Data Protection - New CCTV Code of Practice - April 2008
Data Protection - New CCTV Code of Practice launched
Time to review your CCTV Practices
If your organisation uses CCTV or a similar device to record people then the attached article on the Information Commissioner’s new Code of Practice may be of interest.
The Information Commissioner’s Office (ICO) has issued a new Code of Practice for CCTV, setting out guidance for organisations using CCTV, on best practice for compliance with the Data Protection Act 1998 (DPA).
The new Code aims to reflect recent developments in CCTV technology, and to put in place safeguards regarding its use. The Code is very different to the old one, which was published in 2000, so organisations using CCTV will have to review their policies and practices to ensure they remain compliant.
Here’s a brief overview of the new guide.
Overview of the Code
Getting your practices and policies into shape
FAQs
Resources
Application
The Code applies not just to what we would commonly think of as CCTV, but to any device that records images of people, and the information about people that is obtained from those images.
What type of CCTV usage is covered by the DPA?
The DPA will apply to most usage of CCTV, simply because in most cases CCTV is used to view/record the activities of people. This stance contrasts with that of the previous code, under which only usage of CCTV to monitor/record particular individuals was subject to the DPA. Under the new Code, only very basic CCTV systems will not be caught by the DPA (see FAQs below).
Performing an impact assessment
Organisations should perform an ‘impact assessment’ on their use (or proposed use) of CCTV to help them assess whether they should actually use it. Section 4 of the Code sets out the questions that organisations should consider as part of their assessment. CCTV should only be used if it can be objectively justified.
The assessment, the conclusions drawn and justifications for using CCTV should be recorded, possibly as part of the organisation’s wider Data Protection Policy or Manual.
Policies on operating your CCTV Scheme
An organisation should put in place clear policies covering issues such as responsibility for control of the images, what is to be recorded, and how images are used. It should also consider performing regular audits to check that these policies are being complied with.
Choosing, placing and using the cameras
The Code contains detailed guidance to ensure that suitable cameras are used and sited whilst keeping privacy intrusion to a minimum. Recording conversations between members of the public is prohibited - in fact, recording can only be lawfully performed in a small number of situations.
Storing, viewing and disclosing CCTV images
Some organisations site TV monitors at different locations in a building to display CCTV images being recorded. The Code sets out rules for when and how this can lawfully be done - in general, these monitors should only be visible to the public if they are showing a publically-viewable area close to the monitor in question.
In terms of disclosing CCTV images (e.g. sending a video or video file outside the organisation), the Code stipulates that this should be consistent with the purpose of the CCTV scheme. For example, if the CCTV is used for crime detection/prevention, images should only be disclosed to law enforcement agencies. The organisation should have clear policies on handling disclosure requests.
For storage, the Code states that CCTV images should only be stored for as long as necessary, bearing in mind the purpose for recording the image in the first place. For example, if an organisation has CCTV to record crimes taking place on its premises, it will only need the recording for a short period because an incident is likely to be discovered soon after it occurs.
Displaying CCTV notices
In areas being monitored/recorded, organisations should place notices saying that CCTV is being used, the purpose of the CCTV, and giving contact details for the organisation.
Getting your practices and policies into shape
The new CCTV Code of Practice is a radical departure from the 2000 version. Whilst non-compliance won’t automatically put you in breach of the DPA, it will be an important factor to be taken into account in assessing your organisation’s DPA compliance.
Now is a great time for revisiting your CCTV practice and policies, and wider DPA compliance policies. If you would like assistance with your review, we’d be delighted to assist.
► “We only use our CCTV for crime detection. Do we have to comply?”
The Code sets out more restrictive obligations for organisations using very basic CCTV systems, where the sole purpose of recording is to record criminal incidents on the organisations premises. If you fall into this category, you have to check the points covered in Appendix 2 to the Code.
If the CCTV system is also used for checking up on employees, the wider obligations of the Code and some other special obligations (see below) will apply too.
► “I use CCTV to keep an eye on my employees. What do I have to do?”
To be compliant with the DPA, CCTV usage must be justified. Appendix 3 to the Code discusses this subject in detail, and the type of issues you must consider. If you decide you do want to use CCTV for employee monitoring, you must first go through the impact assessment discussed above.
► “We’re a public sector organisation. Is there anything else we should consider?”
For public authorities, there are even wider issues to address - for example, the Human Rights Act. The right to respect for private and family life, one of the rights turned into a legal obligation by the Act, may be infringed by use of CCTV by a public body.
A public authority’s CCTV policy (or its lack of one) is also likely to be disclosable under the Freedom of Information Act, and so subject to public scrutiny. With data protection enjoying a very much higher profile nowadays, being seen to have poor CCTV policies or practices could lead to embarrassment or even reputation damage for the authority concerned.
Of course, if you receive a subject access request for CCTV images, you should if at all possible try to avoid disclosing images of any other individual, as this would almost certainly breach the DPA.
Information Commissioner’s Office Data Protection Code of Practice 2008:
http://www.ico.gov.uk/upload/documents/library/data_protection/
detailed_specialist_guides/ico_cctvfinal_2301.pdf
This guide has been written by the Intellectual Property & Technology Team at Freeth Cartwright LLP. It was adapted from a guide published on IMPACT®, the award winning blog written by the team: http://impact.freethcartwright.co.uk.
If you would like to discuss your organisation’s data protection policies, please call Deryck Houghton, Head of Intellectual Property & Technology:
o Direct dial: 0845 070 3810
o Email: deryck.houghton@freethcartwright.co.uk
Whilst every effort has been made to ensure the accuracy of this review, it does not provide complete coverage of the subjects referred to, and it is not a substitute for professional legal advice and should not be relied upon as such.