IFSEC Insider is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Penetration of CCTV in commercial town centres, retail and commercial areas in the UK is unrivalled in the world. CCTV installers continue to carry out millions of pounds worth of expert work as government grants are made available for major upgrading throughout the country.
However, the wide ranging Data Protection Act (DPA) implemented in October of last year is not being adhered to by many operators and could result in schemes operating illegally.
Macbond, Scotland’s premier Internet security and data protection consultancy, carried out a survey north of the border earlier this year which revealed worrying results that are quite likely to be duplicated across the UK.
Managing Director of Macbond, Owen Sayers, told CCTV Solutions that they did not anticipate such a low level of compliance. He believed installers, for their own good, should not just sell the systems but advise clients on good practise “… or they will come off badly in the end.”
He thought the survey would be representative of the UK as a whole: “I suspect that in some places the results would be worse. In general the take-up has been fairly low. More a case of ‘how do I get around it?’ rather than comply with it.”
Right to see footage Although the DPA covers many other processes other than CCTV, the study was carried out because it was relatively easy to determine compliance (a visual check and a document search on-line). CCTV’s importance in crime prevention and the extent of its deployment (2.5million cameras in the UK, capturing an individual up to 300 times each day) were other reasons for the survey.
Prior to March 2000 no formal controls existed to govern CCTV systems, and few people captured on these systems had any rights to view or obtain data held upon them. The new act has given Data Subjects these powers, and many more besides, entirely changing the landscape of CCTV operations – particularly with regard to the use of CCTV footage for evidential purposes.
Why is compliance important? Already in one criminal case in a Magistrates Court, CCTV evidence was deemed inadmissible because the operator had failed to fully comply with the requirements of the DPA 1998.
As the pressure of street crime and theft increases, it is important that evidence is admissible and is gathered, processed, handled and presented by means acceptable to the courts. CCTV operators must take steps to ensure that footage remains evidentially sound.
Individuals captured on film have a legal right to a copy of the data held about them on payment of a small fee. Systems which do not comply with the Act are unlikely to be able to meet this statutory requirement.
The operation of a non-compliant system has now itself become a criminal offence, and CCTV system operators who do not wish to risk prosecution must, in any event, ensure they bring systems up to an acceptable standard in all respects.
The Macbond Survey This survey was undertaken in March 2002 by Macbond Limited. The sample size was small, but was conducted in two stages. The first area sampled was the main shopping area of a major Scottish city, where 55 sites were surveyed. The second area was the high street of a medium sized provincial town, with 44 sites surveyed. Of these 99 sites, 94 had CCTV installed.
The sites examined included public open spaces, pubs, retail stores, department stores, banks and restaurants, and almost all of the sites surveyed belong to major high street retailers.
In the absence of evidence to the contrary, the study results are believed to be strongly indicative of the general trend to be found in any major town or city centre in the UK.
The Methodology There are many elements required for DPA compliance of CCTV systems. These can however be divided into 3 key areas.
Notification – an appropriate and up to date registration of the CCTV system on the Data Protection Register.
Signage – the display of appropriate warning signs around and within CCTV monitored areas.
Operational Practices – in effect “everything else”, including staff training, equipment and hardware, documentation and operational methodologies as defined by the CCTV Code of Practice defined by the Information Commissioner.
Areas 1 and 2 are highly visible, and a knowledgeable observer can readily iden-tify whether the system appears to be com-pliant or not in only a very few seconds of inspection.
In determining compliance for the purposes of this survey the following rules could be applied:
Where a system does not comply with areas 1 and 1 or 2 it cannot be DPA compliant.
Where a system does comply with areas 1 and 2 it may be DPA compliant – but only if all elements of area 3 are also complied with. It is not possible to determine this from casual inspection alone.
Interpretation of Survey Results The survey results only absolutely indicate those systems that cannot be compliant for the reasons given in Section 1.3 above.
This does not mean that those systems which do appear to be compliant based upon the survey are in fact fully compliant. It is not possible to deter-mine this from the survey conducted, and further investigation could reveal that even these systems do not comply with the Operational Practices requirements. Where appropriate, a breakdown of non-comp-liance results is given, as are several other compari-sons of system structures, signage and notification.
The Survey Results The following tables contain the general findings of the survey:
Proliferation of CCTV Systems Number of sites with External Cameras: 15 (16%) Number of sites with Internal Cameras: 92 (98%)
Within the 2nd sample there was a significantly larger proportion of sites where external CCTV cameras (24% Sample 2 in comparison to 9% Sample 1) had been deployed. By far the majority of these external systems were adjacent to or immediately outside licensed premises, and previous informal checks of CCTV deployment by the authors has identified that within that sector, great reliance appears to be placed upon CCTV systems to improve monitoring of access routes, and internal areas frequented by patrons.
