My data day concern ...

Most of you will know by now that time ran out on the new Data Protection Act last October, and that many of the companies trading in the security industry must now be registered by law with the Office of the Information Commissioner.

The whole idea of the act is to safeguard the keeping of information about other people. Every security company keeps confidential information about their customers on file and, as this has now become very widespread, laws have been introduced to control what we can and cannot do with this stored information. (Before we go any further, I have to point out that I am not an expert on these matters and my advice is to ring the Office of the Information Commissioner on 01625 545745 and find out for yourself if you need to register and how to go about it. There is also a comprehensive web site full of info at www.dataprotection.gov.uk)

Filtered down news
The problem with new laws and legislation is the time it takes for the information to filter down to the likes of you and I. Like most people we are too busy trying to make a living to find the time to browse through ream upon ream of largely useless information to find the very small percentage that is relevant to our industry and then find the time to put it into place within our company.

This is one of the distinct advantages of being inspectorate recognised, because the inspectorates keep abreast of these changes in the laws and often require your company to adapt to the changes before you get caught and clobbered with a hefty fine. Those without an inspectorate behind them have to find out as best they can. (Keep reading this magazine and watch for the articles as they appear)

For those with web access, the BSIA has a comprehensive website, but what the industry badly needs is a trade organisation to keep the smaller installer and the self employed engineer supplied with such info. It is not the job of the inspectorates to supply this (although they do pass it on), only to inspect your company against the standards and raise comments or non-conformities against your failure to comply – and then only as these laws touch our small industry.

At this point I also have to say that these inspectorate-enforced changes are not always received with the good faith that they should be, there is a strong tendency to groan first and to think after.

A classic example of this is the 'fused spur syndrome' and the vast numbers of companies that have just refused to do anything about it ... yet another expense forced upon you by some little Hitler with too much authority and you didn't see the point of it anyway ... and here we are, years later and still refusing to comply.

To return to the original point, we now have yet another piece of legislation to comply with that the majority of installers know nothing about, and until this new law becomes common knowledge there is a time window for certain elements of our industry to make a bob or two at the expense of the ignorant masses, and they haven't been slow off the mark.

Acting on your behalf
There are already three known 'registration' organisations that have been set up to 'help' the smaller installer to comply with the new Data Protection law. The method is quite a simple one; they send an official looking letter and a registration form out to the unsuspecting company. The letter explains (quite correctly) that your company should be registered in compliance with the new Data Protection law and invites you to register by filling in the attached form and returning it with a cheque for (in the case of the one that was sent to me) £95 + VAT. Your company will then be added to the Data Protection register. One presumes at this stage your company will be registered and all will be well, but what is the real situation?

The truth is that these registration companies are not breaking the law – provided they register your company on your behalf, and at the moment there is no suspicion that they are failing on that point. However, if you wish to register direct with the Data Protection Commissioner then it will only cost you £35 per year and there is no VAT (or it may be rated at 0%).

I have had conversations with various people within the trade and the best remark on the subject so far was "You have to hand it to them for spotting these things. I wish I'd thought of it". So do I! it looks to me like a good way to earn cash fast, charge the unsuspecting installer £60 over the going rate just to fill a form in for him.

Then of course we must not forget the VAT that must now be charged because (presumably) they are offering a service. I would like to see the size of the cheque that is delivered to the VAT man each quarter for VAT that didn't need to be collected in the first place. The irony in this case is that the larger companies will probably not fall for this line, but the smaller, non VAT registered companies will. On the other hand, if you've been approached by these companies and you are happy to pay the extra for them to do the job for you, then go right ahead. There is nothing illegal in what they are doing – provided your company is registered as it should be. My advice is to check.

The whole object of the new law is to help regulate the capture and storage of sensitive data and to offer some sort of control about the distribution of such data. So, when faced with modern technology like computers, the internet and CCTV cameras, trying to keep track of data and who is controlling it is a bit like trying to sweep the M25 with a toothbrush. They are doing the next best thing – making people accountable for their actions in the capture, storage and passing on of sensitive or confidential data.

Good for customer confidence
The first step was to establish what was deemed to be sensitive data, list the categories and to set up codes of practice, next was to get the right people to register and in doing so sign an agreement to comply with the laws. The final bit is to drop like a ton of bricks on those who get caught breaking the Data Protection laws and clobber them with very heavy fines, and then if the miscreants have not registered, hit them with an extra fine on top.

The very nature of our industry suggests that we should support the Data Protection laws as much as we can so perhaps it is time to find out if your company needs to register and then do it as soon as possible. By supporting and complying with the Data Protection Act we are, in fact, looking after the interests of our customers ... and let's not forget who pays our wages. In fact some larger companies have already realised that this is a good sales promotion feature and are 'selling' Data Protection as part of their package, and not without success. As a matter of course I would always assure the customer that their personal information would not be passed on to others. It gives the customer a little more confidence in you and your company. There is a specific problem where CCTV is concerned because the data is captured and kept by the end user rather than the installer, also, the information gathered is now likely to be about the public at large so therefore it is the customer or end user that the law now requires to be registered. But where does that leave the installer? Off the hook?

Do it in writing
Look from another angle. You are to install a CCTV system for a customer who is going to record the general public (say, at a car park). What then are your responsibilities to the customer? The customer may know nothing about the Data Protection requirements, he just knows he needs a CCTV system to help stop thefts from cars. It then falls to you as the supplier and installer to inform him of the existence of the law, and my advice is do it in writing. You don't even have to be an expert on the subject, all you have to do is to tell the customer that he may have to register with the data protection office and give him the telephone number and/or the address to write to, but remember the golden rule – do it in writing. It's called covering your back.

There has recently been another inspectorate launched, this time inspecting companies against the Data Protection code of practice on CCTV, published by the Office of the Information Commissioner. I am not sure as to exactly who this new inspectorate is aimed at or who it answers to. The regular inspectorates answer to UKAS, ACPO, the insurance companies and various large industry bodies. The Office of the Information Commissioner does not require that your installations be inspected – only that they comply. Maybe the new inspectorate is aimed at the smaller installers, but who is going to pay for an inspectorate to inspect what is the customers' responsibility? After all, we cannot force the customer to register, we can only strongly advise him. Also, I cannot see the customer enrolling with an inspectorate just to make sure that his one CCTV system complies.

Registering for police response
Having said that, there are a small number of companies out there that are already prepared to offer Data Protection services to the customer as an add-on to their existing services, and these are currently being inspected by the UKAS accredited ISI. But these are generally multiple site contracts and, in that case, it makes sense to leave it to the experts. Many CCTV companies are now looking at becoming inspectorate registered for police response to visual confirmation systems but the new inspectorate is not (at the time of writing) recognised by ACPO. There is one angle that could be profitable, and that is to rent out the CCTV systems and take charge of the data that is captured, but it could lead to a lot of problems if the customer wishes to have a quick look at a tape and it has been locked up by the installer. The alternative means that, after installation, the Data Protection is left to the customer (or the customer's employee) and they are not always the best people to see the severity of the situation.

I have seen (during inspection) tapes lying around that should have been locked away; log books supplied by the installer that are just not filled in, and I have heard stories of staff taking tapes home so that the family could have a good laugh at the antics of the public in car parks.

Do ring the office of the Office of the Data Commissioner or look on the website (number and address at the beginning of this article). They also have some very good codes of practice available - free of charge – that are written in easy to understand language. And finally ... try not to pay too much for your registration. Remember, it only costs £35 for the year to go direct to the Office of the Information Commissioner.