< Back

Share |

Regulating CCTV use in the UK

March 2014

The growth of CCTV

We have grown to tolerate and, in certain cases, accept that CCTV is always behind the scenes recording our day to day activities. A report published by the British Security Industry Association in July 2013, estimated that there were up to 5.9 million CCTV cameras operating in the UK, approximately 1 for every 11 citizens. Given these numbers, it is perhaps understandable that people question whether it is right that we have allowed CCTV to become so ubiquitous and whether we have failed to heed the warning of the previous Information Commissioner, Richard Thomas, against 'sleep walking into a surveillance society'.

Although the spread of CCTV has been rapid, public concerns about its intrusion into our lives have been limited.  There are a number of reasons for this:

  • the initial limitations of the technology, including storage memory capacity and poor image resolution, acted as a brake on the retention and use of images;
  • the fact that that the CCTV systems privately owned by businesses and shops outnumber those operated by the police and local authorities by as many as 70 to 1; and
  • the existence of a complex web of regulation, guidance and standards that has evolved over time and is relevant to those operating CCTV.

However, with technological developments and the increase of CCTV in public places, as we look ahead to the future of CCTV within our society, the role of regulation and guidance will become increasingly important.

the regulatory landscape

The regulatory landscape

Data Protection Act 1998 (DPA)

The DPA applies to all operators of CCTV where the use of the system involves the processing of personal data which will include footage from CCTV cameras of individuals (perhaps walking down the street or moving round their place of work) or information that relates to them from which they can be identified (such as an ANPR image of a driver's car licence plate number entering a car park).

Because the  purpose of most CCTV is to learn and record something about what people are doing, the DPA will apply unless it is only being used in a home for domestic or household purposes or if the recording is a personal one captured by their digital camera or smart phone.

To help organisations apply the requirements of the DPA to their use of CCTV, the regulator of the DPA, the Information Commissioner (ICO), has published a CCTV Code of Practice. The current version of this code was last revised in 2008.

Although compliance with the code itself is not a legal obligation, it reflects the legally enforceable requirements of the DPA and the view of the ICO as to how compliance with the DPA can be achieved.

The ICO's CCTV Code of Practice – key requirements


Assess the risk
- in particular before installing CCTV, the code expects organisations to first consider the impact of their proposed use of CCTV on people's privacy.

Internal controls and procedures - the code goes on to give guidance on the checks and balances needed around the handling of images, including whether the organisation responsible for the system has notified the ICO that they are a data controller, the purpose of the processing of images as well as how and under what circumstances these may be disclosed, among other details.

Other checks should include procedures for how the images will be handled and ensuring that the responsibility for delivering compliance with these procedures within the organisation is allocated to a named individual.

Selecting and siting cameras - guidance is provided in the code on selecting and siting cameras to make sure these only record what is relevant at a time when this is relevant and that any captured images are of the right quality. The code warns against siting cameras in places where people would have a higher expectation of privacy such as changing rooms or toilets.

Use of CCTV Equipment - the code recommends in addition to ensuring good image quality, that other features of the system are appropriate and fit for purpose such as:

  • ensuring any date and time stamps recorded to images are correct;
  • ensuring where wireless transmission of digital image data is involved, that adequate measures have been taken to secure the data stream from unauthorised interception.

Audio recording of conversations by CCTV should not typically be enabled unless exceptional circumstances apply such as with audio help points covered by CCTV activated by a member of the public or the use of specific recording (and only )where it is made very clear that audio recording may also occur.

Look after recordings - operators of CCTV are expected to make sure that recordings are stored in such a way that image quality is preserved and images can easily be extracted from systems when required by law enforcement agencies. The images must remain secure and only be viewed under restricted conditions with access limited only to authorised personnel.

Image storage should be for no longer than is required for the organisation's own purpose, and only held beyond this if needed by law enforcement agencies investigating a crime. When no longer required then image deletion must be thorough and secure.

Generally speaking, disclosures should be limited to circumstances such as preventing or detecting crime or where people ask to view images of themselves provided that in both cases, the disclosures are subject to clearly documented processes, including considering if providing images may unfairly intrude on the privacy of any third party and, if so, making sure these images are obscured.

Publicising the use of CCTV - importantly, operators of CCTV are expected by the code to make clear to people when they are entering and are within an area under CCTV surveillance through signs that are:

  • clear, prominent, readable;
  • identify the operator of the system, giving details of who to contact about its use; and
  • explain the purpose of the CCTV.


