Legal
If you have installed a CCTV system in your business premises, or are thinking of doing so, then the Data Protection Act 1998 CCTV Code of Practice will apply to you.
You should make certain that you have a CCTV policy in place describing how it should be managed in compliance with Data Protection Act law, and that your security staff are not only issued with a copy but also carry out an annual assessment of management and equipment performance.
The UK is a leading user of CCTV and the public are used to seeing CCTV cameras on virtually every high street. Generally this security and surveillance system has the backing of the public, but if this is to continue, CCTV has to be used responsibly with proper safeguards in place.
The Data Protection Act legislation is at the very core of protecting Human Rights when it comes to the use of CCTV, so you must let people know that they are in an area where CCTV surveillance is being carried out. The most effective way of doing this is by prominently placed signs at the entrance to the CCTV zone and reinforcing this with further signs inside the area. The signs should contain details of the organisation responsible for operating the system, the purposes for using CCTV, and contact details.
It is vital that any CCTV data is kept securely, so that outside individuals cannot access it.
Those authorised to view CCTV images must have proper CCTV security training before they are allowed to handle the data, and their details noted on a training log. Whenever recorded CCTV data is viewed the time and date must be logged and the incident noted.
It is important that CCTV tapes and the CCTV recording machine, or the hard-disc if it is a digital CCTV system, be secured, so that only those with security clearance can access them. Specially designed security equipment should be obtained for this purpose.
Cameras and associated cables, recording devices and other ancillaries of the CCTV system must also be protected against interference, often necessitating anti-vandal housings, lockable boxes and secure areas.
It is also equally important to prohibit members of the public to view any CCTV data unless they go through the correct application procedure, and then only if they are entitled to do so.
All CCTV data held in your premises must be erased in the correct manner after the designated time limit for storing it has expired.
If the Police ever need to make use of CCTV data that you have recorded, it could be rendered useless if you have not complied with all of the legal aspects of operating the CCTV system.
Images of people are covered by the Data Protection Act, and so is information about people which is derived from images – for example, vehicle registration numbers. Most uses of CCTV by organisations or businesses will be covered by the Act, regardless of the number of cameras or how sophisticated the equipment is.
A little known aspect of DPA law is Right of Subject Access, whereby people have a legal right to request a copy of images captured on CCTV, and, subject to certain reasonable conditions the organisation responsible for the CCTV system (the Data Controller) must provide a copy, providing the person requesting them has made an application in writing, stating place, time and date, as well as photographic identity, within 40 days. In such circumstances the Data Controller is entitled to charge up to £10 for the search, including the cost of a CD or DVD.
Provided that CCTV images are managed in accordance with Data Protection Act principles there should be no cause for concern. Indeed, in countless high profile cases CCTV has proven to be an invaluable aid to investigation.
NB: The Data Protection Act does not apply to individuals’ private or household purposes. So if you install a camera on your own home to protect it from burglary, the Act will not apply.