There are numerous privacy laws out there, of course, but the more predominant ones are: the Data Protection Act 1998, the Human Rights Act 2000, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 and the Freedom of Information Act 2000. Each of these Acts of Parliament will affect how the end user processes personal data, whether it be via the use of CCTV or any other form of processing.
That said, it's amazing when you consider how these laws are ignored. Despite warnings given by the Information Commissioner's office and pressure groups including Liberty and Privacy International, you can still walk around the City of London (and probably other major cities in the UK as well) and observe CCTV systems in operation with absolutely no signage telling you that you're entering a CCTV-controlled area.
Exemption from Data Protection
As the privacy laws – after my wife, my children and Sigourney Weaver – are the love of my life, I spend a great deal of time wandering into buildings where there's a CCTV system in operation and yet no signage to say so.
Once inside, I'll ask the security officers on reception if they know who their Data Protection Officer is, and what I would have to do to obtain a copy of the CCTV footage of me entering the building. Invariably, they look at me somewhat blankly, and with some degree of sympathy. The standard response is that they don't have a Data Protection Officer, while the CCTV footage is strictly confidential (and under no circumstances will copies be handed over). They're in for a shock!
Companies have even told me that they're exempt from the Data Protection Act. Let us dismiss that myth immediately. Absolutely no-one is exempt from the Data Protection Act. The current registration for the security service MI5 was made on 30 October 2000, and expires on 29 October this year. The current registration for the secret intelligence service MI6 began on 20 April 2001, and expired on 19 April. The current registration of Government Communications HQ (or GCHQ) began on 16 March, and will expire on 15 March next year. If our security services are required to comply with the legislation, then your company or organisation must do so.
Rather than go into chapter and verse on the legislation itself, let us focus the mind on a couple of issues that could get you into serious trouble. Issues that have not been addressed anywhere else to date, in fact. The first of them centres on the relationship between the Data Controller and the Data Processor.
Data control and processing
It's the Data Controller that has to comply with the Data Protection Act and, when they instruct someone to process information on their behalf, they must ensure that the Data Processor complies with the legislation through a form of contract. The legislation stipulates that this contract must be in writing. Under English law, the contract comprises an offer, an acceptance and a consideration, and must be considered legally binding by both parties. If any of those criteria are missing, then it's arguable as to whether or not it's a contract.
Data Protection imposes a fifth condition, and that is that where a Data Controller has instructed a Data Processor, the contract should include reference to the Data Protection Act, and the expectation of the Data Processor's compliance by the Data Controller (with an emphasis on Principle 7 of the legislation: security of personal data).
Let's look at the issue a little more closely, and see if we can work out what it means. The client (Data Controller) outsources all of its security to a private security company. The security company provides the services of security officers and, in turn, outsources the CCTV aspect of the security programme.
The CCTV company employed by the manned security contractor in turn outsources certain technical aspects of the CCTV system to specialist organisations (ie the 'pixelling-out' of third party data). This specialist company employs freelance operatives who travel around the country providing the service. These operatives are paid by the assignment, and are considered to be self-employed.
A common set of circumstances, then, that have prevailed for many years.
Under Data Protection legislation there are a number of issues that we must consider. The client, who is the Data Controller, should have insured the security company in accordance with the Data Protection contract. That would then make the security company the Data Processor. At this stage we could ask the question: how many companies (when outsourcing their security processes) actually make any mention of Data Protection in their contract? In turn, the security company is outsourcing the CCTV to yet another company. Does the client know that the contractor is doing so? If they don't, doesn't it raise the question as to whether the security company is determining that aspect of the processing?
If they do, aren't they then taking on the mantle of Data Controller?
The CCTV company then outsources part of the processing to the pixelling outfit. Have they told the security company that they're doing so, or is it arguable that they have determined that aspect of the processing and, as such, have taken on the mantle of Data Controller? The pixelling company in turn outsources it to other separate legal entities, and we have the same question posed. Have they now taken on the mantle of Data Controller?
At each stage of that outsourcing the contract should be in place, and the principal client should be aware of who or what is processing data on its behalf. If the instructions have not been in accordance with Data Protection, do we then have (in the aforementioned scenario) four Data Controllers and a Data Processor? If I'm right in my submission, there is probably a situation pertaining whereby three of those Data Controllers are responsible for the activities of a Data Processor whom they don't even know exists. That cannot be good business.
If such a scenario has taken place and you are the security or facilities manager of the principal client organisation, and the entire process goes pear-shaped, your company will end up being prosecuted – and so will your Board of Directors. Don't hold out any hope for a pay rise or promotion if that happens.
Influence of the Data Subject
In truth, the chances of the above scenario occurring in real life are pretty remote. It's highly unlikely that the Information Commissioner is going to find out. Elizabeth France and her colleagues are overworked and underpaid as it is, and at the moment it would appear that they're only responding to breaches reported directly to them.
