CCTV Systems
and the Data Protection Act 1998 (DPA)
Why is there a need
for additional guidance?
There has been a recent court case which affects whether
particular CCTV activities are covered by the DPA. This
Guidance Note makes clearer which CCTV activities are
covered by the DPA. It is particularly aimed at helping
users of basic CCTV systems such as small businesses.
Guidance
Notes
What CCTV activities
are covered by the DPA?
The court case dealt with when information relates to
an individual and is then covered by the DPA1. The court
decided that for information to relate to an individual,
it had to affect their privacy. To help judge this,
the Court decided that two matters were important:
- that a person had to be the focus of the information
- the information tells you something significant
about them. So, whether you are covered or not will
depend on how you use your CCTV system.
I only use a very basic
CCTV system, how am I affected?
If you have just a basic CCTV system, your use may no
longer be covered by the DPA. This depends on what happens
in practice. For example, small retailers would not
be covered who:
- only have a couple cameras,
- can’t move them remotely,
- just record on video tape whatever the cameras
pick up,
and only give the recorded images to the police to
investigate an incident in their shop.
The shopkeepers would need to make sure that they do
not use the images for their own purposes such as checking
whether a member of staff is doing their job properly,
because if they did, then that person would be the focus
of attention and they would be trying to learn things
about them so the use would then be covered by the DPA2.
It sounds like many users
of basic CCTV systems are not covered by the DPA, is
there an easy way to tell?
Think about what you are trying to achieve by using
CCTV. Is it there for you to learn about
individuals’ activities for your own business
purposes (such as monitoring a member of staff giving
concern)? If so, then it will still be covered. However
if you can answer ‘no’ to all the following
3 questions you will not be covered:
- Do you ever operate the cameras remotely in order
to zoom in/out or point in different
directions to pick up what particular people are doing?
- Do you ever use the images to try to observe someone’s
behaviour for your own business purposes such as monitoring
staff members?
- Do you ever give the recorded images to anyone
other than a law enforcement body such as the police?
How are more sophisticated
CCTV systems affected?
In many CCTV schemes, such as are used in town centres
or by large retailers, CCTV systems
are more sophisticated. They are used to focus on the
activities of particular people either by
directing cameras at an individual’s activities,
looking out for particular individuals or examining
recorded CCTV images to find things out about the people
in them such as identifying a criminal or a witness
or assessing how an employee is performing. These activities
will still be covered by the DPA but some of the images
they record will no longer be covered. So if only a
general scene is recorded without any incident occurring
and with no focus on any particular individual’s
activities, these images are not covered by the DPA.
In short, organisations using CCTV for anything other
than the most basic of surveillance will have to comply
with the DPA but not all their images will be covered
in all circumstances. The simple rule of thumb is that
you need to decide whether the image you have taken
is aimed at learning about a particular person's activities.
What should I do next?
If some of your CCTV activities are still covered you
still need to comply with the DPA by making sure you
have notified the Commissioner, having signs, deciding
how long you retain images and making sure your equipment
works properly. The Information Commissioner has issued
a CCTV Code of Practice3 and this together with a checklist
for users of small CCTV systems provides detailed guidance
for those using CCTV systems. The only difference is
that you will no longer have to give individuals access
to those images that are just general scenes neither
focusing on a particular individual nor being used to
learn information about individuals. If you are a user
of a basic system and are not covered, you do not have
to comply with the DPA though you may find the guidance
on compliance in the CCTV Code of Practice helpful as
this gives good practice advice to help make sure the
images are up to the job of preventing and detecting
crime. If you have already notified the Information
Commissioner of your CCTV activities you will not have
to renew this when it is due. Just let us know when
you get your renewal reminder.
Will you be issuing further
guidance on CCTV?
The Information Commissioner is already conducting an
extensive review of the existing CCTV Code of Practice
to make sure it has kept up to date with technological
and other developments. This review will also take into
account the changes to the interpretation of the DPA
covered by this paper. The revised code should be published
later in the year.
Confused?
Just give us a call, the Data Protection Help line staff
will be happy to help. The number is 01625 545745. If
you have a query about an existing notification entry
our Notification staff can help you their number is
01625 545740.
Bogus
Agencies
Businesses throughout the UK continue to be troubled
by bogus data protection notification agencies.
The Information Commissioner's Office (ICO) is the
only statutory authority for administering and maintaining
the public register of Data Controllers.
Correspondence that is really from that ICO always
bears the address:
Wycliffe House, Water Lane, Wilmslow,
Cheshire.
The annual statutory notification fee is £35.00
, on which no VAT is payable.
If anyone is dubious about the validity of any correspondence
that has been received or requires further information
then please write to ICO at the above address or contact
the helpline on
Tel: 01625 545 740.
|
