You are allowed to store the data only for as long as it is legitimately needed.
The DPA does not prescribe any fixed duration. The best way to determine the adequate duration for storing some data is to look at it from the opposite angle: you should remove it as soon as you no longer need it.
This duration does not have to be uniform for all equipment and under all circumstances. For example, CCTV footage from a hotel’s hallways and room access areas may need to be stored for a few days, as it can take some time before someone notices something has been stolen from their room. CCTV footage from a camera in the hotel’s restaurant, on the other hand, can safely be removed after just a few hours since incidents in these areas come to light very quickly. However, if that camera has captured footage of an incident that has been reported to the police, those sections can (and should) be kept until the legal proceedings are finished.
You must let everyone know if they are in an area where a surveillance system is operational.
For CCTV cameras, it is sufficient – and most effective – to place signs throughout the surveillance area and at its entrance. These signs should include:
- A notice that the area is being surveyed
- The details of who and why is using the surveillance system, if these things cannot be easily inferred from the surroundings
- Basic contact details, such as a website, email or phone number
Maintaining an Audit Trail
The legal requirements we have seen so far cover very long periods and, more often than not, large amounts of data. Demonstrating compliance over such periods is nearly impossible without a solid audit trail. What kind of internal documentation should you maintain?
Small businesses typically need to maintain only a small set of documentation, outlined in Appendix 2 of the ICO Code of Practice – essentially, nothing but a checklist and a small number of documents (such as a notification sent to the ICO).
For larger businesses, a minimal audit trail includes:
- An initial PIA
- An internal surveillance system policy document
- Periodic management audits, privacy impact reports, and system operational assessments
These documents will typically include CCTV-related information, as the CCTV cameras are likely to be only one component of a larger company’s IP security infrastructure.
Conclusions
In the UK, CCTV use is regulated as part of a broader legal framework, which deals with surveillance equipment of every form. For CCTV users, the ICO and the SCCO issue a set of guidelines in the form of codes of practice, which are not legal documents per se, but officially-sanctioned practical guides for ensuring compliance.
The body of legislation concerning surveillance equipment aims to strike a balance between privacy and security; it strives to give CCTV users the means to protect their staff and physical and electronic assets, without compromising the basic human right to privacy. Complying with surveillance-related legislation is a moral and legal requirement in and of itself, but it also brings substantial security and financial benefits.
Still confused by the legal requirements related to installing CCTV cameras in London? It’s perfectly understandable. The rules and regulations in this field take time to understand and master.
However, if you need more information on the topic of UK CCTV laws, we’re happy to help. After more than 20 years in this field, ACCL knows exactly how to make sure that all the CCTV systems we install in London meet legal requirements and adhere to the highest standards in the field.
Get in touch with us for your FREE, no-obligation on-site survey.