The ICO's updated guidance reflects the technological developments in surveillance, particularly in relation to new technologies like body worn video and drones.

What's the issue?

The Information Commissioner's (ICO) guidance on CCTV cameras was first published in 2000.  Since the code was last updated in 2008, technological developments have moved quickly. Surveillance technology has become increasingly sophisticated and far more portable, which also means it has become more widespread.  With the increasing prevalence of surveillance cameras in our lives, have come additional privacy issues.

What's the development?

The ICO has updated his CCTV guidance (Code) and extended it to cover surveillance cameras in general, in particular, dealing with body worn video and drones for the first time.

What does this mean for you?

While many of the CCTV elements are similar to those in the previous version of the code, it is worth checking that you operate in accordance with the Code if you use any type of camera surveillance.  For those using or developing newer technologies like Automatic Number Plate Recognition, body worn cameras or drones, this is essential reading. It's particularly worth taking into account at the development stage as making products capable of data protection compliance will be key to bringing them to market successfully.

Read more

The Code emphasises the need to conduct privacy impact assessments (PIAs) prior to deciding whether or not to proceed with a surveillance system. These should look at the pressing need the surveillance system is intended to address and whether its proposed use has a lawful basis and is justified, necessary and proportionate.

In addition, the Code stresses: the requirement to ensure that the system only goes as far as necessary for the purposes required; the need to inform data subjects they are being recorded or monitored as well as of their other rights; the need to respond to data subject access requests; and the requirement to make sure data is held securely and for no longer than necessary. In other words, the overriding need to comply with the data protection principles.

The Code emphasises the possible application of other applicable legislation such as RIPA or the Protection of Freedoms Act 2012.

The main departure in the Code is the inclusion of a section on newer surveillance methods which the ICO considers are particularly intrusive such as Automatic Number Plate Recognition, body worn video (BWV) and unmanned aerial systems (UAS) e.g. drones. Both BWVs and UASs should be capable of being turned off. Special consideration has to be given as to how to inform users these technologies are being used and of their rights given, especially with UASs, that it is particularly challenging to provide fair information. Continuous recording is discouraged and said to be highly unlikely to be justifiable. Operators are also warned that audio recording is likely to be harder to justify than visual recording.

The ICO has also published a separate topic guide on drones and the Data Protection Act (DPA). The ICO reminds potential users that drones with cameras are likely to be covered by the DPA but also suggests that all users of drones consider the guidance which recommends:

  • let people know before recording begins, if possible;
  • consider your surroundings to minimise any intrusion;
  • get to know the capability of the camera;
  • plan the flight in order to minimise intrusion;
  • think before sharing images;
  • keep images safe.

The issue of drones and their impact on privacy is becoming increasingly pressing.

The ICO recently gave evidence to a Parliamentary Committee on the risk to privacy posed by drones and underlined that use of drones for commercial purposes must be carried out in accordance with the DPA. He also said that the line between commercial use of cameras and private use was blurring and that the ICO was under pressure to regulate the private use of drones and other surveillance technology despite the fact that such use might not be covered by the DPA.

In addition, the CJEU is currently considering a case on the private use of CCTV. The Advocate General has given a preliminary Opinion saying that to the extent that such use covers public spaces, it should be caught by data protection law.  This is contrary to the ICO's view. Until the final judgment is handed down, the ICO says this is "a little bit of a moving field".