Each sample area had one local authority-controlled CCTV system. The system of the Sample 2 area was largely compliant from the criteria examined by the assessment team, the system in Sample 1 was not compliant in any of the measured elements.
Signage of sites with CCTV Systems
Number of sites with External Warning Signs: 14 (15%)
Number of sites with Internal Warning Signs: 17 (18%)
Appropriate signage identifying the system, its purpose, the operator and contact details is a requirement under the First Data Protection Principle. Of the sites sampled only a small proportion complied with this requirement.
Of the two observed Public Open Space systems, one had signage that would most probably meet the requirements in almost every regard, and the other had no signs displayed at all.
Compliance of displayed signs (internal or external
Signs with compliant textual warnings: 13 (14%)
Signs of an approved size and location: 8 (9%)
Number of overall DPA compliant signs: 6 (6%)
Even where signs are utilised, there are strict guide-lines covering their size, location and content. Overall across the survey areas, only 6% of deployed signs met these criteria.
Without appropriate warning signs it is difficult to envisage any circumstance where the operation of the system, and the consequent collection of images could be determined to be fair as required in Principle
Registration of Sites with CCTV for the use of CCTV systems
Number of sites with DPA Registrations: 80 (85%)
Number registered correctly for CCTV use: 40 (43%)
The majority – though not all sites sampled – were found to be registered on the publicly available DPR register (available over the internet on http://www.dpr.gov.u ). It is however the experience of the authors that this resource can run several weeks out of date, and the number of correctly registered sites may be greater than the study determined. Annual registration costs GB pound 35 per annum. Of those who were registered, and who operate CCTV systems, only 43% across the entire sample were correctly registered.
Overall measured DPA Compliance of sample sites
Number of sites apparently DPA compliant: 6 (6%)
Number of sites with CCTV who are visibly not compliant on tested criteria: 88 (94%)
Taking into account all of the above criteria, and assessing each sampled site carefully against both the Act itself and the Code of CCTV Good Practice Guidelines issued by the Information Commissioner, a worryingly low percentage of the sample fall into the category that could – providing all other compliance requirements are met – be compliant. It is more certain to state that 94% of the total sample using CCTV could not meet the criteria required for compliance.
Summary of Findings
The survey clearly demonstrates the extent to which CCTV is deployed in commercial retail properties of all types. Unfortunately it is also clear that very few systems within the sample area can be DPA compliant.
It is the experience of the authors that this pattern is repeated across the country, and throughout all sectors – public and private.
Any system non-compliant after 20 October 2001 is operating illegally (or after 1st March 2000 where the system was first deployed after that date). Although the Information Commissioner’s office will encourage operators to become compliant, those who control such systems could face fines of GB pound 5,000 or more.
General awareness of DPA compliance – and in particular the rules surrounding CCTV – appears to be very low, and uptake of compliance work has thus far been disappointing.
With only 6 surveyed sites even apparently compliant, the remaining 88 surveyed sites (94% of the sample) are almost certainly operating their CCTV systems illegally, and the footage thus derived could potentially be successfully challenged in court where submitted as evidence.
The difference in the number of correctly registered sites (43% of the sample) and those displaying compliant signage (6%) is notable.
Many of the sites in the survey area could become at least apparently compliant simply by displaying CCTV signs which meet the Code of Practice criteria.
The sample size was too small to generate viable results on compliance within individual types of site. Additional separate focused study by the authors in other locations has identified that in some sectors there are specific comp-liance issues however. An example is the use of external cameras outside bars and nightclubs – an increasingly common practice – or the often large and complex installations deployed at petrol filling stations. Though the intention of these systems may be to improve public safety and deter crime by monitoring the behaviour of patrons, and to protect staff and customers, these systems can and do capture members of the public merely passing by the premises, and the rights of these individuals are not being taken fully into consideration.
This “collateral” coverage has previously been used to good advantage by law enforcement bodies – notably in anti-terrorist and missing person investigations. It is however likely that in future the operators may be prosecuted for non-compliance with the DPA 1998, or that evidence obtained from such systems will be of limited use in legal proceedings. Police gathering such evidence should be made fully aware of the impact of the DPAon CCTV footage, and satisfy themselves that evidence obtained has been lawfully gathered.
Does your system comply?Penetration of CCTV in commercial town centres, retail and commercial areas in the UK is unrivalled in the world. CCTV […]
IFSEC Insider
IFSEC Insider | Security and Fire News and Resources
