On 15 October 2014, the Information Commissioner’s Office (the ICO) issued a revised code of practice on the use of CCTV video surveillance (the Code). The previous version of the Code was issued in 2008 (the 2008 Code) and was in need of an update given, among other things, changes in surveillance technologies and activities.
The Law – A reminder
The majority of surveillance systems are used to monitor or record the activities of individuals. The footage recorded by such systems is likely to constitute personal data for the purposes of the Data Protection Act 1998 (the DPA). This means that organisations that operate surveillance systems will need to process the footage collected via those systems in accordance with the DPA.
The DPA sets out eight principles which all data controllers (organisations which control the way personal data is processed) must comply with. While all of the principles must be considered when any personal data is processed, the key principles in relation to the use of CCTV and other surveillance technologies are as follows:
- Personal data must be processed fairly and lawfully
- Personal data must be adequate, relevant and not excessive
- Personal data must not be kept for longer than necessary
- Personal data must be kept secure
The updated Code offers guidance to organisations as to how to comply with the data protection principles. Complying with the Code will help organisations to meet the requirements of the DPA, but there is other legislation which may also need to be considered – for example, the Freedom of Information Act 2000, the Protection of Freedoms Act 2012 (and the Surveillance Camera Code of Practice issued under that Act) and the Human Rights Act 1998.
The Updated CCTV Code
The Code essentially restates many of the recommendations set out in the 2008 Code. However, it has been drafted to address issues raised by a consultation carried out by the ICO earlier this year in relation to the 2008 Code and to deal specifically with a number of emerging surveillance technologies which pose new risks to the privacy of individuals.
Emerging surveillance technologies
Examples of the emerging technologies that the ICO has highlighted in the Code are Automatic Number Plate Recognition (ANPR) and Body Worn Video (BWV).
ANPR systems now collect much greater volumes of data and are capable, in some circumstances, of recording images of vehicles, and their drivers and passengers. The data shared by these ANPR systems can be more easily combined with other databases meaning the information can be manipulated in a way which could, if not monitored, have a negative impact on privacy. The ICO recommends that organisations must be able to justify the use of such systems and demonstrate that their “introduction is proportionate and necessary”.
BWV, by its very nature (i.e. mobile recording equipment), is potentially highly intrusive on privacy, particularly given that some BWV devices have the capacity to record both images and sound. The use of such systems must be justifiable and proportionate. Where the BWV continuously records images and sound and is never switched off, the organisation operating the BWV is likely to need “strong justification” for such use. The ICO recommends using a BWV system where sound and image recording can be turned on and off independently of each other. This mobile technology also carries other inherent data protection risks (for example, it could be easily stolen), so the steps taken to safeguard the devices in accordance with the principle set out above should also be considered.
Subject Access requests
The Code also expands on previous guidance about how to handle subject access requests received where CCTV footage may be concerned.
Under the DPA, organisations are obliged to provide a copy of all personal data caught by the access request (which could include CCTV footage) unless an exemption applies. The data subject can consent simply to view the relevant CCTV footage; however, if the individual does not give such consent, the organisation operating the system is likely to have to provide a hard copy of the footage. The guidance highlights that a transcript of the footage is unlikely to be sufficient to comply with a subject access request as it will not reflect all of the personal data held.
- Review your use of surveillance equipment in light of the Code.
- If considering implementing surveillance equipment, carry out a privacy impact assessment and consider whether your proposed use complies with the Code.
- Be transparent by displaying clear signs to show surveillance is taking place.
- Keep data safe by controlling access.
- See more at: http://www.bonddickinson.com/insight/publications/lights-camera-action-new-cctv-code#sthash.fcRc8taT.dpuf