CCTV & your responsibilities

In recent years the use of CCTV, especially in domestic settings, has increased exponentially.

There are now around 5.2 million cameras in the UK, but many operators are unaware that there has been a ‘Data Protection Code of Practice for Surveillance Cameras and Personal Information’ in place since the year 2000.

In a recent action, reported by Birmingham Live, a CCTV and video doorbell system showed not only the defendant’s driveway, but also the claimant’s house and garden. The cameras had the ability to capture images of the claimant as they moved around inside their own property as well as audio data.

In ruling in favour of the claimant the judge said: “Personal data may have been captured from people who are not even aware that the device is there – or that it records and processes audio and personal data.” John Ward, partner for the Warwickshire based dispute resolution solicitors, Brindley Twist Tafft and James, said under the Data Protection Act (2018) “every homeowner should be mindful of their security cameras capturing footage of public areas and shared spaces”.

The code of practice makes clear the need for regulation.

Surveillance cameras are no longer a passive technology that only records and retains images but are now a proactive one that can be used to identify people of interest and keep detailed records of people’s activities, such as with ANPR (automatic number plate recognition) cameras.

The code is part of a wider regulatory landscape that includes the Protection of Freedoms Act (2012), the Freedom of Information Act 2000 (FOIA), and the Human Rights Act (1998).

The ICO has also taken enforcement action to restrict the unwarranted and excessive use of increasingly powerful and affordable surveillance technologies.

For a business, data gathered by CCTV or any other surveillance system, needs to be handled in the same way as any other personal data. The code is very clear for instance that a vehicle registration mark is personal data as it could be used to identify the owner. So, if an ANPR system is used to collect information on those overstaying parking time limits then retaining details of cars which have not exceeded the limit may be seen as unnecessary and excessive and unlikely to comply with the UK GDPR data processing principles, in particular storage limitation.

The length of time information should be retained for is likely to vary but should be the shortest period necessary to serve the purpose the data was collected for. As an example, information collected for anti-fraud reasons at an ATM may need to be retained for several weeks while a surveillance system in a pub would be required for a much shorter time as any incidents would come to light quickly.

There are twelve principles that the Code of Practice suggests should be adopted by system operators. As with other aspects of personal data protection these cover transparency, review, auditing, and accountability through having clear policies and procedures in place to determine how the data collected is handled, stored, and disposed of. Relevant employee training is also a requirement, whether a data controller or processor.

The damage to an organisation’s reputation for the mishandling of this very public type of personal data can be permanent. Organisations which protect personal data properly send a clear message about how they conduct themselves in a wider business context.

CSRB has a simple mission. To be clear and open about personal data protection.

What you need, why you need it and what you are legally required to do. We aim to do this in a jargon free manner. Please get in touch or call 0117 325 0830 to discuss how your use of CCTV and surveillance systems should be included in your information governance framework.