Outside the law!

In CCTV Solutions last September we exclusively published the results of a survey north of the border which highlighted the low percent-age of CCTV schemes that were complying with the Data Protection Act.

The survey, carried out by Macbond, Scotland's premier Internet security and data protection consultancy, looked at 63 sites and found that very few were compliant.

MD of Macbond, Owen Sayers, feared that these results would be duplicated across the UK if a wider survey were carried out.

Since then, Sayers has undertaken a much wider nationwide survey and it has confirmed the fact that the DPA is not being adhered to and is resulting in widespread "illegal" operation of schemes.

The situation is "frankly appaling" says Sayers, who produced the Insight Data Protection Ltd study.*

He told CCTV Solutions: "In this case I examined 406 sites – in seven towns and cities, ranging from Inverness in the north to Ramsgate in the south. The overall level of compliance was slightly higher than the study of March 2002, where some 6% of the sample could potentially be compliant, with 10.2% meeting the "potentially compliant" criteria.

"However the possibility that only one in ten of CCTV installations being legally compliant is a worrisome one at best and I continue to believe this state of affairs can only have a damaging effect on the industry if it is not rectified in the very near future.

"The reason to attain compliance is generally suggested to be the avoidance of punitive fines – however as yet these have failed to materialise, and it is as a result hardly surprising that most operators have, thus far, decided to risk the perceived remote chance of such action.

"This is perhaps a short-sighted view, and one which has resulted in many generally poor systems across the country. Instead operators, installers and suppliers should realise that the best way to raise the quality and extent of CCTV coverage is to embrace DPA compliance as a core quality assurance measure. The industry as a whole faces a major crisis in the making – which has thus far been largely ignored, and which possesses tremendous potential for sales expansion.

"Systems which are operated in compliance with the legislation will require regular maintenance, replacement of tapes and media, and upgrade – and where suppliers are sufficiently aware of this they can reap the benefits of an annual sell-on opportunity to existing customers.

"Key to this opportunity is the provision of compliance related products and awareness, and this is also somewhat lacking at present. The provision of simple tape logs based on a 35 tape model – as supplied by most installers who do supply compliance products – is quite inappropriate for most applications, and in any event such a system is intrinsically flawed due to a basic design limitation.

"In addition any system which does not provide for chain of evidence recording, regular auditing procedures, evidence handling and rejection procedures and management monitoring will fall similarly short under close examination."

He concludes:
"Some 18 months after the end of the first transition period, the state of CCTV compliance across the UK is frankly appaling – and all involved in the use, supply or monitoring of CCTV should seek to make 2003 the year of compliance. To do so can only improve things for us all."

Where and why?
The first study in this series was conducted in March 2002, and examined the installation and operation of CCTV in two Scottish cities.

That study identified a worrying lack of potential compliance – suggesting that some 90% of operators could not possibly be complying with the legislation or the Code of Good Practice issued by the Information Commissioner.

The first study was however very small – the examined samples numbering only some 99 sites.

For this second survey the net was cast more widely – with sites sampled from Inverness in the North to Ramsgate in the South, and covering Metropolitan areas, small towns and cities in between.

In total some 406 sites were surveyed during December 2002 for the second study.

Once again the two sites sampled in the first survey were examined, and the differences in those site results are of particular interest.

As before, the sites examined included public open spaces, pubs, retail stores, department stores, banks and restaurants, and almost all of the sites surveyed belong to major high street retailers.

Almost 90% of the total sample could not meet the criteria required for compliance, and are likely to be operating in breach of the Act

In the absence of evidence to the contrary, and given the larger sample base of this second study, the results are believed to be strongly indicative of the general trend to be found in any major town or city centre in the UK.

The Survey Methodology
There are many elements required for DPA compliance of CCTV systems. These can be divided into three key areas.

1. Notification – an appropriate and up to date registration of the CCTV system on the Data Protection Register.

2. Signage – the display of appropriate warning signs around and within CCTV monitored areas. Although the specific details of warning signage is not legislated – rather it is subject to advisory measures in the Code of Good Practice. In the opinion and experience of the authors it is to this code that the courts will refer in considering what is required of systems from which footage is submitted for evidential purposes.

3. Operational Practices – in effect "everything else", including staff training, equipment and hardware, documentation and operational methodologies as defined by the CCTV Code of Practice defined by the Information Commissioner.

Areas 1 and 2 are highly visible, and a knowledgeable observer can readily identify whether the system appears to be compliant or not in only a very few seconds of inspection.