That said, what about the influence that the Data Subject can bring to bear on this scenario? They have rights to a 'subject access request'. Put simply, this means that – as the end user of the CCTV system – you must provide to them copies of their information that you have processed, details of how you processed it and who actually did the processing for you. The chances of the Data Subject understanding the finer points of the legality of the legislation are also remote, so if you are in a position to give them a copy of the video they'll go away happy. However, consider the more well-informed Data Subject who might be deliberately targeting your organisation...
As mentioned previously, the pressure group Liberty fights for the rights of individuals. Its members know a fair bit about the privacy laws. James Welsh, one of Liberty's directors, has given many excellent presentations on individuals' rights versus the advancement of CCTV. But what about the pressure groups that are not quite so nice in their approach? Eco Warriors, Reclaim The Streets and the Animal Liberation Front spring to mind here. They also know a fair bit about the privacy laws. If you visit their web sites you will see that detailed advice is given out to the activists to help them exercise their rights under the Data Protection Act, the Human Rights Act and the other privacy laws.
There are numerous other web sites out there. We've looked at them and the advice they're giving is very good indeed. Many of these activists have one intention in life, and that is to disrupt our present system. We have all read of methods used whereby the protestors demonstrate outside the homes of directors and senior employees of companies and then create a nuisance – or, in many instances, resort to verbal and physical abuse. What you may not be aware of is the fact that many of these activists are issuing new challenges to public order policing.
Mark Button – a lecturer on crime science at the University of Portsmouth – has (together with other practitioners) written a paper entitled 'New Challenges in Public Order Policing: The Professionalism of the Environmental Protest and the Emergence of the Militant Environmental Activists'. Published in April last year, the paper explains how such activists are now using the law to fight their cause. The costs awarded and compensation obtained in successful cases are then fed back into the coffers of the activists' groups and used to fight the next battle.
If the scenario painted above has taken place and your organisation is targeted by such activists, I would suggest to you that they will use these potential breaches of Data Protection legislation against you and your organisation.
CCTV images and the Courts
Consider another aspect of the above scenario: CCTV images being used as evidence in a Court of Law. The defendant has a super smart barrister who is up-to-date with the privacy laws. As the case unfolds he brings example after example to the attention of the Judge of breaches of Data Protection legislation by you, the principal client.
Taking our imaginary case, he would be able to demonstrate that there were at least four breaches of the 1st Principle of the Data Protection Act ('fairly and lawfully processing'), and four breaches of the 7th Principle ('personal data should be processed securely').
If any one of the Data Processors that I'm suggesting might also be Data Controllers had not registered under the Data Protection Act, then you have the strict liability offence of processing information without having notified the Commissioner when required to do so.
If push came to shove and the barrister thought he had caught the interest of the presiding Judge, he would then be able to develop arguments along the lines of excessive processing and information from personal data being used for a process other than that for which it was intended.
The barrister's final submission to the Judge would be: "Your Honour, there have clearly been gross breaches of the Data Protection Act, and my submission is that this is a breach of my client's Human Rights under Article 6, which entitles him to a fair trial. This is not a fair trial because the evidence being produced before the Court was inequitably gathered in breach of Data Protection."
People have been telling me for some time that this will never happen. At a seminar I gave at the Lancashire Constabulary HQ in November last year, a question was posed with regard to a problem being faced by the police – relating to drivers filling up at service stations and then driving away without paying. The petrol station manager calls the police, who will ask him whether or not the incident in question has been captured by CCTV. The manager answers in the affirmative. The police will then ask if the installation is registered under the Data Protection laws. You can imagine that the manager knows nothing about this, is not registered and yet would be required to do so. The police have to refuse the evidence, and thus no prosecution is possible.
I researched this with the Lord Chancellor's office, with the question as to whether the Lord Chancellor would deem this information as being admissible in a Court of Law. His answer was as follows...
"It is important that all Data Controllers (that is bodies/people who hold personal information about people within the terms of the Data Protection Act) are registered with the Information Commissioner. It is ultimately for the Judge to determine, in consultation with both parties to a case, whether any evidence is admissible. However, it is very strongly felt that evidence from an unregistered CCTV camera would not be disregarded in court simply because the camera(s) had not been registered – a minor offence. The court is far more likely to give weight to considerations such as the CCTV system's image clarity, and whether it showed the scene of the crime at a relevant time.
"As long as the CCTV footage is being presented in accordance with the principles of the Data Protection Act, registration is a secondary issue. Of course, formal registration should always be made once the Data Controller is aware of the need to do so."
When confronted by this quote, Jonathan Bamford at the Information Commissioner's office replied in a similar vein – rounding on the quality of CCTV images. He said...
