Legal Compliance
CCTV and the Data Protection Act
Closed circuit television (CCTV) surveillance is an increasing feature of our daily lives. There is an ongoing debate over how effective CCTV is in reducing and preventing crime, but one thing is certain, its deployment is commonplace in a variety of areas to which members of the public have free access. We might be caught on camera while walking down the high street, visiting a shop or bank or travelling through a railway station or airport.
There was no statutory basis for systematic legal control of CCTV surveillance over public areas until 1 March 2000 when the Data Protection Act 1998 came into force. The definitions in this new Act are broader than those of the Data Protection Act 1984 and so more readily cover the processing of images of individuals caught by CCTV cameras than did the previous data protection legislation. The same legally enforceable information handling standards as have previously applied to those processing personal data on computer now cover CCTV.
The standards which must be met if the requirements of the 1998 Act are to be complied are based on the eight Data Protection Principles which say that data must be;
fairly and lawfully processed;
processed for limited purposes and not in any manner incompatible with those purposes;
adequate, relevant and not excessive;
accurate;
not kept for longer than is necessary
processed in accordance with individuals' rights;
secure;
not transferred to countries without adequate protection
The Information Commissioner does have the power to issue Enforcement Notices where he considers that there has been a breach of one or more of the Data Protection Principles. An Enforcement Notice would set out the remedial action that the Commissioner requires to ensure future compliance with the requirements of the Act. In the case of CCTV, the Information Commissioner will take into account the extent to which the users of such surveillance equipment have complied with the CCTV Code of Practice (see below) when determining whether they have met their legal obligations when exercising his powers of enforcement.
A further aspect of the Data Protection Act 1998 is that it allows the Information Commissioner to produce, where appropriate, Codes of Practice providing guidance in connection with the legislation. It was determined that because of the increasing and widespread use of video surveillance systems, that a code of practice covering this field would be beneficial. The code, as produced, deals with surveillance in areas to which the public have largely free and unrestricted access (for example town centres and large shopping complexes) because there was a particular concern about a lack of regulation and central guidance in this area.
Although the Data Protection Act 1998 covers other uses of CCTV this Code addresses the area of widest concern. Many of its provisions will be relevant to other uses of CCTV and will be referred to as appropriate when we develop further guidance (such as the CCTV Small User Checklist). There are some existing standards that have been developed by representatives of CCTV system operators and, more particularly, the British Standards Institute. While such standards are helpful, they are not legally enforceable. The changes in data protection legislation mean that for the first time legally enforceable standards will apply to the collection and processing of images relating to individuals.
This Code of Practice has the dual purpose of assisting operators of CCTV systems to understand their legal obligations while also reassuring the public about the safeguards that should be in place. It sets out the measures which must be adopted to comply with the Data Protection Act 1998 and goes on to set out guidance for the following of good data protection practice. The Code makes clear the standards which must be followed to ensure compliance with the Data Protection Act 1998 and then indicates those which are not a strict legal requirement but do represent the following of good practice.
Following on from the production of the CCTV Code of Practice, there has been the development of the CCTV Small User Checklist. This document is aimed at small-scale CCTV users (for example small businesses and small retail units) and aims to provide straight forward guidance to the operators of such systems of what they need to do comply with the requirements of the Data Protection Act.
Copies of the CCTV Code of Practice and the CCTV small user checklist can be found on the Information Commissioner's website; www.informationcommissioner.gov.uk
Last update: Thursday, September 14, 2006