In determining compliance for the pur-poses of this survey the following rules could be applied:

1. Where a system does not comply with areas 1 and/or 2 it cannot be considered to be fully DPA compliant.

2. Where a system does comply with areas 1 and 2 it may be DPA complaint – but only if all elements of area 3 are also complied with. It is not possible to determine this from casual inspection alone.

Interpretation of results
The survey results only absolutely indicate those systems that cannot be compliant for the reasons given above.

This does not mean that those systems which appear to be complaint based upon the survey are, in fact, fully compliant.

It is not possible to determine this from the survey conducted, and further investigation could reveal that even these systems do not comply with the Operational Practices requirements.

Sample details
The sample comprised 406 sites comprised of the following types:
11 Hotels, 7 Shopping Malls, 197 Retail Shops, 35 Department Stores, 17 Travel Agents, 9 Car Parks, 18 Banks, 16 Fast Food Outlets, 36 Bars / Public Houses, 6 Post Offices, 9 Off Licences, 11 Local Authority / Public Open Space Systems, 24 Restaurants, 7 Amusements, 3 Police Stations.

Of these 406 sites, 293 had CCTV installed – 113 of the sample not being outfitted with this equipment.

The general findings of the survey:
Proliferation of CCTV Systems: (percentages in brackets)

• Number of sites with External Cameras – 51 (17.4%)
  
• Number of sites with Internal Cameras – 281 (95.9%)

A comparable proportion of the current study to the March study have external cameras, and a slightly smaller proportion appear to have internal cameras. The overall percentage of deployed cameras ranged between 62% and 79% across the sample, with an average of 72.2% of each study sample area having CCTV cameras installed.

Public Open Space System Apparent Compliance

• Number of sites with Compliant Signage – 1 (9.1%)
  
• Number of sites with overall apparent Compliance – 1 (9.1%)
  
• Number of sites apparently non-compliant – 10 (90.9%)

Each sample area had at least one Public Open Space System in operation. In general these are operated by – or on behalf of – the local authority in that area.

Of the observed Public Open Space Systems, one had signage that would most probably meet the requirements.

Footage could potentially be successfully challenged in court where it is submitted as evidence.

Of the remainder, three had no signs displayed at all and seven had signs which were misleading, poorly placed, incorrect in terms of content or otherwise unlikely to meet the requirement for fairness under Principle 1.

Signage of sites with CCTV Systems

• Number of sites with External Warning Signs: 83 (28.8%)
  
• Number of sites with Internal Warning Signs – 41 (14%)

Appropriate signage identifying the system, its purpose, operator and contact details is a requirement under the First Data Protection Principle. Of the sites sampled only a small proportion complied with this requirement.

The figures here identify sites which displayed ANY form of CCTV warning sign – compliant or otherwise.

Compliance of displayed Signs (Internal or External)

• Signs with Compliant Textual Warnings – 57 (19.5%)
  
• Signs of an approved size and location – 53 (18.1%)
  
• Number of Overall DPA Compliant Signs – 40 (13.7%)

Where signs are used there are clear guidelines covering the size, location and content.

Overall across the survey areas, some 13.7% of deployed signs met these criteria. This tends to compare favourably with the March study where only 6% of sites displayed signs which met the criteria of the Code of Good Practice.

Without appropriate warning signs it is difficult to envisage any circumstance where the operation of the system and the consequent collection of images could be determined to be fair as required in Principle 1.

The requirement to obtain implied consent to the recording of data subjects must be considered fundamental to the principle of fairness required in the event of CCTV footage submission as evidence.

Registration of Sites with CCTV for the use of CCTV systems

• Number of sites with DPA Registrations – 212 (72.4%)
  
• Number registered correctly for CCTV use – 138 (47.1%)

The majority – though not all sites sampled – were found to be registered on the publicly available DPR register (available over the Internet on http://www.dpr.gov.uk). It is however the experience of the authors that this resource can run several weeks out of date and the number of correctly registered sites may be greater than the study determined.

Annual registration costs £35 per annum.

Of those who were registered, and whom operate CCTV systems, only 47.1% across the entire sample were correctly registered.

The difference in the total percentage of registrations between the March sample and the current study is likely to be explained by the higher incidence of small retailers in the second study.

In general the awareness of the DPA requirements, and the consequent level of registration, is significantly lower in small to medium enterprises.

