Since the end of October, businesses have been facing possible fines of up to £5000 if their CCTV systems do not meet the requirements of the 1998 Data Protection Act... but are they aware the law has changed, or just confused?
The period of leniency for businesses to adapt old data systems to comply with the Data Protection Act came to an end in October, yet many companies are still ignoring its requirements, warns the British Security Industry Association.

Those companies are now subject to criminal and civil action and subsequent hefty fines. Says the BSIA: "They do so at their peril because the Information Commissioner, who is responsible for overseeing the Act's implementation, has powers to impose fines of up to £5000 on non-compliant companies, and even close them down if they are persistent offenders."

The Act applies to all businesses processing personal data, which covers personnel and customer records, records of sales calls, mailing lists and other forms of data including closed circuit television images.

CCTV installation companies or any non-specialist installers who occasionally work in this sector should also be aware of their customers' responsibilities.

Appoint a Data Controller
Businesses must appoint a Data Controller and notify the Information Commissioner of the data being held and the person responsible for it.

Since March 2000, all personal data systems initiated or significantly adapted since 24 October 1998 have had to comply with the 1998 Data Protection Act. Systems initiated before 24 October 1998 were allowed a transitional period to ensure compliance, which ended on 24 October 2001.

Closed Circuit Television
Businesses recording images of people on CCTV must notify the Information Commissioner immediately if they haven't already done so. The Information Commissioner produced a code of practice in 2000 specifically for CCTV, which outlines good practice that will ensure compliance with the Act.

It includes requirements such as:

  • there must be a legitimate basis for installing CCTV cameras;
  • cameras must be sited so that only public spaces are monitored;
  • clearly visible signs should be placed in the proximity so that people are aware they are under surveillance;
  • the use of covert cameras is only lawful if a specific, identified criminal activity is being investigated;
  • data subjects must be allowed access to images recorded of them, and all images must be processed fairly and lawfully, documented and retained no longer than necessary.

Information Disposal
Disposal of confidential information is a part of data processing that has often been overlooked to damaging effect by organisations.

Stories of confidential documents turning up on landfill sites and making the newspaper headlines should be warning enough, says the BSIA. Now, such incidents could be the subject of prosecution under the Act. The BSIA has produced a factsheet on secure information disposal, including advice such as:

  • confidential data should be disposed of in a secure manner using a professional data destruction company;
  • destruction should be carried out under contract and evidenced in writing;
  • there should be a audit trail from the point of collection to shredding or incineration.

Customers so confused
One company says that its customers have been so confused over the legislation that it has launched a series of seminars presenting the new code in "simple, practical terms."

Says Simon Edgar, UK Commercial General Manager of Checkpoint Meto CCTV: "In the majority of cases non-compliance has nothing to do with complacency – it's simply due to the fact that many organisations are unaware that the law has changed. Because of the low-key way in which the legislation was bought in and the complicated clauses of the DPA, a lot of businesses are either completely unaware of the legislation, or just confused as to what they are expected to do."

Despite the publication of the Code which also provides "good practice" guidelines for users, Checkpoint Meto says the majority of its customers were either uninformed or confused.

As a result, the company, a multinational which provides tagging and labelling systems as well as CCTV, teamed up with lawyers from Coffin Mew and Clover to devise a series of seminars entitled 'CCTV and The Law'.

Aimed at presenting the code in simple, practical terms, corporate law expert Amanda Brockwell and Checkpoint Meto's Simon Edgar, set out to shed light on the basic legal obligations. Comments Brockwell; "Among the host of safeguards necessary under the new legislation, CCTV operators are now obliged to erect signs informing the public if cameras are in operation. If signs aren't in place, the surveillance is termed covert, which is only permitted in extreme circumstances involving crime detection and catching criminals – and even then, users must have incontestable proof that making the presence of that camera known would hinder its crime-fighting purpose.

"... I suspect for people not working in the legal field, establishing what is and what isn't acceptable would be extremely hard work. Through our series of seminars, we have been able to dispel a lot of the confusion that surrounds the Code of Practice and offer businesses some sound advice on how best to fulfil their obligations at the same time."

Edgar concludes; "... with so much confusion still surrounding the subject, (we) intend to continue running them for some time yet."

ADT is also urging CCTV users to comply with the ACT and has put out a "simplified" list of requirements. Says the company: "In the past decade the use of CCTV for surveillance has grown to unprecedented levels.

It is estimated that in Britain 300,000 cameras are currently monitoring shopping areas, housing estates, car parks and public facilities in thousands of towns and cities."

The company adds that it provides its customers with "the necessary signage to comply with the regulations."

  • For more information on CCTV and the secure disposal of confidential inform-ation visit the BSIA website on www.bsia.co.uk or call the helpline on 01905 21464.

  • Companies needing to register their systems or needing a copy of the CCTV Code of Practice: contact Office of the Information Commissioner on 01625 545745 or www.dataprotection.gov.uk

  • For more information on 'CCTV and the Law' seminars contact 01384 791900

    Comment invited on remote monitoring standard

    The revised PAS 38 on remote monitoring will be published as a Draft for Public Comment early this year, with the intention that it will become a British Standard in Summer 2002. The BSIA working group for PAS 38, (the Publicly Available Specification standard for the Remote Monitoring of Detector Activated CCTV Systems) completed its revisions in October. The working group consisted of CCTV manufacturing, installation and alarm receiving companies. Adam Wiseberg, Chairman of the BSIA CCTV Section and chair of the PAS working group, said, “BSIA companies have taken the lead on this issue because we felt it was crucial that a standard was developed for this technology quickly, for the benefit of the industry and end-users. Clearly it was important that the standard did not hinder the development of the technology and for this reason we asked the British Standards Institution to publish it as a PAS, which meant that it was available for the industry to use immediately and was also open to comments. However, despite it being a ‘publicly available’ standard that was open to comments via the BSI, concerns were expressed by non-members that their views had not been taken into account. “We took this on board and formed a working group to review comments on the standard, which consisted of both member and non-member companies.” The revision will be published as a Draft for Public Comment this year and a BSIA working group will consider additional comments before it is developed into a BS.