Outside the law

In March last year, Macbond – one of the leading independent Internet security and Data Protection consultancies north of the border – conducted a survey of 63 operational sites and duly discovered that, in the majority of cases, end users are not meeting the terms and conditions of the Data Protection Act. In other words, those CCTV systems are operating outside of the law.

Macbond's then managing director, Owen Sayers, feared that these results would be duplicated on a much wider scale if a UK-wide survey were to be undertaken. Since then, Sayers has indeed carried out such a survey – and all of his fears have been confirmed.

"This time around we examined over 400 installations in several towns and cities, ranging from Inverness down to Ramsgate," he states (see map, right). "The overall level of compliance was slightly higher than the first study in March 2002, where 6% of the sample could potentially be compliant, with 10.2% meeting the 'potentially compliant' criteria."

Sayers adds: "However, the possibility of only one-in-ten CCTV installations being legally compliant is a worrisome one at best. A state of affairs that can only have a damaging effect on the industry if it's not rectified in the very near future. The reason for attaining compliance is generally suggested to be the avoidance of punitive fines. As yet these have failed to materialise. It's hardly surprising, then, that most operators have decided to risk the perceived (but seemingly remote) chance of such action being taken.

Sayers feels that this is something of a short-sighted view, and one which has resulted in many CCTV systems that are generally poor in nature. "System suppliers, installers and operators should realise that the best way to raise the quality and extent of CCTV coverage is to embrace Data Protection Act compliance as a core quality assurance measure," stresses Sayers. "The industry is facing a crisis in the making. One that has largely been ignored."

In reality, any CCTV installation which doesn't provide for chain of evidence monitoring, regular auditing procedures, evidence handling and rejection procedures and management monitoring will fall short of Data Protection Act compliance. "Eighteen months after the end of the first transitional phase, the state of CCTV compliance across the UK is quite frankly appalling," opines Sayers.

"All practitioners involved in the use, supply or monitoring of CCTV should seek to make 2003 the Year of Compliance. To do so can only be an improvement for us all."

The studies in context
The first study carried out by Sayers back in March last year examined the installation and operation of CCTV in two Scottish cities ('Does your system comply?', Security Installer, September 2002, pp37-39).

That study suggested a worrying lack of potential compliance – stating that 90% of operators couldn't possibly be complying with the legislation or the Code of Practice issued by the Information Commissioner. Only 99 sites were surveyed, though, but for the second – and current – study (conducted by Sayers after his move to Insight Data Protection Ltd) the research net was cast much wider.

No less than 406 sites were surveyed at the tail end of 2002, covering Metropolitan areas, small towns and cities in-between. As previously, the sites examined included public open spaces, retail outlets, public houses, department stores, banks and restaurants – with many of the installations tellingly belonging to major High Street retailers.

In the absence of evidence to the contrary, and given the larger sample base of this second survey, the results are believed to be strongly indicative of the general trend to be found in any major town or city centre in the UK.

There are several elements required for the Data Protection Act compliance of CCTV systems, which can broadly be divided into three key areas. First there's notification. An appropriate and up-to-date registration of the CCTV system on the Data Protection Register. Next, end users need to think about signage. The display of appropriate warning signs within and around CCTV-monitored areas. Although the specific details of warning signage are not legislated, it is subject to advisory measures in the Code of Practice. It's likely that the Courts will refer to this in considering what's required of systems from which footage is submitted for evidential purposes.

Let's not forget those all-important 'operational procedures', either. In effect, these encompass "everything else" – including staff training, equipment and hardware, documentation and operational methodologies as defined by the CCTV Code of Practice.

The first two of these three 'essentials' are highly visible, and a knowledgeable observer can readily identify whether a given system appears to be compliant or not in only a few seconds of inspection.

For the purposes of the Insight survey, wherever a system didn't comply with notification and signage laws it couldn't be considered to be fully Data Protection Act-compliant. Where a system did comply with these two elements it could comply, but only if the variables under 'operational procedures' had also been observed.

The expectation of the general public as to the effectiveness of CCTV systems should be identified as a friable resource. If and when CCTV footage fails to meet the requirements of the Courts as acceptable evidence then public support may indeed be lost.

Before discussing the Insight survey results in detail, it's important to note that they only absolutely indicate those systems that cannot be compliant for the reasons stated. This doesn't mean that those systems which appear to be compliant based upon the survey are, in fact, fully compliant. It's not possible to determine this from the tests conducted.

Further investigation could reveal that even these systems don't comply with the 'operational procedures' requirements.

As stated, the second survey sample comprised 406 separate CCTV installations encompassing 11 hotels, seven shopping malls, 197 retail outlets, 35 department stores, 17 travel agencies, nine car parks, 18 banks, 16 fast food outlets, 36 bars/public houses, six Post Offices, nine off-licences, 11 local authority/public open space systems, 24 restaurants, seven amusement arcades and three police stations. Of those sites surveyed, 293 had CCTV installed (113 sites not having such equipment).

In all, 51 of the sites (17.4%) boasted external surveillance cameras, with 281 (95.9%) operating internal units. The overall percentage of deployed cameras ranged between 62% and 79% across the sample, with an average of 72.2% of each study sample area having CCTV cameras installed.

For public open space CCTV system apparent compliance, the number of sites with compliant signage was only one (9.1%). The number of sites with overall apparent compliance was exactly the same. The number of sites that were apparently non-compliant was 10 (ie 90.9% of this part of the sample).

