Does your CCTV system comply with the ICO’s new CCTV guidance?

9th January 2015

The commonplace use of CCTV, camera (and video) phones and other devices which are capable of recording images of individuals means that as a society we have all become accustomed to the fact that we are often being recorded as we go about our daily business.

However, the rapid development of surveillance technology together with its increased use in a more intrusive and proactive manner has given rise to public concern about the ways in which CCTV and other surveillance cameras are being used and the data protection implications.

In light of this the Information Commissioner’s Office (the ICO) has published a new and updated code of practice for the use of CCTV, In the picture: A data protection code of practice for surveillance cameras and personal information (the New Code) which provides good practice advice for those involved in operating CCTV and other devices which view or record individuals or which collect other information relating to individuals. The New Code has been extended to cover new technologies including Automatic Number Plate Recognition, body worn video, unmanned aerial systems (or drones) and other systems that capture information of identifiable individuals or information relating to individuals.

Many organisations will also need to comply with the Surveillance camera code of practice (the POFA Code) issued under the Protection of Freedoms Act in England and Wales or the CCTV Strategy for Scotland in Scotland. The New Code is consistent with the POFA Code and compliance with the New Code will also help organisations comply with the POFA Code.

Here are our top tips on what organisations need to do to ensure that they are complying with both the ICO’s new guidance on CCTV systems and the surveillance camera code of practice

• Consider carefully whether a surveillance system is the best solution to the problem

– The use of the surveillance system needs to be justified, necessary and proportionate.
– You will need to take into account the nature of the problem you are seeking to address, whether there are any better solutions to the problem and the impact that the surveillance system may have on individuals. The best way to assess the impact on individuals is to complete a Privacy Impact Assessment (PIA) and the ICO’s guidance on how to complete a PIA is available here.
– Where a surveillance system is already in use, this should be regularly reviewed to determine whether its continued use is necessary and proportionate.

• Make sure that your data protection registration with the ICO is updated to include all relevant details relating to the use of the surveillance system.
• Ensure the information collected by the surveillance system is administered effectively.
• You will need to put in place a clear policy for the handling of any personal information collected by the surveillance system which needs to include:

– what information should be recorded.
– where the CCTV cameras (or other types of devices) are to be located.
– how the information is to be used.
– how the information is to be kept secure technically, organisationally and physically.
– to whom the information can be disclosed and in what circumstances.
– how subject access requests will be dealt with.
– when the information will be deleted.

• Let people know that they are in an area where a surveillance system is in operation.
  The most effective way of doing this is to use prominently placed signs in and around the area covered by the surveillance system.
• The signs should also contain details of the organisation operating the system, the purpose of using the system and who to contact about the system together with basic contact details, such as a website, telephone number or email address.
• Clearly document all your procedures relating to the use of the surveillance system and where appropriate provide training on these procedures to the relevant people.
• Allocate responsibility for compliance with these procedures to a specific individual.
• Carry out regular proactive checks or audits to ensure that the procedures are being properly followed.
• Make sure that the information recorded is stored securely, and where necessary encrypted.
• Access to the information should also be restricted to only those who need access.
• Carry out regular checks to make sure that information is being deleted in accordance with your policy.
• These checks should also confirm that the information has been permanently deleted through secure methods.
  Ensure that there is a written agreement in place with any third parties outside your organisation who process any data on your behalf. The agreement needs to clearly set out:

– how the data is to be processed, which should only be in accordance with your instructions.
– how the data is to be stored.
– how the data is to be kept secure.
– the third party’s obligations to only use properly trained staff and to keep the data confidential.

• Review your policy regularly (and at least annually) to ensure that it remains up to date and that your procedures are being followed.
• Complete the Surveillance camera code of practice: self assessment tool to find out how well your organisation complies with the 12 principles of the surveillance camera code of practice.

Organisations which use CCTV and other surveillance devices need to review their existing policies and practices to ensure that they comply with the New Code.

If you have any questions about the new CCTV code or data protection in general, please contact Jeanette Burgess, Head of Regulatory & Compliance at Walker Morris.