Let's kick off with a definition. 'Data' means information which 'is being processed by means of equipment operating automatically in response to instructions given for that purpose', or information which "is recorded with the intention that it should be processed by means of such equipment". These definitions are indeed lifted straight from the Data Protection Act itself (Section 1.1 a and b).
As an end user, if your CCTV equipment doesn't fall within such a definition then it is classed as 'manual data' and you will be exempt from the conditions imposed by the 1998 Act until 24 October this year.
Technical experts have assured me that CCTV systems not falling within this definition are akin to an endangered species. If that is indeed the case, what follows is not for you. If, however, your CCTV set-up does fall within this definition, you have been required to comply with this legislation since 1 March 2000. As with any legislation there will always be exemptions to the rule, allowed for under what is commonly referred to as 'transitional relief'.
'Eligible data' and 'new processing'
If your existing system was operating prior to 24 October 1998, and the data/image processing on that system has not changed since then, it may be classed as 'eligible data'. Schedule 8.1(1) of the Data Protection Act states: "For the purposes of this schedule, personal data are 'eligible data' at any time if – and to the extent that – they are at that time subject to processing which was already under way immediately before 24 October 1998".
Suppose that your processing regime has altered since that date. It could then be classed as 'new processing'. As such it ceases to be exempt, and may require you to notify the Information Commissioner's Office. End users should be aware that it's a criminal offence to process personal data without informing the Information Commissioner – if asked to do so.
A change of processing could mean adding to the purpose of that processing, whether it's concerning perimeter control and protection, crime prevention and detection or staff monitoring for health and safety purposes, etc.
If you are the security and safety manager for, say, a large firm of corporate accountants or lawyers, and one of the firm's equity partners has left since October 1998, has the company's legal entity changed? If it has, the new entity has begun processing since 24 October of that same year. As such, it would not benefit from any transitional relief. Have you notified the Information Commissioner? Are you in fact committing a criminal offence?
There are a number of exemptions, many too complex and lengthy for discussion here. End users should refer to Schedule 8 of the Act, paragraph 13(1). You are required to comply with principles 2-6, which does include the right of data subjects to have access to any data that you hold on them.
You'll notice that we haven't even touched on the implications of the 1984 Data Protection Act. When we raise this matter we're constantly told that the 1998 variant repeals that 1994 Act in its entirety (Data Protection Act 1998, Schedule 16). That is correct, but only when the whole of the 1998 Act comes into force (and that's not until 24 October 2007!).
Until then, we suggest to you that the 1984 Act is still applicable to automated data processing in so far as the 1998 Act has not – as yet – replaced the relevant part of the 1984 legislation. In other words, although you may be able to rely on the transitional relief afforded by the 1998 Data Protection Act, you could be in breach of its predecessor.
The Data Protection Act 1994
The best place to start when seeking information and guidance on this Act is the excellent Home Office document entitled 'CCTV: Looking out for you' (published in November 1984).
At the time, advice from the office of the Data Protection Registrar expressed the view that "there are circumstances where video tapes such as may be generated in CCTV surveillance schemes would fall within the scope of the Act". For the Act to apply, a number of provisions must be met.
CCTV end users need to bear one truth in mind. If your camera image processing regime has not changed since 24 October 1998, you don’t have to notify the Information Commissioner’s Office until 24 October this year. That does not mean that you
Is it data? Section 1(2) describes data as "information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose". Of course, modern video editing and playback equipment can be sophisticated, and the Act states that "it's possible that such automatic processing could take place" (a point covered in due course in the section on processing).
Is it personal data? Section 1(3) of the 1984 Act describes personal data as "data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the data users), including any expression of opinion about that individual, but not an indication of the intentions of the data user in respect of that particular individual".
The simple recording of video images about unknown individuals may not meet the terms of this definition, as it does not relate to living individuals who can be identified from that information, or from that and other information in the possession of the data user.
That said, the 1984 Act goes on to state that: "There may well be circumstances where a video image is of a known individual who can be identified from that (or from that and other information in the possession of the data user). This may well be the case where the video image is used in connection with crime investigation, or for evidential purposes purporting to show a known individual committing a particular offence."*
Is the data processed by reference to the data subject? The 1984 Act has this to say: "Information may be extracted about the data subject by viewing their activities recorded on the tape, but it is again a point of issue whether the data is actually processed by reference to the data subject. Increasingly, modern video editing and playback equipment is computer-controlled, and it may be necessary to differentiate this from a conventional, domestic video recorder/player. If the video image in question is encoded with frame/time references and video playback equipment can be instructed to automatically locate the images in question, it may well be processed by reference to the data subject".
CCTV management in perspective
Confused? I hope so. If I leave you with no other message, then let it be that this legislation is extremely complex and confusing. To rely on the bland statement that prompted this article (ie 'CCTV does not come within the remit of the 1998 Data Protection Act until October 2001') could land you in serious trouble during the next few months and beyond.
The following extract is reproduced by kind permission of the Information Commissioner from the publication 'The Data Protection Act 1998: An Introduction'. It reads: "Data controllers will have to decide for themselves whether or not (or to what extent) their processing and their various data are eligible for transitional relief. The Commissioner recognises that there will be cases where it is unclear whether particular data are so eligible, or whether they are subject to processing already under way. The data controller will have to make reasoned judgements."
The statement goes on to say: "The Commissioner's approach in deciding whether or not data are eligible for any transitional relief will be to seek relevant information from the data controller before making a decision. Where the Commissioner's decision is contrary to that of the data controller, the Commissioner will give the data controller ample opportunity to make representations before deciding whether to take enforcement action."
CCTV managers should realise that if the Commissioner decides not to take action, that doesn't preclude an affected individual from pursuing their own action through civil courts.
This last point sums up the biggest problem that CCTV users are likely to face in the next couple of months. We're all aware of the pressure groups out there, whose sole tactics revolve around attempts to disrupt businesses. Breaches of the Act could be a further means by which they might achieve their goals.
Having pointed out the pitfalls, it would be remiss of me not to leave you with a solution to your problem. To notify under the new legislation will cost you £35 per annum. Surely this is a small price to pay to ensure that you're not processing data unlawfully.
From Wednesday 24 October, your CCTV system will be required to comply with the Data Protection Act 1998. I think it's highly unlikely that you're going to turn up at work on that day and say to your team: "Right folks, as from today we've got to do things differently".
Source
SMT
Postscript
Chris Brogan is chief executive of Security International
No comments yet