Back in June 2013 the Home Office published its Surveillance Camera Code of Practice, creating the new office of Surveillance Camera Commissioner (SCC) and outlining his powers and responsibilities. The first SCC, actually appointed slightly earlier, was Andrew Rennison and he almost immediately announced he would not stay long. The new SCC Tony Porter started work on 10th March 2014.
The Surveillance Camera Code of Practice is now further supported by the Information Commissioner’s Office’s (ICO) latest code of practice on CCTV usage, entitled ‘In the picture: A data protection code of practice for surveillance cameras and personal information’, which was published on 15th October 2014.
The ICO’s Code of Practice for CCTV draws on codes and statutes laid down in the Protection of Freedoms Act 2012 as well as in the Data Protection Act, the Human Rights Act and the Regulation of Investigatory Powers Act (RIPA). As you would expect, the focus of the new CCTV code builds on legislation that has gone before in key areas including:
- Information governance – setting rules for video data retention and disposal including reliable storing of data only as long as is necessary to achieve its purpose, and establishing an audit trail for archiving and deletion procedures.
- Using images as evidence of wrong-doing – the need to supply evidence to the police in a timely way, and in a format and to a level of quality that enables it to be used as evidence in a court of law (i.e. not using overly-compressed, poor quality, corrupted or incorrectly time-stamped images).
- Data access provisioning – having systems and procedures in place to supply video in a timely manner in cases where Freedom of Information Act requests are made by the public, while also weighing up whether these images should be supplied to a requestor or whether, by doing so, they compromise the privacy (or even safety) of others likely to be identifiable on the images you supply.
- Data ownership – making it clear who is collecting the data and for what reason and using appropriate signage to communicate that surveillance is underway for a prescribed purpose.
- Privacy Impact – ensuring that surveillance being carried out is meeting a specific pre-agreed need while minimising personal identification (except for the subject being captured).
- Maintenance regime – to ensure that the system is still doing its job, meeting the original need, working properly etc.
However, the most interesting parts of the ICO’s 41-page document are the ones that focus on ‘surveillance technologies other than CCTV’. Specific guidance in Section 7 of the document covers use of Automatic Number Plate Recognition (ANPR), Body worn video (BWV) cameras and Unmanned Aerial Systems (UAS). There is now also separate ICO guidance on the use of cloud-based storage of video surveillance images and even the use of big data analytics where personal data is involved.
We thought it might be worth taking a slightly closer look at a couple of these areas as it is clear that both of them are likely to see wider deployment in the next couple of years: ICO requirements for ANPR and body-worn camera systems, or BWV as the organisation prefers to call them.
For those putting in ANPR systems there are a few considerations in addition to the above list, according to the ICO. These are:
- When storing video images of number plates and cross-referencing them with other databases to identify individuals, you will need to ensure that these databases are kept up-to-date, accurate and ‘of sufficient quality to prevent mismatches’.
- Think carefully about whether you need to collect all the information that you could collect – often including images of entire vehicles, occupants of those vehicles and ‘patch plates’ which identify the chassis of the vehicle. Do you need to be collecting all this and why?
- Broadly speaking, data that has served its purpose should be deleted as soon as possible. In other words, in cases where ANPR is being used to enforce the two-hour parking limit in front of a supermarket, once vehicles have left that car park within the prescribed time-limit their records need to be deleted, ideally immediately.
- The ICO highlights specific concerns around passing this data to third parties (if for example an outside contractor handles parking enforcement). Signage explaining that customers are being monitored also needs to provide details of the data controller – in this case the third party contractor.
There is also a recognition, particularly by the police and parking enforcement officers, that body-worn cameras are being more widely deployed now. The main focus of the ICO’s concern is use of audio and video recording in a proportionate way – commensurate with the threat. A few guidelines specific to BWV are included in the latest code of practice:
- Continuous recording is rarely justified so it is important that those wearing body-worn cameras are able to turn them on and off easily.
- Furthermore, there is a need to be able to turn video and audio recordings on independently of each other. In other words the ICO suggests that audio recording needs to be treated more sensitively in some instances.
- It should not be used to capture conversations on the street, for example, although it could be used in instances where a policeman is facing aggression or even physical attack. The concept of ‘collateral intrusion’ (essentially accidental breaching of privacy simply by leaving audio and video running for no good reason) is discussed in some detail.
It is clear from a thorough reading of the ICO’s new CCTV code of practice, together with the Home Office’s own Surveillance Camera Code, that the Government is finally recognising that the world that consisted of standalone (and often somewhat limited) traditional CCTV systems is rapidly evolving into one that is heavily networked and integrated with many other IP-based systems and devices.
In this much more connected world, where video analytics packages and sensors that can pick up and track our every movement and gather data about our behaviour are proliferating, it remains important that we keep data protection and privacy laws in mind as we deploy these new technologies. Surveillance for the sake of surveillance is just not good enough.
That’s why we’ve made a Privacy Impact Assessment part of our standard, comprehensive site survey procedures. Do make contact if you would like a Privacy Health Check for your existing or freshly-planned surveillance system. We would be pleased to help you step through the vast array of considerations and requirements.