Overall measured DPA Compliance of sample sites

• Number of sites apparently DPA compliant – 30 (10.2%)
  
• Number of sites with CCTV which are visibly not DPA compliant on tested criteria – 263 (89.8%)

Taking into account all of the above criteria, and assessing each sampled site carefully against both the Act itself and the Code of CCTV Good Practice Guidelines issued by the Information Commissioner, a worryingly low percentage of the sample fall into the category that could (providing all other compliance requirements are met) be considered to be compliant.

It is easier and more certain to state that almost 90% of the total sample using CCTV could not meet the criteria required for compliance, and are therefore likely to be operating in breach of the Act.

Although this figure is higher than the March sample (which being much smaller is less likely to be representative) it is hardly an acceptable situation to consider that only one in ten systems may be legally operated.

Summary of Findings
This study re-iterates the findings of the March study, and in general terms supports the suggestion that the low level of potential compliance identified was likely to represent a nationwide pattern.

Many of the sites in the survey area could become, at least apparently, compliant simply by reviewing their use or type of displayed CCTV signs

Any system non-compliant after 24th October 2001 is operating illegally (or after 1st March 2000 where the system was first deployed after that date).

Although in most instances the Information Commissioner's office will encourage operators to become compliant, those who control such a system should be aware that they could face fines of £5,000 or more, and that they must not rely upon the goodwill of the Commissioner's office in the event of an investigation.

General awareness of DPA compliance – and in particular the rules surrounding CCTV – appears to remain very low, and uptake of compliance work thus far remains disappointing.

With only 30 surveyed sites even apparently compliant, the remaining 263 surveyed sites (89.8% of the sample) are almost certainly operating their CCTV systems in breach of the legislation, and the footage thus derived could potentially be successfully challenged in court where it is submitted as evidence.

The difference in the number of correctly registered sites (47.1% of the sample) and those displaying compliant signage (13.7%) remains notable.

Compliant signage
Many of the sites in the survey area could become at least apparently compliant simply by reviewing their use or type of displayed CCTV signs, and displaying CCTV signs which meet the Code of Practice criteria.

Whilst in the event of a close examination this would not considerably benefit the system operator, the overall non-compliance signature of the operator would nonetheless be reduced, and this may have some benefits in crime deterrence if not detection. It is clear that much work remains to be done in highlighting the requirements of the legislation with specific respect to compliance.

There have recently been several well docu-mented cases where the police and security services have been unable to use CCTV footage from systems which were poorly maintained and operated.

Since it is a requirement that systems compliant with the DPA 1998 which also comply with the recommendations of the Code of Practice are well maintained and monitored on a daily basis, it is not overstating the importance of gaining compliance to suggest that there is no more important factor in the detection of crime via CCTV than to ensure all systems are DPA compliant.

The expectation of the general public as to the effectiveness of CCTV systems should be identified as a friable resource. If and when CCTV footage fails to meet the requirements of courts as acceptable evidence this public support may be adversely affected. If this support is lost the impact on the CCTV industry and crime prevention and detection could be significant.

Cost not prohibitive
The cost of compliance need not be prohibitive and in most cases can be attained for a few hundred pounds per annum – the compliance suite produced by Insight Data Protection for CCTV systems contains all of the required documents and information to assure compliance with the DPA, the Code of Practice, the requirements of BS7958:1999 and the recommendations of the Home Office Crime Reduction College.

When balanced against the cost of CCTV system installation and the benefits to be derived from the use of such technologies the additional cost of compliance is a relatively paltry and affordable sum.

The use of CCTV system "collateral" coverage has previously been used to good advantage by law enforcement bodies – notably in anti-terrorist and missing person investigations. If this is to continue, police officers gathering CCTV evidence should be made fully aware of the impact of the Data Protection Act on CCTV footage, and satisfy themselves that evidence obtained has been lawfully gathered by the system operator.

In driving forward the uptake of compliance, and raising the awareness of the legislation in general, law enforcement agencies, local and national authorities, equipment suppliers and installers should seek to act in a proactive manner.

It is the opinion of the authors that only by doing so can public confidence and support for CCTV as a crime reduction measure be maintained.

* CCTV System Compliance under the Data Protection Act 1998 – a Second Study. Author: Owen Sayers, of Insight Data Protection Ltd, Bridgeness Road, Carriden, Bo'ness, West Lothian EH51 9RF, Tel: 01506 823800

Adds Sayers: "Products which meet all of the criteria of the Act, the Code of Good Practice, the requirements of BS7958:1999 and Home Office Guidelines do exist – our own series of compliance suites are examples of this.