ANPR Data Protection Act Compliance

From CCTV Information
Jump to: navigation, search

CCTV, Automatic Number Plate Recognition & Electronic Access Control


The goal of this white paper is to inform stakeholders of the legal responsibilities and rights in relation to the Data Protection Act (DPA) as it applies to CCTV and other systems that process personal data.

It is of fundamental importance to recognise that the Data Protection Act is not technology specific, it relates to the management of Personal Data and the rights of the individual, requiring that data is;

  • Fairly and lawfully processed;
  • Processed for the limited purposes as stated and not in any way incompatible with those purposes;
  • Adequate, relevant and not excessive;
  • Accurate;
  • Not kept for longer than is necessary for the purposes;
  • Processed in accordance with individuals’ rights;
  • Kept secure;
  • Not transferred to countries or territory outside the EU without adequate protection.

The DPA not only creates obligations for organisations, it also gives individuals rights, such as the right to gain access to their details and to claim compensation when they suffer damage.

The Data Controller or his advisor should produce a Data Policy relating to CCTV, ANPR & EACS as applicable and make this available to the Data Processor and other stakeholders within the organisation.


1:1 The Data Controller is responsible for registering with and informing the ICO of the purposes for which data is being processed. The Data Controller is normally the beneficial owner of the equipment who dictates Management Policy. In the case of investment property it is often the case that a Managing Agent will formally assume this responsibility on behalf of a Landlord. Having regard for the legal implications it is inadvisable for this to be further delegated.

1:2 The Data Processor is responsible to the Data Controller for the implementation of the Data Management Policy and its application. Having regard for the vicarious liability upon the Data Controller it is good practice that the Building Manager employed by the Data Controller adopts this role, alternatively an SIA CCTV licensed Senior Security Officer employed by the Security (Guarding) Service Provider could be considered.

1:3 The Auditor is normally an independent third party instructed by the Data Controller, to ensure an unbiased audit of compliance management and assessment of systems efficacy. Although for commercial reasons some will place the instruction via the Security (Guarding) Service Provider, whilst requiring that a copy report is also delivered to the Data Controllers Facilities Manager.


2:1 The Information Commissioners Office (ICO) is responsible for enforcement of the DPA and has powers to impose substantial penalties (£500,000 maximum) for serious breaches of the Act.


Any system that process Personal Data must be managed in accordance with DPA principles, insofar as Facilities and Security Management is concerned this relates to;

  • Closed Circuit Television (CCTV) images (these are regarded as data under DPA)
  • Electronic Access Control Systems (EACS) data
  • Automatic Number Plate Recognition (ANPR) data.

Biometrics and Video Analytics are becoming increasingly incorporated into security systems and careful consideration must be given to application policy.


There is no single all encompassing technical and management code of practice relating to DPA compliance, reference to the following publications is recommended in development of a Policy Document specific to the users requirements.

4:1 The ICO CCTV Code of Practice provides guidance for those involved in operating CCTV and other devices which view or record images of individuals. It also covers other information that relates to individuals such as ANPR when used for car parking enforcement.

The recommendations in this code are all based on legally enforceable data protection principles that lie at the heart of the DPA and they have been set out to follow the lifecycle and practical operation of CCTV. Each section of the code will:

  • help ensure that those capturing images of individuals comply with the DPA
  • mean that images that are captured are useable; and
  • reassure those whose images are being captured.

The above publication is available free issue from the ICO website.

4:2 British Standard 7958:2009 Closed circuit Television (CCTV) – Management and operation – Code of practice. This British Standard supplements the DPA 1998, Human Rights Act 1998 and the Freedom of Information Act 2000.

Irrespective of the ownership this code covers CCTV schemes where the public have a “right to visit”. These areas include, but are not limited to;

a) a place that is privately owned but where the public perceive no boundary;
b) a place where a public service is offered;
c) public footpaths, roads, bridleways, etc.;
d) educational establishments and hospitals;
e) sports grounds, supermarkets, and housing areas.

