The Act focuses on the individual's right to be protected against the inappropriate use of any type of data including that collected by CCTV. System owners are legally responsible for ensuring the Act is adhered to. However, system installers and sub-contracted operators also have a responsibility to offer good advice. This must include the sitting of systems, specification of an appropriate number of cameras, quality of the hardware and images produced, operation procedures, the systems appropriate use and accessibility of the data processed to individuals.

Personal data is the key issue and the Act specifies eight principles that all owners of systems have a legal requirement to adhere to. These are that personal data shall be:

•  processed fairly and lawfully
•  obtained only for specified and lawful purposes and further processed only in a compatible manner
•  adequate, relevant and not excessive
•  accurate and up to date
•  kept for no longer than is necessary
•  processed in accordance with the rights of data subjects
•  kept secure
•  transferred outside of the European Economic Area (EEA) only if there is adequate protection

The CCTV Code of Practice provides guidance regarding enforceable standards and good practice recommendations. Copies can be obtained by contacting the Data Commissioner. In summary guidance covers seven areas of which key points are as follows;

Initial Assessment Procedures
What are the systems purpose e.g. prevention, investigation and detection of crime, apprehension and prosecution, monitoring security of premises and safety.

Siting of Cameras
Cameras must only monitor intended areas and used to achieve the purpose of the scheme. Signs are required to advise the public that they are entering an area covered by CCTV.

Quality of Images
- Images must be as clear as possible and effective for the purpose intended.
- Tapes must be of good quality and replaced regularly.
- The recording medium should be cleaned before new images are recorded on top.
- Inclusion of accurate date and time reference
- Recording should only take place at appropriate times
- Facial recognition systems must involve human verification

Processing The Images
- Images should not be retained for longer than necessary
- Documentation of handling procedures
- Restricted viewing and access to authorised employees
- Training and awareness of staff

Disclosure Of Images To Third Party
- Images must be restricted to relevant staff
- Limited to 3rd Parties in particular circumstances e.g. law enforcement prosecution agencies

Access By Data Subjects
- Staff must recognise requests for images from data subjects
- A straightforward access form must be available
- Maximum £10 fee for data search
- Individuals should be provided with information regarding processing

Monitoring Compliance
- Managers should undertake regular reviews
- Complaints should be recorded
- An annual assessment of effectiveness should be conducted and made public

The Act is designed to protect individuals from inappropriate use of systems and the data collected. However, the Act could be a double-edged sword. The intention of protecting and individual's right to privacy must be welcomed, but does that Act's intentions go too far in relation to CCTV systems?

It is feared in some quarters that the Act will lead to a reduction in operational CCTV systems. This is because of increasing regulation and cost, as well as the accessibility of the system's data to members of the public, where appropriate, and the procedure for allowing access to data. If this were to happen what about the rights of the individual to walk safely through a town centre at night or a business to protect its staff from unwanted visitors?

However, this is a pessimistic view. There will be teething problems and no doubt a few highly publicised test cases in the courts. If the owners of CCTV systems use regulated companies to install and maintain systems, and where appropriate regulated monitoring companies to provide the day-to-day operation of the system, the negative implications of the Act should be minimised.

For further information on the Act call the office of the Information Commissioner on 01625 545745 or visit the website www.dataprotection.gov.uk

CCTV Law Shake-Up Warning

Crimes caught on closed circuit television and recorded onto videotape could be ruled inadmissible as evidence in court if motor retailers fail to register their equipment before new laws are introduced at midnight on 23 October.

Motor retailers could find their insurance claims rejected or even face demands for compensation if CCTV apparatus is not registered.

The rules are being introduced under the Data Protection Act 1998 because police want CCTV video film quality improved so they can identify and catch criminals more easily and can only do this if cameras, video recorders and monitors are working properly.

The Retail Motor Industry Federation (RMI) is warning businesses to act fast and get their CCTV equipment registered with the Office of the Data Protection Commissioner as soon as possible.

RMI chief executive, David Evans, said: ‘It is extremely important that businesses register their CCTV equipment as soon as possible, particularly following reports of major thefts of new cars from dealerships in recent weeks.

CCTV is intended as a way for businesses to improve security, but if this equipment either does not work properly or the video recordings are of such bad quality as to prevent the police from using them to trap criminals, business owners may as well advertise their property as an easy target for would-be thieves.

The RMI has put together a straightforward guide for businesses to follow once they have actually applied for CCTV registration.

How to register and how to comply

There is an eight-section Code of Practice to follow.

1. Initial Assessment Procedures
Establish the person or data controller responsible for the scheme. This could also be a registered company. Next, assess the reasons and establish the purpose of the scheme. This is then documented through a notification form, which is lodged with the Office of the Data Protection Commissioner and will cost £35 a year. Get a notification form by calling 01625 545740 or logging onto the website www.dpr.gov.uk/notify or www.dpr.gov.uk. Once you complete and send off the notification form, you will be sent a registration form.

2. Positioning cameras
Position cameras so they solely monitor intended areas. If properties other than those belonging to your business are covered by the scheme, you must consult the owner of such areas. If members of staff are able to adjust cameras this should be restricted or staff trained to ensure they understand the need to cover only the intended area. Signs should be placed so the public can clearly see they are entering an area covered by CCTV. These signs should contain the identity of the person or organisation responsible for the scheme, the purpose of the scheme and contact details.

3. Image quality
Checks should be done to ensure equipment performs properly. If using videotapes, these should be good quality and cleaned so images are not recorded on top of images. If the quality of recorded images deteriorates the recording medium should be changed. If the system records date, time and location, these need to be accurate. Cameras should also be properly maintained and protected. Damaged cameras should be fixed within a specific time period.

4. Processing images
Do not keep images for any longer than is necessary. Once this retention period has expired the images should be erased or destroyed. If images are retained for evidential purposes, they should be retained in a secure environment. If images are removed to be used for legal proceedings, you should ensure the date of removal, the reason, crime incident number, the new location of the images and the signature of the collecting police officer are documented. All operators with access to the recorded images should be trained in their responsibilities under the code of practice. Monitors displaying recorded images should be in a restricted area with access restricted to designated members of staff.

5. Access to and disclosure of images to third parties
Access to recorded images should be restricted to staff who actually need to use the equipment. All access to the medium on which images are recorded should be documented, as should any requests for access. Recorded images should not be made widely available.

6. Access by data subjects
Under the Act anyone captured on CCTV has the right to ask for a copy of the image. All staff involved in operating the system must be able to recognise this request. Anyone requesting such information must be given a ‘standard subject access request form’ and a leaflet describing the type of images and the reason for the CCTV system. Anyone requesting an image can be charged up to £10. When providing the image the data controller or designated employee must make every effort to ensure other data subjects are not identified. All staff must be aware of the individuals’ rights under this section of the Code of Practice.

7. Other rights
Under the Act an individual has the right to request that a data controller cease processing data related to that individual, if the processing is liable to cause damage or distress to that individual. All staff involved in operating the equipment must be able to recognise such a request. Requests should be responded to within 21 days, setting out the response to the request and the reasons if the request is denied.

8. Monitoring compliance with this Code of Practice
The Data Controller or designated member of staff should undertake regular reviews of the documented procedures to ensure that the provisions of this code are being complied with.

Useful Contacts

Data Protection Commissioner
Telephone 01625 545745
Fax 01625 524510
www.dataprotection.gov.uk

Data Protection Registry
Telephone 01625 545740
www.dpr.gov.uk