Security managers need to get to grips with the implications of the Data Protection Act and will almost certainly need to revise their procedures to meet the requirements of the act. Andrew Holmes and Alan Davenport unravel the legal complexities.
If ever a piece of legislation can be described as a “sledgehammer to crack a nut,” this is it. Variously described as “draconian,” or “interface with justice,” The Data Protection Act 1998 is the first statute to directly affect the use and management of CCTV. This new law affects every CCTV installation and other legislation will follow.

At the time of writing this article there are still issues that the Data Protection Registrar, now known as the Data Protection Commissioner, has to clarify. However the information is the very latest interpretation we can give of the legislation.

Scope of the Act

The Data Protection Act 1998 has superseded the 1984 Act and now covers a number of other ‘data’ storage and retrieval systems. The Act was introduced as part of the UK Government’s response to the growing unease by the House of Lords and some sections of the public, on the use and abuse of CCTV generated material. It is also a part of the Government’s response to the European Directive on Privacy Issues and will be complemented in October 2000 by the incorporation into UK law of the Human Rights Act.

From 1st March 2000 any member of the public or staff of an organisation has the right to request access to any CCTV data that they believe a CCTV ‘owner’ holds, and in which they appear. It is important to note that they do not have to give a reason for the request and Data Controllers are not entitled to ask for one.

There are some exceptions to this principle but the watchword now for those using CCTV has to be “consider the privacy of those who you view.” By definition many of the standards associated with this Act apply to those who record data and so any CCTV system that does not have a recording element to it is currently outside the majority of the Code; however, it is not outside the Act. Viewing personal data for the purposes of crime prevention, detection or the promotion of public safety is regarded as processing and as such requires the system to be registered. The owner would then have to meet at least Principles 1, 2, 3 and 7.

Criteria for registration (Notification)

There are two elements to consider in determining how the Act applies to your system. Firstly the date it was installed. Secondly, how you record your system output. Remember the Act requires you to comply with the Data Protection Principles even if you are not required to register or ‘notify’ as it is now called.

If your system was installed before 24th October 1998 and uses videotape based recording systems that require you to manually find the images by using the fast forward or rewind buttons, then you benefit from the first transitional period. If you have not registered under the 1984 legislation you have until October 2001 to register and comply with the current Act. If you have registered under the 1984 legislation then you will move to the 1998 legislation when you first re-register after 24th October 2001.

Whilst technically you do not need to comply with the legislation until you are required to register, it is strongly advised that you operate your system as if you are complying.

If your system was installed after 24 October 1998 irrespective of what method of recording you are using the whole of the Act including the right to access applies from 1 March 2000. You must register your system as soon as possible after that date. You will need to give details of who owns the system and for what purpose the data is being recorded. It is important that the purposes of your system are clearly specified and adhered to.

As a company you will need a ‘Data Controller’: this is “a person who (either jointly or in common with other persons) determines the purpose for which and the manner in which any personal data are, or are to be, processed.”

The Data Controller will be required to take all steps to ensure that the data recorded by the company is within the terms of the Act and in accordance with the ‘Principles’ laid down by the legislation.

If the monitoring is devolved to a third party such as a security company employed by the Data Controller, the security company is deemed a ‘data processor’. As such they process data on behalf of the Data Controller and the security company is not a Data Controller.

Data Protection Principles

The Act lays down eight ‘Principles’ with which the system must comply. These are:-

1. Personal data must be processed fairly and lawfully. E.g. with the subject’s consent or because it is necessary to do so, i.e. for the administration of justice.

2. Data should be processed for one or more lawful purposes and not further processed for incompatible purposes.

3. Data shall be adequate, relevant and not excessive.

4. Data shall be accurate and where necessary kept up to date.

5. Data shall not be kept for longer than is necessary.

6. Data shall be processed in accordance with rights of data subjects under the Data Protection Act 1998.

7. Appropriate technical and organisational measures shall be taken to prevent unauthorised/unlawful processing of data or accidental loss of, destruction of or damage to data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for rights and freedoms of data subjects in relation to the processing of personal data.

