Understanding the CCTV code of practice

Research by Axis Communications has suggested that 82 per cent of small businesses that already have CCTV systems in place are planning to either upgrade or replace their existing systems. In fact, 39 per cent of the 500 UK-based small business owners surveyed are looking into putting their plans into action over the next two years – and 38 per cent said that they are motivated to take action after suffering either a break-in or theft at their premises.

James Lowman, the chief executive of the Association of Convenience Stores, commented: “Network cameras are a valuable tool for retailers, not just for reporting crimes when they happen but also to use as a preventative measure that discourages potential criminals.

“Our Local Shop Report shows that 78 per cent of convenience stores have surveillance cameras in their business, and we also expect this to grow over the next year as more stores invest in effective crime prevention measures.”

If you are a business owner who is planning to install CCTV systems around your premises, take note that you will need to follow the CCTV code of practice set out by the Information Commissioner’s Office (ICO) in order to stay within the law while using the technology.

The entire document can be viewed by clicking here. However, cloud CCTV provider 2020 Vision has summarised the main points below to help you get started:

Why was the CCTV code of practice developed?

The ICO developed the first edition of its CCTV code of practice in 2000 in order to explain the legal requirements that operators of surveillance cameras were required to meet under the Data Protection Act (DPA) 1998. It also serves to promote best practice and to address the inconsistent standards that had been adopted across various sectors at the time of publication.

By following the recommendations set out within the CCTV code of practice, businesses will be able to…

  1. Ensure that they are complying with the DPA and other relevant statutory obligations when capturing individuals’ information.
  2. Contribute to the efficient deployment and operation of a CCTV system.
  3. Capture information that is usable and able to meet its objectives in practice.
  4. Reduce reputational risks while also avoiding regulatory action and penalties.
  5. Reassure individuals when information is captured.
  6. Help achieve wider public trust and confidence in the use of CCTV systems.

Does your business need CCTV?

Surveillance systems can be privacy intrusive, because they place significant numbers of law-abiding people under surveillance and record their movements during their day-to-day activities. It is therefore important to carefully consider whether or not you need the technology before going ahead with an investment.

Therefore, aim to answer the following questions when justifying the processing of personal data:

  • What is the nature of the problem that you are looking to address?
  • Will a surveillance system be a justified and effective solution for addressing this problem?
  • Are there alternative solutions available that will be just as effective, if not better?
  • If you do opt for a surveillance system, what effect will the technology have on individuals once in operation?
  • Will the surveillance system be a proportionate response to the problem that you have?

An effective way to answer all of these questions and analyse the impact that setting up a surveillance system will have on people’s privacy is to carry out a privacy impact assessment. The ICO has more information about this process in its ‘Conducting privacy impact assessments code of practice’ guide.

How can you ensure effective administration of your CCTV systems?

It is vital that you establish a clear basis for the handling of information about the individuals captured on surveillance systems, principally by setting out which party or parties are responsible for the control of such information.

To achieve this, work through the following questions:

  • Who is responsible for the control of information gathered from CCTV systems and decisions regarding how such information can be used?
  • If more than one body is involved with the administration process, have the responsibilities of each party been agreed and explained?
  • Has the body/bodies responsible for administration notified the ICO that they have been named as the data controller of the CCTV system? (This notification should include details about how the information is used and the disclosures that are made.)
  • Does someone outside your organisation provide your business with processing services? If so, has a written contract been drawn up detailing clearly defined responsibilities?
  • Have clearly defined and specific purposes for the use of information gathered from CCTV systems been identified? If so, have these purposes been communicated to parties who are responsible for operating the system?
  • Have clearly documented procedures regarding how information gathered from CCTV systems should be handled been established?
  • Has a plan been set out for proactive checks and audits of procedures related to CCTV systems, so that these can be carried out on a regular basis? (All checks and audits should be performed by either a system operator or an individual from a third party.)

How do I look after and use recorded material?

There are a few areas to cover when it comes to looking after and making use of any recorded material that your business has from CCTV systems:

Storage of information from surveillance systems

When storing any recorded material, it is important that this is carried out in a way that maintains the integrity of the information so that the rights of any individuals recorded are always protected.

Achieve this by holding and recording information in a manner whereby access is always restricted and the information is kept secure and, where necessary, encrypted.

Encryption is a method for preventing unauthorised access to images, but it is not appropriate in situations such as when it may have an effect on the information that you are aiming to process.

Disclosure of information from surveillance systems

Any disclosure of information gathered from surveillance systems must be carried out in a controlled and consistent manner that abides by the purpose or purposes set out when the technology was set up.

Take note that if such information is placed on the internet incorrectly or without full consideration of what is being done, then the result could be the disclosure of individuals’ personal data and the disclosure of sensitive personal data in general. In the worst-case scenario, the ICO may take enforcement action as a result of this.

Subject access requests

When information about an individual is recorded on your surveillance systems, that individual will have a right to be provided with the data or, should they consent to it, to view the information.

Be aware that this information has to be provided no later than 40 calendar days after the request has been received, though you may charge a fee of up to £10 for the procedure. This is the current statutory maximum that has been set by Parliament.

Freedom of information

If your business is a public authority, take note that your organisation may receive requests that fall under the FOIA or Freedom of Information (Scotland) Act 2002 (FOISA). Freedom of information requests need to be responded to within 20 working days, taking into account your authority’s responsibilities.

Take note that there are two exemptions with regard to freedom of information requests, though, as set out in both Section 40 of the FOIA and Section 38 of the FOISA:

  1. If the information is personal data of the requester, then the request should be treated as a data protection subject access request and not a freedom of information request.
  2. If the information contains personal data relating to other people and not just the requester, then the data should only be disclosed if it doesn’t breach any data protection principles.

There is plenty more information available about freedom of information requests on the GOV.UK website.

What are my responsibilities once a CCTV system has been set up?

Once a surveillance system is in operation at your business, it is your responsibility to let people know whenever they are in an area that is being monitored.

Signs that are prominently placed at the entrance to a surveillance system’s zone are great for informing individuals about this. Ensure that these signs:

  • Are clearly visible and readable.
  • Contain details about the organisation in control of operating the surveillance system.
  • Detail the purpose/purposes of using surveillance systems.
  • Set out who should be contacted for further information about the scheme — a website address, email address or telephone number will be sufficient.

As well as these signs at the entrances to zones under surveillance, also consider setting up further signs inside the area, and backing up the message with an audio announcement where public announcements are used, such as on trains.

If your CCTV cameras are being used on a road network or around areas that allow access via vehicles — a car park, for instance — be aware that appropriate signs need to be provided that alert drivers about this operation. These signs must never affect the safety of the road users, so take note of the amount of time that a driver will likely have to read the information.