"The Commissioner's opinion on this issue is the same as that expressed by the Lord Chancellor's office. This is that evidence from a CCTV system that wasn't notified is unlikely to be disregarded in court simply because of non-notification. The Commissioner also agrees with the other comments made about considerations of the quality of the CCTV footage, as well as the importance of operating in accordance with the principles of the Data Protection Act."
Liberty's comments on both of these statements were as follows: "We do not think we'd be able to disagree with the Lord Chancellor's office's opinion that CCTV evidence should be disregarded simply because the Data Controller wasn't registered. There is discretion of the court to exclude evidence under Section 78 of the Police and Criminal Evidence Act 1984. We would expect the fact that the Data Controller was not registered to be used in support of an argument that the evidence be excluded, but this wouldn't necessitate exclusion on its own."
A breach of Human Rights
My submission earlier in this article was that if the defending barrister could show repeated breaches of the Data Protection Act, then it would add weight to his submission that this is a breach of Human Rights Article 6. My prediction is that, in the next three years, this will become a regular occurrence.
As previously mentioned, current legislation states that the Data Subject may make a written request for a copy of any CCTV footage involving him or her for a fee of £10. Once the end user is in receipt of such a request they have 40 days in which to comply.
The Commissioner's Code of Practice recommends that you have the necessary documentation available so that someone entering your building could be given the wherewithal to commence the access request. What about a situation where you are being targeted by an activist group, though? A number of companies have experienced systematic targeting by activists, where the protestors have only one intention in mind – to disrupt the security management procedures of the company in question. They have rights just like the rest of us, but let's stop and review the rights you have as an organisation.
If their request is not in accordance with the Data Protection Act, where in the legislation does it say that you have to inform them as to how to make an access request? The Code of Practice from the Commissioner's office suggests how it should be done, but you could picture instances where you would have very little problem in developing an argument not to assist them. If your CCTV footage is being kept on the usual 31-day cycle, it could be that by doing nothing – as a result of the request not being made lawfully – then by the time the activists come round to making it lawfully the cycle has passed, and you no longer have the footage. Hence you don't have to go to the expense or inconvenience of providing it.
Consider another aspect of an access request. It's generally accepted that when someone makes such a request, if there are third parties caught within the footage then you would pixel out their details. In the Act, it doesn't state that you have to do so. It is a judgement call by you, the CCTV end user, as to whether or not you owe any confidentiality to the third parties involved.
Ask yourself the question: what harm would it cause to the third parties if you didn't pixel out their images? If I were to make an access request to you and I'm with a crowd of people and we're all wearing the same T-shirt bearing the slogan "West London Chapter For Saving The White Cabbage", wouldn't it be a sensible assumption to make that we all know one another, that I know they are there and that there had been no breach of confidence?
Ask yourself how many access requests you've had over the past two years. Then look at the cost of the equipment needed to pixel out the images of others caught within the footage, and also include the administrative time involved. Then balance the risk of getting it wrong (ie the Commissioner disagrees with your reasoning). What's the worst case scenario? The Commissioner will tell you she disagrees with your processes, and that you are not to do so again. At that stage, you should then start incurring the expense of pixelling images. What action is the Data Subject going to take against you? Unless they can demonstrate that they have suffered a tort, what would they be asking the court to remedy through a private action?
Don't disregard your responsibilities to the Data Subject and their access request, but maintain a balanced view on the subject.
Where to now?
I'm a great believer in education. It's a process, not an achievement. It should be distinguished from training: education deals with the question of 'Why?', and training with the question of 'How?'. Not enough time is spent on discussing 'Why?'. Isn't CCTV all about processing personal data? It's safe to assume that you haven't put cameras up on your site just to look at a brick wall. They're there to monitor the actions of people. There's legislation out there to cover the monitoring of those people, but how much emphasis is being given to training your staff in that regard?
When visiting exhibitions like IFSEC, where there is an abundance of state-of-the-art CCTV systems, you engage the salesmen in conversation and then ask them about the Data Protection aspects relating to their products. There's usually a blank expression.
Data Protection and the Law: the consequences of non-compliance
The worst-case scenario could present you, the CCTV system end user, with a good degree of difficulty if your installations do not comply with the current Data Protection laws. For starters, a £5,000 fine is in the offing. There could be a criminal record in it for your company’s Board of Directors. A civil action pursued by the Data Subject is more than likely, and your defence case will be thrown out if it’s proven that information was inequitably gathered. Costs will be awarded against you, and you’ll receive a visit from the Information Commissioner’s office. You can bet that its representative’s tone of voice will not be to your liking. Remember that the Information Commissioner does have the power to make you change your method of processing. Imagine the financial impact that could have if you need to re-jig your CCTV set-up. “It will never happen to me” is not a good enough excuse. It will. The Midlands Electricity Board had two complaints made against its processing methods, ended up in front of a tribunal – and lost. Don’t let yourself – or your employer – fall into such an invidious position.
Source: SMT
Postscript
Chris Brogan is chief executive of Security International