CEO, CameraWatch

Paul Mackie is a recognised expert in the field of Data Protection Act compliance for CCTV systems. He boasts a 30-year CV in IT with both international blue chip companies and national governments. This work has included dealing with the compliance and legislation of industry software. Mackie, who also serves as CameraWatch's compliance director, assumed the CEO's role at the UK's leading CCTV Data Protection Act compliance advisory body on 1 July 2011.
May 9, 2014

Watching the watchers: CCTV Under Surveillance

The author is on a panel discussing the Surveillance Camera Commissioner’s Code of Practice on 17 June, 1pm-2pm, on the IFSEC Global.com Centre Stage at IFSEC International 2014

When: 17-19 June 2014
Where: ExCeL, London

As you’ll probably know, CameraWatch seeks to ensure that CCTV systems in the UK are operated correctly and legally, in accordance with the UK Data Protection Act.

We are totally independent and not-for-profit.

Writing for Asia Pacific Security Magazine, Adeline Teoh recounted how a member of the public complained that he had been captured unlawfully by a local council CCTV system and that his images were passed to and stored in a police station for no specific reason.

Even if the cameras were themselves lawful, he argued, the activity wasn’t directly related to the council’s responsibilities and functions.

The tribunal found in favour of the member of the public so the council literally had to cease operating CCTV in that area – a pretty big consequence. This ruling prompted a proposed change in legislation and I’m sure many lessons have been learned.

Three areas of legal concern were included in the tribunal hearing:

  1. Adequate notification, for example signage, that personal information is being collected and for what purpose
  2. That the information collected is relevant to that purpose, is not excessive and is accurate, up to date and complete and
  3. Reasonable security safeguards against loss, unauthorised access and misuse of the CCTV information.  

I won’t engage with the nuances of legal argument but I will compare it to UK non-compliance policing, much of which relates to the Data Protection Act 1998, since CCTV images that capture people effectively constitute personal data.

1. Adequate notification, for example signage, that personal information is being collected and for what purpose

The adequate notification very much covers the statutory signs which need to be erected and notification of CCTV use that should have been made to the statutory body, the Information Commissioner’s Office.

This notification must state the CCTV system’s purpose. There are specific requirements regarding the siting and wording of the signs which must include the registered purposes.

Any member of the public should be able to read the sign, understand what the CCTV is for, who is in charge of it and how to contact them. Having read this information the member of the public can then decide whether they’re willing to have their image captured and therefore personal data taken.

So that keeps things fully transparent as well as helping the public understand the CCTV’s purpose.

All reasonable and simple to do, you would think. Well yes it is – so why is this such a problem area of compliance? Ignorance? Laziness? A can’t-be-bothered attitude?

I guess if the UK had the clout to force the removal of CCTV systems in similar cases then more CCTV systems managers would resolve the problems.

2. That the information collected is relevant to that purpose, is not excessive and is accurate, up to date and complete

Well now: a multitude of potential sins here.

Firstly, “relevant to that purpose” means that you can only use the CCTV system for its registered purpose, a restriction to which so many CCTV systems fail to adhere.

It’s very tempting when you see the technological possibilities of CCTV to encroach beyond this stated purpose, but remember: you must be transparent and inform people of what you are using the system for. No more, no less.

Secondly, “not excessive” means that it needs to be proportionate to the stated purpose(s). You must be able to justify the system and, in particular, the system’s size and use.

Thirdly, the system must be “accurate” – and how easy is that to get wrong?

Now many of you will have seen previous articles from CameraWatch warning that when the clocks change twice a year your CCTV system could, in a stroke, become an hour out of kilter. That inaccuracy could be the difference between a successful prosecution and a failed one.

And how many people could be let down in the judicial process?

Accuracy also covers whether there is adequate lighting and whether the cameras are serviced. How many times do we see images which – let’s be honest – are so grainy we rely on our imagination to identify the image?

And fourth, “up to date and complete” covers the time and date display, but basically covers whether the system is fit for purpose. Does the system do what it should be doing (do we actually know what it should be doing?) and can we prove it?

We need documentation to show we are doing everything correctly and legally. It doesn’t have to be elaborate – you just need to prove an audit trail of what happened to those images, from when they were first recorded, through managing them, to the end of the process: either destruction, accompanied by a certificate of destruction, or handover to law enforcement agents with a sign-over form.

3. Reasonable security safeguards against loss, unauthorised access and misuse of the CCTV information.  

Let’s have a wee bit of pure honesty here. It’s OK. I’m not looking over your shoulder for answers.

When you copy images onto disk or pen-drive etc, do you have the correct written request and authorisation? Where do you keep it while waiting for collection – under lock and key where the keys are restricted and logged?

Are staff trained on how to ‘dump’ the images?

Can other people – unauthorised and untrained in data protection – see your monitors and watch areas outside the immediate locale? Do third parties – eg, maintenance, engineers, visitors, cleaners – log in and out and are they signed up to data protection for exposure to CCTV?

I guess if the UK had the clout to force the removal of CCTV systems in similar cases then more CCTV systems managers would resolve the problems.

Those are just three areas, which then raise many more issues. Identified by the ruling in Australia, they are also covered by the UK Data Protection Act, so you should have them covered.

If you want to install and use a CCTV system which captures members of the public then there are legal requirements to follow – just like owning a car.

We all have the right to emulate the Australian complainant in the aforementioned story, whether the CCTV is in public space or a local shop. And it’s only a matter of time before someone in the UK does just that. It might be a defence lawyer or a member of the public – it doesn’t really matter.

Do you remember the positive publicity for CCTV in the aftermath of the 2011 riots, when CCTV images led to thousands of prosecutions? Now imagine if just one of those accused decided to question the legality of the CCTV system that captured them.

It could have been any number of CCTV systems – in shops, garages, public space, council buildings – for various purposes.

Now CameraWatch sees this as a risk – a major, but unnecessary risk.

More than 90% of UK-based CCTV systems monitored by CameraWatch don’t comply with the law. Why do we accept the risk of someone challenging the legitimacy of these cameras?

What if people already prosecuted using CCTV evidence later challenge its legitimacy? Might the CCTV owner themselves risk prosecution and action from the Information Commissioner’s Office?

And just who pays for this? Might insurance companies have encouraged CCTV use by discounting premiums for security on site?

Did they ever check that the CCTV system attracting reduced premiums was actually legal? Do they know about CCTV and data protection?

Perhaps insurance companies will claim the system’s illegality will void the policy.

As an industry we’re taking a big risk through non-compliance.

The lesson from that Australian article is very simple: CCTV can be an invaluable, increasingly powerful tool. But just because technology can do something, it doesn’t mean it should.

Use CCTV transparently. Use it legally and compliantly. Use it without risk. Use it to help us all.