This British Standard also applies to CCTV schemes used in public places such as the following;

a) areas where the public are encouraged to enter or have a right to visit, such as town centres, shopping malls, public transport, health establishments, etc.;
b) schemes that overlook a public space, such as traffic monitoring schemes;
c) private schemes where a camera view includes a partial view of a public space.

NOTE All operatives employed under contract to monitor CCTV schemes in public spaces, where the core activity is security must hold Security Industry Authority CCTV (Public Space Surveillance) Operator Licence.

This British Standard aims to provide recommendations on best practice to assist users in obtaining reliable information that can be used as evidence. Whilst some schemes might not need to meet the DPA criteria, compliance with this code of practice is strongly recommended particularly where schemes include an element of observation of the public.

This British Standard recommends that an annual audit should be conducted to monitor the scheme. This should include annual reviews of the scheme’s operation and working practices and, where appropriate, recommendations for improvements. Where schemes operate within the public domain an independent annual report should also be included and be made available to the public.

4:3 British Standard 8495:2007 Code of Practice for digital CCTV recording systems for the purpose of image export to be used as evidence.

This British Standard relates to images downloaded (exported) from recording equipment to portable media (e.g. CD or DVD), emphasis is placed on the following key areas.

a) Fitness for purpose of recorded images.
b) Audit trail.
c) Image integrity.
d) Time and date integrity.
e) Storage.
f) Export of Images.
g) Replay of exported images.

4:5 Home Office CCTV Operational Requirements Manual 2009 Publication 28/09

This document provides practical guidance to the design of CCTV systems that can be considered fit for purpose.

Frequently CCTV is installed without sufficient thought given to its purpose, operational issues and responses, technical specification and managerial implications.

Unless these matters are established there is no benchmark against which system efficacy can be measured. In the absence of a formal Operational Requirement one should be retrospectively documented within a site specific CCTV Policy Document.

The above publication is available free issue from the Home Office website.

4.6 ANPR Code of Practice

The Home Office launched a new consultation on a code of practice for CCTV & ANPR. The consultation is the first step towards a new code of practice, as set out in the Protection of Freedoms Bill, which at the time of writing is at the third reading stage. Until such time that this code of practice is published the Data Controller or his advisor should consider fundamental DPA principles when drafting ANPR policy notes as an addendum to a CCTV Policy.

4.7 Electronic Access Control Systems (EACS) Personal Data Policy

BS EN 50133-1:1997 Access control systems for use in security applications relates to the design and installation of EACS systems. The British Security Industry Association (BSIA) have published A specifiers guide to the security classification of access control systems 9 March 2011) page 35 17.5 Data Protection states ‘As the access control system will be storing personal data then it must be documented in the company’s data protection policy.’

5. Data Policy Document – Relating to CCTV, ANPR, EACS.

This should be developed by or on behalf of the Data Controller and contain information and guidance to the Data Processor and those subordinate to him involved in the day to day management of the system in accordance with and to achieve Data Protection Act compliance.

The document should form the benchmark against which system management can be audited and system performance checked against operational requirements. Policy should be stated in relation to the following headings;

5.1 Introduction – an overview of the purpose of the policy

5.2 Notification – a statement that the Information Commissioner has been correctly notified that CCTV / ANPR / EACS data are being processed.

5.3 Purpose of Scheme (CCTV) – the ICO requires that the purposes of the scheme are included in the notification.

A typical ICO template for CCTV is below, although it would be good practice to add & THE GOOD AND SAFE MANAGEMENT OF THE PREMISES to cover the non crime related purposes. AUTOMATIC NUMBER PLATE RECOGNITION IS USED FOR THE PURPOSES OF PARKING CONTROL AND ENFORCEMENT should be added if relevant and expanded on if required.