Each of the sample areas had at least one public open space system in operation. In general, these are operated by – or on behalf of – the local authority in that particular area.

Of the observed public open space systems, one had signage that would most probably meet the requirements of the Data Protection Act. Of the remainder, three had no signs displayed at all and seven had signs which were misleading, poorly placed, incorrect in terms of content or otherwise unlikely to meet the requirement for fairness under Principle 1.

A warning on warning signs!
The number of sites exhibiting external warning signs in the latest survey was 83 (28.8%), while those with internal warning signs numbered 41 (14%). Appropriate signage identifying the CCTV system, its purpose, operator and contact details is a requirement under the Act. Of the sites sampled, only a small proportion complied with this requirement. The figures here identify sites which displayed ANY form of CCTV warning sign – compliant or otherwise.

Of those sites monitored, 57 (19.5%) exhibited signs with compliant textual warnings and 53 (18.1%) signs of an approved size and location. The overall number of Data Protection Act-compliant signs was 40 (13.7%). Encouragingly, the latter figure shows a 6% increase on the previous survey.

Without any appropriate warning signs it's difficult to envisage any circumstance where the operation of the CCTV system – and the consequent collection of images – could be determined to be fair as required under Principle 1 of the Data Protection Act. The requirement to obtain implied consent to the recording of data subjects must be considered fundamental to the principle of fairness required in the event of CCTV footage submission as evidence.

In terms of the registration of sites with CCTV for the use of such systems, 212 sites (72.4%) had Data Protection Act registration in place, and 138 owners (47.1%) had registered correctly for CCTV use. The majority – though not all sites sampled – were found to be registered on the publicly-available Data Protection Act Register (available over the Internet at www.dpr.gov.uk).

However, Owen Sayers is quick to point out that this resource can run several weeks out of date, and the number of correctly registered sites may be greater than the study determined. Annual registration costs £35.

Without any appropriate warning signs it’s difficult to envisage any circumstance where the operation of the CCTV system – and the consequent collection of images – could be determined to be fair as required under Principle 1 of the Data Protection Act. T

Overall awareness of the Data Protection Act requirements – and the consequent levels of registration – is significantly lower in small-to-medium-sized enterprises.

The number of sites that were apparently Data Protection Act-compliant in the second survey totalled 30 (amounting to 10.2%). The number of sites with CCTV which were visibly not Data Protection Act-compliant on tested criteria amounted to 263 (89.8%). Taking into account all of the above criteria, then, and assessing each sampled site carefully against both the Act itself and the Code of Practice issued by the Information Commissioner, a worryingly low percentage of the sample falls into the category that could (providing that all other compliance requirements are met) be considered to be compliant.

It's easier and more certain to state that almost 90% of the total sample using CCTV could not meet the criteria required for compliance – and are therefore likely to be operating surveillance systems in breach of the Data Protection Act.

Only one in every ten systems operating legally? Hardly an acceptable scenario.

Penalties of non-compliance
Although in most instances the Information Commissioner's Office will encourage CCTV scheme operators to become compliant, those who control such a system should be aware that they could face fines of £5,000 or more for non-compliance. SMT's readers who are operating surveillance systems SHOULD NOT rely on the goodwill of the Commissioner in the event of any future investigation.

With only 30 surveyed sites even apparently compliant, the remaining 263 (a significantly high 89.9% of the total sample) are almost certainly operating their CCTV systems in breach of the legislation. Thus, the footage derived from any of these systems could (potentially, at least) be successfully challenged in Court were it to be submitted as evidence.

The difference in the number of correctly registered sites (47.1% of the sample) and those displaying compliant signage (13.7%) remains notable. Many of the sites in the survey could become at least apparently compliant if the management teams at each reviewed their use or type of displayed CCTV signs, and then displayed CCTV signs which meet the Code of Practice criteria.

While in the event of a close examination this would not considerably benefit the system operator, the overall non-compliance signature of the operator would nonetheless be reduced. This may have some benefit in terms of crime deterrence if not detection. It's clear that much work still needs to be done in highlighting the requirements of the legislation.

Since it's a requirement that systems compliant with the Data Protection Act 1998 (and which also comply with the recommendations of the Code of Practice) are well maintained and monitored on a daily basis, it's not overstating the importance of gaining compliance to suggest that there is no more important factor in the detection of crime via CCTV than to ensure that all systems are Data Protection Act-compliant.

The expectation of the general public as to the effectiveness of CCTV systems should be identified as a friable resource. If and when CCTV footage fails to meet the requirements of the Courts as acceptable evidence then public support may indeed be lost. If that should occur, the impact on the CCTV sector – and on crime prevention and detection in general – could well be significant.

The compliance suite for CCTV systems (published by Insight Data Protection) contains all of the necessary documentation and information to assure compliance with the Data Protection Act, the Code of Practice, the requirements of BS 7958:1999 and the recommendations of the Home Office's Crime Reduction college. The cost of Data Protection Act compliance need not be prohibitive. Certainly, when balanced against the cost of CCTV system installation, and the benefits to be derived from the use of such technologies, the additional cost associated with compliance is a relatively paltry and affordable sum.

Making use of 'collateral coverage'
So-called CCTV system 'collateral coverage' has previously been used to good advantage by law enforcement bodies, notably in anti-terrorist and missing persons investigations. If this is to continue, police officers gathering CCTV evidence should be made fully aware of the impact of the Data Protection Act on CCTV footage, and satisfy themselves that evidence obtained has been lawfully procured by the system operator.