The Information Commissioner’s Office has warned CCTV operators that surveillance cameras must only be used as a necessary and proportionate response to a real and pressing problem. The warning emanated on the same day that the Information Commissioner’s Office (ICO) published its updated CCTV Code of Practice. The update includes a look at the data protection requirements placed on the operators of new and emerging surveillance technologies, including drones and body-worn video cameras. ” The UK is one of the leading users of CCTV and other surveillance technologies in the world,” said Jonathan Bamford (pictured), the ICO’s head of strategic liaison.” The technology on the market today is able to pick out even more people to be recorded in ever greater detail. In some cases, that detail can then be compared with other databases, for instance when Automatic Number Plate Recognition (ANPR) is used. This realises new opportunities for tackling problems such as crime, but also poses potential threats to privacy if cameras are just being used to record innocent members of the public without good reason.” Bamford added:” Surveillance cameras should not be deployed as a quick fix, but rather as a proportionate response to a real and pressing problem. Installing surveillance cameras or technology like ANPR and body-worn video is often seen as the first option, but before deploying such systems we need to understand the problem and whether that’s an effective and proportionate solution. Failure to conduct proper privacy impact assessments in advance has been a common theme in our enforcement cases.” Updated Code of Practice: the detail The updated Code of Practice explains how CCTV and other forms of camera surveillance can be used to process people’s information. The guidance details the issues that operators should consider before installing such surveillance technology, the measures that companies should have in place to make sure an excessive amount of personal information isn’t being collected and the steps organisations should take in order to make sure captured information is kept secure and destroyed once it’s no longer required. The ICO’s CCTV Code of Practice complements the provisions in the Surveillance Camera Code of Practice issued last year by the UK Surveillance Camera Commissioner, which applies to police forces, local authorities and Police and Crime Commissioners in England and Wales (as described in the Protection of Freedoms Act 2012). The ICO’s guidance covers a wider area, as the requirements of the Data Protection Act apply to all sectors processing personal information across the whole of the UK (including the private sector). The Data Protection Act 1998 does not apply to individuals operating CCTV for their own domestic use. Recent enforcement action taken by the ICO to stop the excessive use of CCTV includes an enforcement notice served on Southampton City Council after the latter required the video and audio recording of the city’s taxi passengers 24 hours a day. The ICO also served an enforcement notice on Hertfordshire Constabulary after the force began using ANPR cameras to record every car entering and leaving the small rural town of Royston in Hertfordshire. In both cases, the” excessive use” of surveillance cameras was reduced following the ICO’s action. ICO Blog: ‘An updated CCTV Code of Practice fit for 2014 and beyond’ In his latest blog on the ICO’s website, Jonathan Bamford discusses the ICO’s updated CCTV Code of Practice and outlines why a revised Code is required to meet the demands of modern society.” It’s nearly five months since I last wrote about the importance of having a CCTV Code fit for the demands of modern society. At that time the draft version of the Code was out for consultation. Now, all of your comments have been considered and our updated CCTV guidance is available on the ICO’s website. ” The updated CCTV Code is one that’s truly fit for the times in which we live. The days of CCTV being limited to a video camera on a pole are long gone. Our new Code reflects the latest advances in surveillance technologies and their implementation, while also explaining the key data protection issues that those operating the equipment need to understand. ” So what’s changed? Well, in some respects it’s a case of ‘keep calm and carry on’. The fundamental principles that need to be followed remain the same. People must be informed about the information being collected about them with relevant use of privacy notices and signage where required. The information also needs to be kept secure so that it doesn’t fall into the wrong hands, and effective retention and disposal schedules must be in place to make sure information is only kept for as long as necessary before it’s securely destroyed. ” However, the Code must reflect the times. The pace of technological change since our CCTV guidance was last updated in 2008″ let alone when it was first published some 14 years ago” has been considerable. These advances bring with them new opportunities and challenges for making sure the technology continues to be used in compliance with the Data Protection Act. ” One common theme from the enforcement action we’ve taken in relation to the use of surveillance cameras is that there needs to be a thorough privacy impact assessment. This needs to be conducted before deploying these increasingly powerful and potentially intrusive technologies. The Code will help operators to stay on the right side of the law and save them from wasting money and resources on non-compliant systems.” New and emerging surveillance technologies ” The new and emerging technologies section of the updated Code covers the key surveillance technologies that we believe will become increasingly popular in the years ahead. ” A number of organisations are starting to use body-worn video. These small, inconspicuous devices can record both sound and images. This can mean that they are capable of being much more intrusive than traditional town centre CCTV. On that basis, their use needs to be well justified with safeguards put in place such as to ensure they are not used when they’re not needed. There must be strong security in case the devices fall into the wrong hands. The Code details specific guidance to help deal with the challenges of using these new devices. ” The guidance also considers technologies that are not currently commonplace, but which may prove increasingly popular in future. Just last month, the Civil Aviation Authority released figures showing that over 300 companies have now been given permission to operate UAS (Unmanned Aerial Surveillance) in the UK. This figure has risen by a third within the last 12 months alone. Many of these devices can now be bought for a few hundred pounds and can record imagery. There’s important guidance on how they can be used by organisations to record personal information. ” Recreational users are also encouraged to operate UAS responsibly. For example, recording should be restricted and only carried out in controlled areas where people are informed that monitoring may be taking place. It’s important that organisations understand these obligations at an early stage if they’re to remain on the right side of the law. ” The updated CCTV Code also addresses long-standing issues where the consultation responses have shown that further clarification of the law is required. One such issue is the need for operators to comply with subject access requests. These requests are an important right enshrined in the Data Protection Act and allow individuals to request a record of any personal information that an organisation holds about them. This includes CCTV footage capturing their image. ” However, these requests have been causing a great deal of confusion, particularly for smaller operators unaware of this area of the law. The new CCTV guide includes an expanded section explaining how these requests should be handled, when the information should be given out and details of the statutory deadline of 40 days by which time operators have to provide a full response.” Complementing the Surveillance Camera Code of Practice ” We’ve designed our guidance to complement the Surveillance Camera Code of Practice published under the Protection of Freedoms Act 2012. The Surveillance Camera Code’s ‘Guiding Principles’ apply to police forces, Police and Crime Commissioners and local authorities in England and Wales as described in the Act, and contain advice about recommended operational and technical standards that others may find useful. ” The technology may change but the principles of the Data Protection Act remain the same. CCTV and other surveillance systems need to be proportionate, justifiable and secure in order to be compliant. The updated ICO Code will help to make sure that this situation continues for the years ahead.”
ICO warns CCTV operators that use of surveillance cameras must be” necessary and proportionate”
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.