The Information Commissioner's Office ("ICO") has published a new code of practice on CCTV, "In the picture: A data protection code of practice for surveillance cameras and personal information" ("the Code"). The Code provides practical advice for those who are involved in the operation of surveillance devices that can record or view information about individuals. The Code encompasses requirements set out in both the Data Protection Act ("DPA") and the Protection of Freedoms Act, and intends to assist those who capture information about individuals through the use of surveillance systems to comply with the relevant legislation and requirements.
The Code reflects the enormous legal, practical and technological changes that have taken place since the first code of practice was published. Surveillance systems have moved from being used passively to protect people and property, to being used to proactively collect evidence. Modern surveillance systems can record people and their movements in great detail, and the quality of the cameras used means that people are now more readily identified. Surveillance systems include not only CCTV cameras, but also automatic number plate recognition, body wearable devices and unmanned aerial systems (drones). Devices have become smaller and more covert, so their use is not always obvious and is easily concealed, and flying drones, especially with a panoramic lens, can capture images of individuals unnecessarily and without their knowledge.
As devices have become much cheaper, and huge volumes of footage and data can now be stored easily and at low cost, an increasing number of businesses are considering how and whether to use camera surveillance. The new Code describes the processes and considerations that organisations should take into account when deciding whether to implement a surveillance system. The Code reminds you to:
1. Carry out a privacy impact assessment. Consider whether surveillance is an effective solution to the problem with which you are confronted and what impact it will have on individuals.
2. Establish a clear basis and system for the processing, storage and handling of information. You should appoint a person to have responsibility for the control of information, deciding what is to be recorded, and how it can be used and disclosed.
3. Put clear documented procedures into place, make sure that they are communicated to the operators, and proactively check that they are followed.
4. Notify the ICO that you are a data controller. Your notification to the ICO must be renewed annually - this can be used as an opportunity to review your use of the system and whether it is still justified.
5. Ensure that information is secure (encrypted where necessary), and that access is restricted.
6. Ensure that disclosure of any information is controlled and consistent with the purpose for which it was retained. It may be appropriate to provide security surveillance footage to a law enforcement agency, but it is unlikely to be appropriate for an organisation to publish it online or in the media.
7. Set retention periods. The DPA does not specify minimum or maximum periods, but the information should not be kept for longer than necessary and should reflect the purpose for obtaining the information.
8. Ensure that the system only collects information necessary to meet the purpose for which it is required. Carefully consider the location of the cameras - make sure they do not view unnecessary areas, and consider a system that can be switched on and off. Be careful in areas where individuals expect more privacy, such as changing rooms (cameras should only be used here in exceptional circumstances).
9. Consider whether you need to record both audio and video. Only record audio in circumstances where it is necessary, and make sure that audio recording can be switched on and off.
10. Take care when using drones. Make sure that recording can be switched on and off. Continuous recording needs strong justification, and must be necessary and proportionate. You should consider using website notices, high-vis clothing and signs to tell the public that drones are being used.
11. If you are regularly going to share recorded information with third parties then it is important to have a data sharing agreement in place with them. Likewise, put written contracts in place with any contractors or service providers that you use who access or work with the information. Make sure any contract sets out their obligations in respect of storage, use of the information, and the training of their staff.
12. Make sure that you let people know when they are in an area where a surveillance system is in operation. This could be by signage, audio announcements, or by way of online notices.
Public authorities should also make sure they consider the Home Office code of practice on surveillance cameras, which provides more specific guidance.