above.)

Quality of the Data

Quality of the Data - Images produced by the system must be as clear as possible to ensure that they are effective for the purposes for which they are intended. - Data Protection Principle 3.4 & 5

1. When installed, the equipment should be checked to ensure it performs correctly
2. Tapes (if used) should be of good quality
3. The maximum number of passes is 13 times
4. The medium on which the images are recorded should be cleaned to prevent recording on top of previous images
5. The medium on which the images are recorded should no longer be used if there is a deterioration in the quality of the images
6. If the system records location of camera, date, time etc. these should be accurate
7. There should be a documented procedure for 5 above
8. Cameras should be sited only where they will capture relevant images
9. If automatic facial recognition systems are utilised, the database of images should be clear
10. A human operator should assess and determine the action to be taken to verify matches made by automatic facial recognition systems
11. The assessment in 9 above should be documented regardless of a match on the data base
12. Consideration must be given to the physical conditions in which the cameras are located
13. Operators should assess whether real time or specific timed recordings are required
14. Cameras should be properly maintained and serviced
15. Cameras should be protected from vandalism (if it is a likely problem)
16. A maintenance log should be kept
17. If a camera is damaged, there are clear procedures for:
    • Defining the person responsible for making arrangements for ensuring the camera is fixed
    • Ensuring the camera is fixed within a specific time period
    • Monitoring the quality of the maintenance work