Separate, specific guidance on the use of CCTV in the workplace is also provided in the ICO's Employment practices Code and more information on the specific considerations for employers using CCTV can be found in our article on Use of CCTV in the Workplace.

Human Rights Act 1998 (HRA)

The HRA implements the European Convention of Human Rights and states, among other things, that individuals have a right to respect for their private and family life, their home and their correspondence

looking through the blindsPublic authorities are required to act in a way compatible with the HRA and although the HRA is not directly enforceable against private organisations, the HRA does require a court or tribunal to interpret any UK legislation in a way that is compatible with the rights set out in it.  This means that, where appropriate, courts and tribunals used by public and private bodies in proceedings such as employment tribunals, must consider individuals' privacy rights.

Regulation of Investigatory Powers Act 2000 (RIPA)

Part II of RIPA regulates covert surveillance by public authorities using, among other things, CCTV. Following concerns that public authorities were using powers under RIPA to conduct surveillance that was out of proportion to the minor nature of the offences under investigation, RIPA was amended by Part 2 of the Protection of Freedoms Act in November 2012 (see below) to require designated public authorities to obtain the prior approval of a magistrate for any covert surveillance authorised under RIPA.

Freedom of Information Act 2000 (FOIA)

Where public authorities operate CCTV then they may receive requests under the FOIA for recorded information held by them or on their behalf. Requests received under the FOIA must be responded to within 20 working days of receiving the request.

Where the requested footage contains images about individuals then an exemption under s40 of the FOIA covering personal data of individuals may be relevant. In particular, where the requested images are those of the requestor, then the information is exempt under the FOIA and the request should instead be treated as a request made under the separate subject access provisions of the DPA (see above). However, where images include other people, then whether it is possible to release this information under the FOIA will depend on whether disclosure would breach the data protection principles and, in particular, whether under the first principle, the processing would be unfair to the subjects of the footage.

Protection of Freedoms Act 2012

In line with a public intention of the coalition government to limit state surveillance, A Surveillance Camera Code of Practice (SCCP) was published in July 2013, under the Protection of Freedoms Act 2012.The code applies to the appropriate and effective use of CCTV CCTV camerasystems in public places by 'relevant authorities' such as local authorities and policing authorities, regardless of whether or not there is any live viewing or recording of images, information or data. Others who use CCTV are also encouraged to abide by its terms. Covert surveillance is not covered by the code but is instead subject to the separate RIPA and DPA (see above).

The SCCP starts from the expectation that operators should seek to achieve surveillance by consent through use of CCTV that is in line with a "legitimate aim and a pressing need".  This should be clearly expressed and documented and utilise technology that is proportionate to the purpose.

The SCCP establishes twelve guiding principles that system operators should adopt and designates responsibility for ensuring compliance with the code to a Surveillance Camera Commissioner. The Commissioner's role to advise and review its operation falls short of any enforcement or inspection powers although compliance with the code may be taken into account in actions brought before the courts or in complaints to other regulators (such as the ICO) where these systems involve the processing of personal data of individuals (see above).

SCCP Guiding Principles
  • Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet a pressing need.
  • The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
  • There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
  • There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
  • Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
  • No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted when their purposes have been discharged.
  • Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
  • Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
  • Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.

 

Looking ahead

There are a number of changes on the horizon that suggest we may have reached a crossroads in the capabilities and use of CCTV.

Looking aheadFirst, advances in technology will present greater opportunities to collect, analyse and share image data. These developments include a shift from analog to digital and IP networked systems as well as enhancements such as ANPR, body scanning systems and the use of facial recognition.

In addition, we have the competing legal challenges of potential changes to European data protection law and the anticipated publication of plans by the current Government to replace the HRA with a Bill of Rights that would no longer subject the UK to the decisions of the European Court of Human Rights.

Guidance backed up with effective regulation of CCTV systems will arguably need to become more important in the future if public trust and confidence in the continued use of CCTV is to be maintained. Given this, it is worth noting that the ICO has confirmed that his office is updating its current CCTV code of practice and it is expected that a revised code will be published for full consultation later this year.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Regulating CCTV use in the UK
Sally Annereau

Sally Annereau      


Sally looks at the development of CCTV in the UK, the current regulatory landscape and what the future holds.

"People question whether it is right that we have allowed CCTV to become so ubiquitous and whether we have failed to heed the warning of the previous Information Commissioner, Richard Thomas, against 'sleep walking into a surveillance society'."