Purpose #
Crime Prevention and Prosecution of Offenders
Purpose Description:
Crime prevention and detection and the apprehension and prosecution of offenders.
Data Controllers further description of Purpose:

Data subjects are;
Staff including volunteers, agents, temporary and casual workers
Customers and clients
Members or supporters
Complainants, correspondents and enquirers
Relatives, guardians and associates of the data subject
Advisers, consultants and other professional experts
Students and pupils
Offenders and suspected offenders

Data classes are:
Personal Details
Education and Training Details
Employment Details
Offences (Including Alleged Offences)
Criminal Proceedings, Outcomes And Sentences.

Sources (S) and Disclosures (D)(1984 Act). Recipients (1998 Act):
Data subjects themselves
Relatives, guardians or other persons associated with the data subject
Healthcare, social and welfare advisers or practitioners
Business associates and other professional advisers
Employees and agents of the data controller
Other companies in the same group as the data controller
Suppliers, providers of goods or services
Persons making an enquiry or complaint
Survey and research organisations
Trade, employer associations and professional bodies
Police forces
Private investigators
Local Government
Central Government
Data processors

None outside the European Economic Area

5.4 Location & Brief Description – a short description of the location of the scheme and general areas of surveillance, this should be included in Public Information. (see 5.17)

5.5 Data Processor Details - state levels of responsibility, who is responsible for ensuring that the scheme is correctly managed and what deputising arrangements are in place.

5.6 Maintenance Service Provider - state the name of the maintenance service provider and procedures.

5.7 Camera Performance - benchmark operational requirement of individual cameras against which performance can be assessed and ensure that there are no invasion of privacy issues.

5.8 Monitors - state location and policy for viewing.

5.9 Recording Equipment - state recording parameters and procedures. There is a common misconception that a 30 day archive period is in some way mandatory, this is not the case, the archive period should be adequate to achieve the purpose of the scheme. In the case of a commercial office building; the need for evidence could normally become apparent within 10 days of an incident, so this could be regarded as a reasonable archive period. The recording rate, number of pictures per second (pps) should be as close to real time (25pps) in playback as is economically viable. A minimum recording rate of 6pps would be reasonable for the majority of applications. Image quality must be sufficient to achieve the stated purpose of the scheme. For guidance in these matters refer to the Home Office Operational Requirements Manual.

5.10 Disclosure of Images - state who may be allowed access to recordings and what the handover procedures are.

Consideration should be given to procedures relating to the removal of recording hard drives, either separately or incorporated in DVR’s. There are rare occasions when Police remove hard drives for serious crime investigations, but more frequently they are taken by service engineers in response to equipment failure or routine replacement. It is important that robust handover procedures are in place ensuring accountability, traceability and the ultimate destruction of data held on these devices. Second hand recording equipment is often found for sale on auction sites, most will hold recorded images from the previous location, this could result in an ICO prosecution or at the least cause embarrassment to stakeholders.

5.11 Access to Recordings by Individuals (Subject Right of Access Request) - state policy and establish procedures.

We all have the right to request copies of our images captured on CCTV, there are exceptions to this rule which makes it all the more important to be sure of your ground when dealing with this issue. As a general rule it is better to comply with a request rather than procrastinate. When processing such a recording it is important to maintain the privacy of third parties by blurring (redeacting) their images.

The maximum charge that can be levied on the applicant is £10, whereas the editing cost for redaction alone can be hundreds of pounds. It can also be highly disruptive to your facilities management team.

5.12 Download of Electronic Images – state policy and procedures, NB download should be to Worm (write once read many times) CD Rom or DVD-R discs, in order to create and maintain a secure audit trail two copies should be made, a WORKING COPY for Police issue and an ARCHIVE COPY which should be held securely on site. It is good practice for the discs to be uniquely serially numbered in pairs during manufacture. The use of rewritable discs or memory sticks etc., could result in the veracity of evidence being challenged. 5.13 Video Prints - state the circumstance under which video prints may be made and what procedures that must be put in place to achieve a robust audit trail.

