Most of these requirements follow a “policy, not mechanism” approach and establish objectives, not the means to achieve them. Businesses are therefore given a great deal of flexibility in this regard. This guide aims to explore the key practical points of your legal requirements, in the hope that it will help you make the most of this flexibility. The key questions that we want to address with regard to CCTV laws in the UK are:
The legal framework that you need to comply with is founded on four acts:
This legal framework is not overly complex, but it is very broad. FOI, POFA, and especially HRA refer to a great deal of topics besides data from CCTV cameras. This has prompted various government and industry bodies to issue their own documents, detailing the responsibilities of CCTV users and recommending compliance solutions.
The Information Commissioner’s Office (ICO) issues a data protection code of practice for surveillance cameras and personal information. The ICO is a government body, but the ICO code of practice itself is not a legal act – it’s a compilation of practical advice about how to ensure you are following the acts mentioned above. In other words, while following the ICO code of practice is not a legal requirement, chances are that, if you are breaking it, you are breaking the law as well.
The Surveillance Camera Commissioner’s Office (SCCO) also issues a code of practice, aiming not only to detail the legal requirements that CCTV users are bound by, but also to provide a coherent technical framework for planning the deployment of CCTV cameras and for integrating them in your IP security system. Like the ICO code of practice, while not a legal act, this is an officially-sanctioned document.
We should stress that these requirements are not mere legal burdens. There are real, substantial security benefits in following them, which go beyond the obvious benefit of not being fined, prosecuted or incarcerated. What are these benefits?
Benefits aside, breaching the DPA carries heavy legal consequences: serious breaches can result in a fine of up to 500,000 GBP, and penalties for deliberate breaches include custodial sentences. In 2016, the ICO issued 35 fines, totalling 3.2 million GBP.
If you have to ask, it probably is: the DPA and the ICO code apply to all companies and organizations, regardless of size and activity, and regardless of why you use CCTV cameras. The only surveillance systems that do not fall under the DPA are those deployed for limited household purposes.
In short, the legal responsibility belongs to the person who decides (alone, jointly, or in common with others) what data is processed, for what reasons, and in what manner. This person is called the data controller in DPA jargon. “Person” here is to be taken in the legal sense – it can be an individual, an organisation, or any other corporate or unincorporated body of persons.
Data controllers do not necessarily carry out the surveillance and processing themselves. They may do so through third parties, such as security or tech support service providers. These are called data processors and are not bound by the DPA when it comes to data owned by the data controller.
If you are unsure whether you are a data controller or a data processor, the ICO maintains an excellent guide that can help you figure it out.
The legal definition of surveillance is very broad. It definitely covers CCTV cameras, automatic number plate recognition (ANPR) systems, body-worn cameras (BWC) and surveillance drones (SD). Under certain conditions, it can also cover data generated by electronic access control systems (EACS), biometric recognition (BR) data, voice conversations, and telephone data.
In short, the data controller of a CCTV system has the following responsibilities:
Ensuring that CCTV cameras are used only where and when it is necessary is perhaps the most fundamental element of legal compliance. The DPA explicitly states that personal data “shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed” (DPA 1998, Sch I, 3). The ICO has a handy guide that can help you decide whether you need to collect any personal data, and how to decide what data is adequate for your purposes.
In practice, this decision is usually based on a privacy impact assessment (PIA). Conducting a PIA is not a legal requirement of the DPA, but it is a very effective way of demonstrating DPA compliance, and the ICO routinely asks organizations if they have conducted a PIA.
Effective administration of the surveillance system is the cornerstone of DPA compliance. In the context of surveillance equipment, effective administration refers to:
The ICO maintains several guides to help you devise an effective administration scheme: a code of practice on privacy notices, transparency and control, one on employment practices, and one on data sharing.
This responsibility means you need to:
Access control requirements are very strict, especially when it comes to sharing data with third-parties. For example, the ICO has a special set of recommendations for using cloud-integrated IP security systems.
Oftentimes, this requirement is breached accidentally – for example by posting surveillance camera images on the Internet or disclosing them to the media. The rule of thumb is that you should never disclose information unless you can point at the exact legal provision which allows you to do it.
Under the DPA, Section 7, the subject of CCTV data – that is, anyone who appears in your cameras’ footage – can ask for any personal data that you have collected on them, and you are required to release it.
You are allowed to charge for these services. You are also allowed to ask for additional information in order to be able to identify which data you need to disclose, and in order to confirm that the person asking for the data is really the one in the pictures. However, once you have received a written request and this information has been supplied, you are required to disclose the information.
The DPA also allows third-parties to access surveillance data under some conditions. For example, you may be required to disclose CCTV images if they are required for legal proceedings.
In practice, this means that you should ensure not only that your system is able to store the information you need, but also that you can look up and retrieve any particular piece of footage in a timely manner, and that you can easily convert it into an easily accessible format.
The DPA does not prescribe any fixed duration. The best way to determine the adequate duration for storing some data is to look at it from the opposite angle: you should remove it as soon as you no longer need it.
This duration does not have to be uniform for all equipment and under all circumstances. For example, CCTV footage from a hotel’s hallways and room access areas may need to be stored for a few days, as it can take some time before someone notices something has been stolen from their room. CCTV footage from a camera in the hotel’s restaurant, on the other hand, can safely be removed after just a few hours, since incidents in these areas come to light very quickly. However, if that camera has captured footage of an incident that has been reported to the police, those sections can (and should) be kept until the legal proceedings are finished.
For CCTV cameras, it is sufficient – and most effective – to place signs throughout the surveilled area and at its entrance. These signs should include:
Maintaining an Audit Trail
The legal requirements we have seen so far cover very long periods of time and, more often than not, large amounts of data. Demonstrating compliance over such periods is nearly impossible without a solid audit trail. What kind of internal documentation should you maintain?
Small businesses typically need to maintain only a small set of documentation, outlined in Appendix 2 of the ICO Code of Practice – essentially, nothing but a checklist and a small number of documents (such as a notification sent to the ICO).
For larger businesses, a minimal audit trail includes:
These documents will typically include CCTV-related information, as the CCTV cameras are likely to be only one component of a larger company’s IP security infrastructure.
In the UK, CCTV use is regulated as part of a broader legal framework, which deals with surveillance equipment of every form. For CCTV users, the ICO and the SCCO issue a set of guidelines in the form of codes of practice, which are not legal documents per se, but officially-sanctioned practical guides for ensuring compliance.
The body of legislation concerning surveillance equipment aims to strike a balance between privacy and security; it strives to give CCTV users the means to protect their staff, physical and electronic assets, without compromising the basic human right to privacy. Complying with surveillance-related legislation is a moral and legal requirement in and of itself, but it also brings substantial security and financial benefits.
Still confused by the legal requirements related to installing CCTV cameras in London? It’s perfectly understandable. The rules and regulations in this field take time to understand and master.
However, if you need more than information on the topic of UK CCTV laws, we’re happy to help. After more than 20 years in this field, ACCL knows exactly how to make sure that all the CCTV systems we install in London meet legal requirements and adhere to the highest standards in the field.
Get in touch with us for your FREE, no-obligation on-site survey.