As far as managers are concerned Principle Seven is of particular relevance. Appropriate security measures will have to be taken both to protect the contents of tapes and to ensure that their location can be identified at all times. Secure storage systems and effective records of who has had access to tapes, when and why will have to be implemented. Failure to implement these could prejudice legal proceedings and lead to action against the company by the Data Protection Commissioner.

Whilst it is not expected that there will be significantly high levels of demand by the public to view the contents of video recordings, it will have an impact where video recordings are used to support criminal proceedings. The defence is almost certain to ask in court and seek assurances that the system was registered and administered in accordance with the Data Protection Act 1998 before allowing the tape to be offered in evidence.

What you could expect

The public must put requests to access the data you hold in writing and give enough information for you to be satisfied that they are who they say they are. They must provide a clear description of the time, date and location that they are interested in and a description of themselves to allow you to identify them from the recording.

This request can be made at any time after the event. The Standards being introduced by the Data Protection Commissioner indicate that the recording medium should be replaced after 13 uses. Most systems will operate a 31 day tape rotation system so this time scale is not too onerous and provides ample opportunity for someone to request access to the data.

The Data Controller must also make every effort to ensure that other ‘data subjects’ are not identified from the showing of the material or that they have given their consent to the showing of the material. In some cases this may mean that the pictures provided need to have some faces blanked out.

What will it cost?

To register your system with the Data Protection Commissioner will cost £35 per year.

In order to comply with the principles set out in the Act the following equipment, together with appropriate procedures, will provide the minimum requirement:-

  • Signage: Signs indicating the area being covered by the cameras. A person passing the sign is giving implied consent to be recorded. The sign needs to give details of the ‘owner’, purpose and contact number.
  • Tapes: A minimum supply of 28 days, with a Home Office recommendation of 31 days of tapes for each video recorder in the system. These should be labelled with some unique reference so that the tape can be easily identified.
  • Storage: Principle 7 states that appropriate technical and organisational measures should be taken to prevent unauthorised/unlawful or accidental loss, damage or destruction of data. A secure cabinet therefore is recommended to store the tapes in. In very vulnerable areas it may be that the video recorder also needs to operate inside a secure cabinet. In addition, access to the tapes must be restricted and effectively controlled.
  • Log book: Following on from the storage issue, data needs to be carefully tracked and its history followed for legal purposes. A comprehensive logging system should be in place for large systems with smaller systems adopting a short form of the same system. The logging system must also identify any third parties to whom tapes have been passed and the circumstances surrounding the decision to release data to a third party.
  • Bulk eraser: “Simply recording over old material is not satisfactory, not least because this will compromise a tape’s acceptability for evidential purposes”. This together with principle 5 of the Data Protection Act means that a bulk eraser is a necessary investment.

You will also need to consider how you will play back, copy or provide the information to any data subject requesting access.

Managers will need to give careful consideration to their system’s ability to meet the purposes for which the system was installed.

For example, if one of the system purposes is “for the prevention and detection of criminal activity” and the images are not capable of identifying the individual in the picture, that may lead to a complaint against the system. The images may also be useless as evidence in a criminal trial, and this may make the difference between conviction and acquittal. The ‘data subject’ may then be able to sue the owner of the system for unlimited damages.

Offences under the Act

The main offences under the Act revolve around:-

  • Processing without notification
  • Failing to notify the Commissioner of changes in your circumstances
  • Failing to comply with written requests
  • Knowingly or recklessly making false statements in compliance with an information notice
  • Intentional obstruction of, or failure to give reasonable assistance in, execution of a warrant.

It is also an offence for a person without the consent of the Data Controller, knowingly or recklessly to:-

  • Obtain or disclose personal data or the information contained in personal data.
  • Unlawfully sell personal data.

There are exceptions to this in respect of criminal activity but they are carefully constructed and need to be fully understood by the Data Controller.

All the above offences are triable in either the Magistrates’ Court or the Crown Court.

The Act also provides for separate personal liability for the offences in the Act for Directors or other employees of the company that may have committed the offence.