Under the terms of the Data Protection Act 1998, members of the public have a right to obtain copies of CCTV recordings featuring identifiable images of themselves. What could be considered 'best practice' for the end user when it comes to providing those images?
Is your CCTV system illegal, Mr Security Manager? If it doesn't comply with the requirements laid down by the Data Protection Act (DPA) 1998 it is now! With the cut-off date for compliance – Wednesday 24 October – having come and gone, end users in the retail, leisure, banking and finance and industrial sectors (to name but some) should have taken the necessary steps outlined by Chris Brogan ('Process... and be damned', pp42-43) in the September edition of SMT to make sure that compliant systems are now in place.

As SMT went to press, the British Security Industry Association issued a stark warning to all those businesses recording images of people by way of CCTV – they must notify the Information Commissioner immediately if they haven't already done so. Ultimately, end users must have a legitimate basis for installing CCTV cameras, and those cameras must be sited such that only public spaces are monitored. In addition, clearly visible signage has to be placed in the vicinity such that members of the public know that they are under surveillance.

Remember, too, that the use of covert cameras is only lawful if a specific, identified criminal activity is being investigated, and any images captured must be retained for no longer than is absolutely necessary.

In reality, that's only half the battle. Aside from effective CCTV management, end users are being dogged by yet another headache. Under the terms and conditions of the DPA, members of the public are entitled to request copies of any CCTV recordings that feature 'identifiable images' of themselves. Access to recorded images is normally restricted to those members of the security team who "have need of access in order to comply with the objectives of the system".

In truth, recordings may also be disclosed to law enforcement and prosecution agencies, relevant legal representatives and the media (but only in strictly limited situations as prescribed by the DPA). Then there are the aforementioned individuals whose images have been recorded and retained.

Dealing with an image request
As a CCTV end user, how should you deal with a request for a copy recording from a member of the public? First, be aware that any such request must be made in person at the address at which the CCTV system is located.

Applications should only be processed in relation to that individual alone, and the images of all other recognisable individuals featured in the recording must be masked (together with any vehicle number plates).

So that the image of the individual in question can be identified by the CCTV team, you should ask the individual concerned to provide two standard, colour photo booth-style pictures – one of which is full face and the other a side-on perspective. These pictures must be handed over in person to the security manager or his/her designated deputy during normal office hours.

You must also ask the individual to bring along another form of identity verification by way of a passport or driving licence. In this way, the security manager may validate the address to which the recorded images will subsequently be sent.

It is the manager's responsibility to name a date and time for the handover of passport photographs and related documents, and they must also make sure they are provided with a detailed description of the background to the recording (ie when and where it took place). The individual has to give details of what he or she was wearing at the time of the recording, together with a description of any vehicles involved and their number plates.

As long as all of these requests are fulfilled (and the applicant has handed over the necessary £10 'search and find' fee), the onus is then on the CCTV operator to provide the requested images within a 40-day window. If unable to comply with a given request under the terms of the DPA, the end user has to give a reason why within 21 days.

The processing procedure explained
The actual processing procedure itself is fairly straightforward, moving as follows:

  • an initial enquiry is received, subsequent to which a member of the security staff will provide the applicant with the appropriate application form;
  • the completed form is then received and validated by the site or security manager (or his/her deputy) and a copy given to the applicant (needless to say, the manager must retain a copy on site also);
  • the relevant video tape is then withdrawn from use and despatched to the Data Controller (note that this must occur within two days of the application being received);
  • subsequently, the Data Controller will then approve or deny the application (if approved, the application will be despatched as soon as possible together with the original recording – if not, the application will be returned to the individual concerned);
  • when one calendar year has elapsed the original recording then has to be mechanically destroyed, and an appropriate destruction certificate issued.

Contracted CCTV management
A properly-managed analogue recording system will provide good quality, easily-accessed 31 day archive recordings (achievable at a fraction of the cost of upgrading to a digital system capable of providing the same archive period). Bear that in mind.

End users will often need a little help when it comes to tape management, and there are companies out there only-too-willing to offer a bespoke service. One such is Dorset-based Video Management Services (VMS).

For the larger, more complex CCTV system installation (ie one that boasts a number of video recorders and telemetry-controlled cameras), a VMS surveyor would visit the site and carry out a detailed audit of procedures, documentation signage and system operation. Any shortfalls would be identified in this consultancy process and appropriate recommendations given.

The service is normally incorporated into an annual contract that includes the supply of documentation, recording media, right of subject access request management and editing and certified mechanical tape destruction. Further details are available on the web: www.videomanagementservices.co.uk.

Don't risk anything up to a £5,000 fine by not registering your CCTV system.

And if you're still unsure as to how you might 'best manage' the information retrieval process there's no excuse. Assistance is always to hand.

Caught on camera: the latest CCTV news from Securex 2001

Although disappointing in terms of CCTV manufacturer turnout, last month’s Securex exhibition for end users – held at ExCel in London’s Docklands for the first time – was notable for a conference dedicated to those system managers who want to add value to their installations. Keynote speaker Bob Lack – senior operations manager for the London Borough of Newham’s CCTV scheme, currently the largest public scheme in the country – bemoaned the lack of funding that is besetting many such schemes. Although the camera set-up in this East End Borough has helped in reducing crime by 30%, Lack is struggling to employ CCTV monitoring staff because there’s insufficient money on the table courtesy of the Home Office. Nonetheless, the scheme is proving to be a tremendous success. It has helped enforce the Intensive Supervision and Surveillance Programme launched last July by the Youth Justice Board. Targeting persistent young offenders by placing a curfew order on them, any known individuals ‘spotted’ on one of the Borough’s 300-plus cameras ‘out of hours’ will result in harsh punishments. Visionics’ FaceIt facial recognition software has been integrated with the cameras to achieve efficient ‘captures’. Home Secretary David Blunkett has offered his support to the Newham initiative, but it’s clear that if similar schemes are to be run elsewhere they will need additional funding to cover the cost of Visionics’ systems.