CCTV is becoming a common feature of our everyday lives, recording our movements in shopping centres, car parks, communal areas of flats and many other places.

As public awareness of rights under Data Protection legislation increases, those who use CCTV should be aware of the appropriateness of their use of CCTV and their handling and storage of the data and images it produces. CCTV is essentially an intrusion into an individual's privacy, so the law aims to regulate its use and restrict its impact. Companies need to be aware of the many obligations placed upon them, extending well beyond notifying the public of the presence of the cameras.

Big Picture

Under the Data Protection Act (DPA) 1998, images recorded by CCTV may constitute personal data of the individuals who are recorded. This means that any company responsible for the presence of the camera, normally the landlord or business tenant but also potentially any security contractor or property management agent, is the data controller of the CCTV images and the information they contain.

The DPA makes the data controller liable for obtaining, processing and securing personal data. Even if the landlord/tenant delegates responsibility for the storage or processing of films to a third party, they are most likely still liable for the handling of the information. Therefore it is imperative for the landlord/tenant to be aware of their obligations and responsibilities under the legislation to prevent being found in contravention, and possibly liable for criminal offences.

Red Tape

The new code sets out the main issues for anyone considering or currently using CCTV on their premises in a very user-friendly way. These include:

  • Purpose - is the business's aim best achieved by using CCTV or could another solution have the same effect? Is CCTV justifiable and proportionate in the circumstances?
  • Notification - data controllers must notify the Information Commissioner via a public notification register and be registered for the purposes for which they collect and process data. Failure to do so is a criminal offence.
  • Delegation - data controllers cannot delegate responsibility for any operation, maintenance, handling or storage of data. They must have a written contract with the data processor, who can only act on the data controller's instructions. The data controller will be liable for the failings of the data processor. Therefore the relationship between the two must be closely monitored and regulated by the data controller to ensure compliance with the law.
  • Implementation - data controllers must have policies in place to control the way in which personal data is collected, for what reasons it is processed, who is allowed access etc. But the responsibility doesn't end there. Employees should be trained about how data protection applies to their job so that those policies are put into action effectively by the workforce. 
  • Storage and security - there is no point in diligently collecting data and using it correctly if the data is then abandoned and unprotected. Companies should consider the length of time they need to store the information, what location is appropriate, what physical security arrangements need to be made and what organisation procedures can be put in place to prevent accidental and malicious loss and damage. The police can request copies of CCTV footage so the material needs to be stored in a format that can be accessed easily by the police.
  • Informing the public - covert surveillance is the prerogative of the very few. Most organisations need to be open about who is doing the recording.

An impact assessment of the company's approach to data protection compliance is an effective method to try to assess the above factors and provide hard evidence that the company has made every effort to fall within the law. Annual re-assessments on renewal of the company's data protection notification should ensure that any changes in the law are incorporated and remind employees of the importance of adhering to data protection policies.

Warning for the camera shy...

Bad press in relation to the loss and mishandling of personal data shows how important having well-implemented, pro-active policies is in order to stay away from the harsh light of a reporter's camera!

Ready, steady, action!

So, watch out for the publication of the new Code of Practice governing CCTV usage available today from the Information Commissioner's website.