5.14 Voice Recording - The ICO states that; CCTV must not be used to record conversations between members of the public as this is highly intrusive and unlikely to be justified.

5.15 Covert Recording - state policy and procedures, covert CCTV should only be implemented for specific justifiable cases which must be documented, any such equipment must be decommissioned once it is no longer required for the specific case.

5.16 SIA Licensing of CCTV Operators – consult with service provider and state parameters.

5.17 Public Information - make publicly available information about the extent of CCTV surveillance and how it is managed. Go to and enter VIF59A555264 to view an example.

5.18 CCTV Information Signs ensure that adequate CCTV signage is in place stating the purpose of the CCTV and contact details of the Data Controller or agent for further information.

5.19 Control Room Review – if the CCTV is managed via a security control room conduct an annual review in accordance with BS7958

5.20 Record Keeping – consideration should be given to implementing the following logs and documentation;

5.20.1 – Incident reporting and evidence download log
5.20.2 – Visitor viewing of images log
5.20.3 – Recording equipment check log
5.20.4 – Repairs and Maintenance log
5.20.5 – Hard drive tracking log
5.20.6 – Subject Access Request application forms

In addition to the above which are adequate for non control room applications the following should be implemented for CCTV control room operations where operators are responsible for real time surveillance.

5.20.7 – Operator duty log
5.20.8 – Contemporaneous observation log (or contractors DOB)

5.21 System Activity – an annual analysis of activity by type should be undertaken.

5.22 Assessment of Schemes Impact on Crime – an annual assessment should be undertaken based on the previous 12 months system activity.

5.23 Provision for Additional Policy Notes – an area should be set aside in the policy to accommodate the application of technology specific to the scheme, this could be ANPR or Body Worn CCTV cameras and recording equipment carried by patrolling security personnel.

5.24 Complaints Procedure – provision should be made for receiving and processing complaints relating to the CCTV /ANPR / EACS.

5.25 Electronic Access Control Notification – in the event that EACS processes personal data the notification to the ICO should state the purpose etc., as per the following template;

Purpose # Maintenance of a database in relation to the issue and subsequent use of electronic access control devices and biometric recognition of individuals.

Purpose Description: Control and logging of access & egress
Logging invalid use attempts
Setting, unsetting and management functions relating to security alarm system
Emergency role call
Control and logging of equipment use
Financial accounting for staff purchases
Time and attendance recording
Payroll accounting

Data subjects are:
Staff including volunteers, agents, temporary and casual workers
Customers and clients
Members or supporters
Complainants, correspondents and enquirers
Relatives, guardians and associates of the data subject
Advisers, consultants and other professional experts

Data classes are:
Personal Details
Family, Lifestyle and Social Circumstances
Employment Details
Financial Details
Goods or Services Provided

Sources (S) and Disclosures (D)(1984 Act). Recipients (1998 Act):
Data subjects themselves
Employees and agents of the data controller

None outside the European Economic Area

5.26 Access Control Data Policy – the policy document should state;

5.26.1 the objectives of the EACS
5.26.2 the specific purposes for which the system is intended
5.26.3 describe how the data is secured
5.26.4 describe how and under what circumstances the data may be disclosed and to whom it may be disclosed
5.26.5 define internal audit procedures to ensure that only current personnel and visitors remain active within the system.

About the Author

Brian Larkins has over 30 years experience in the security systems and manned guarding industry. Since 1998 he has been involved in the development of CCTV compliance products and services that are widely used by organisations as diverse as Multiple Retailers and HM Prison Service.

The company, previously known as Video management Services (VMS), rebranded as VeriFi CCTV in 2011 to focus on the provision of VeriFi Online, a holistic web based compliance service.

Brian has hands on experience in carrying out CCTV compliance audits and assessments across the widest spectrum of applications; it is through this practical experience that he is qualified to write this factually based paper.

Click here for more information on this article or Verfi CCTV services.