by Amanda Chandler (Previously Compliance Manager - Information Commissioner)
The basis for the Data Protection Act 1998 originates from the provisions of an EU Directive aimed at harmonising EU data protection legislation. The provisions of the new Data Protection Act came into force for all CCTV systems (except only those used for domestic purposes) on the 1st October 2001. It is now a legal obligation for anyone operating a CCTV system to ensure full compliance not only with The Act itself but the Code of Practice for the operation of CCTV that the Information Commissioner has developed so you will not face any future surprises.
The definition of data under the new Act is ‘Information which is being processed by equipment operating automatically in response to instructions; or is recorded with the intention that it should be processed’. The definition of Processing is much wider than the previous legislation; ‘Obtaining, recording or holding the data, carrying out any operation or set of operations on the data, organisation, adaptation or alterations, retrieval, consultation or use of the data, disclosure of the data by transmission, dissemination, or otherwise making available, alignment, combination, blocking, erasure or destruction. By combining those two definitions, it will be recognised that the use of CCTV will almost certainly be encompassed by the requirements of the new Data Protection Act.
Some of the questions I am most frequently asked tend to concentrate on the following areas of concern: Subject Access; Information Sharing and Covert CCTV Operations.
Subject Access, (Section 7 Data Protection Act, 1998)
An individual is entitled to be informed of the following:
- A description of the personal data
- A description of the purposes for which the personal data are processed
- The recipients of the personal data
- The individual is entitled to a copy of the information to be provided in an intelligible form.
The Data Controllers rights may be summarised as follows:
- That the request be in writing
- There is sufficient information to satisfy themselves of the identity of the individual
- There is sufficient information to locate the information
- S/He has up to 40 days in which to respond
- S/He may charge a fee up to the statutory maximum
- S/He may continue routine processing
If a data controller cannot comply with a request without disclosing information relating to a third party, s/he is not obliged to comply with the request unless
- The other individual has consented to the disclosure, or
- It is reasonable in all the circumstances to comply with the request without the consent of the other individual, in which case regard shall be had to:
- Any duty of confidentiality owed
- Any steps taken to seek consent
- Whether the other is capable of giving consent
- Any express refusal of consent
The obligations under Section 7 with regard to subject access must be complied with unless
- It is impossible to do so
- It would involve disproportionate effort
- The individual agrees otherwise
Information Sharing (Section 115, Crime and Disorder Act 1998)
Although the Crime and Disorder Act creates a power to share information, such exchanges should only take place between parties which are specifically covered by the Act and which are sharing information under the terms of that Act.
The principles of the Data Protection legislation must continue to be addressed, e.g:
- Fair processing
- Compatible use / disclosure
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than necessary
- Individual rights
The power to share information created under the Crime and Disorder Act is only applicable where it is necessary or expedient for the purposes of the Act and may only be applied by the relevant Authorities, e.g. Police Forces, Police Authorities, Probation Committees, Local Authorities, Health Authorities. Information sharing between those bodies must be focused on the aims of the Crime and Disorder Act and should not be regarded as a licence for everyone to share information with everyone else! Therefore the practice of the police parting with photographs of known or suspected criminals to Local Authority CCTV schemes is unlikely to fall within the terms of the Act unless there is a clear crime prevention purpose, e.g. the individual is on conditional bail not to enter the town centre.
As mentioned, the sharing of information under this Act only applies to those bodies covered by the Crime and Disorder Act. With regard to the sharing of information by a public body to a member of the private sector, the public body needs to ensure that they have the power to do so. Equally the private sector needs to ensure that they have a legitimate basis for their processing under Data Protection legislation.
It appears that it is becoming increasingly popular for organisations in both the private and public sectors to carry out surveillance by the use of covert CCTV cameras. Although the term ‘covert’ in so far as it relates to the use of CCTV cameras is not defined, within their Model Code of Practice, the CCTV User Group offers the following:
‘The installation of a CCTV camera is considered to be overt unless it is installed in a manner whereby its presence is deliberately intended to be concealed from the view of any person likely to be within the field of view of that camera. Cameras which may be placed in domes or covered to reduce the likelihood of assessing their field of view, or to protect them from weather or damage, would not be regarded as covert provided that appropriate signs indicating the use of such cameras are displayed in the vicinity’.
There can be no all embracing advice regarding the use of covert CCTV cameras. Each application must be considered on its own merits but due regard should always be taken of the first principle of the Data Protection Act which states: Personal Data MUST be obtained and processed fairly. The only exception to that principle may be found under Section 29(1) which provides that personal data may be exempt from the First Principle under certain circumstances where compliance ‘would prejudice the prevention of crime or the apprehension and prosecution of offenders’.
Such exemption should not be seen as a blanket exemption to the use of covert cameras for the prevention and detection of crime. Each individual use should be carefully considered on its own merits taking into account the need to be focused, short term and aimed at specific criminal behaviour.
The office of the Data Protection Registrar advocates the use of signs to alert people that they are entering an area where they might be recorded and at least one Local Authority has amended the User Group’s nationally recognised sign to read ‘Hidden CCTV in operation’.Amanda Chandler was a compliance manager with the Office of the Data Protection Registrar and a regular contributor to The CCTV User Group’s national conferences.
(38) By , 12 Oct 2007, 16:15