Updated CCTV Code Of Practice - Are You In The Picture?

The Information Commissioner’s Office (“ICO”) has recently published its updated Code of Practice on how to use CCTV and other surveillance cameras in compliance with the Data Protection Act 1998 (“DPA”). A full copy of the Code can be found on the ICO website.

The Code provides useful guidance to both private and public sector organisations of all sizes on how to implement surveillance systems without breaching the DPA.  Three key areas which are highlighted by the Code, and which should be noted by organisations wanting to ensure their CCTV and surveillance systems are DPA-compliant, are: (i) the importance of privacy impact assessments; (ii) new subject access guidance for surveillance footage; and (iii) rules for new surveillance technologies.

Privacy Impact Assessments (“PIAs”)

  • A PIA requires a data controller to consider the privacy implications in advance of implementing a new surveillance system.
  • Many of the data protection issues the ICO has encountered in recent years relating to surveillance systems could have been avoided if data controllers had carried out a PIA, so PIAs are a good way of managing your data protection liability.
  • PIAs should be regularly reviewed, to ensure the surveillance system remains necessary and proportionate for its purpose.

Subject Access Guidance

  • If you receive a subject access request for surveillance footage, you should clarify the date, time and location of the relevant footage the requestor requires.
  • Best practice is to provide a permanent copy of the footage to the requestor, although footage can be viewed at the relevant premises if the requestor is happy with this.
  • Transcripts of footage will generally not be sufficient to fulfil a subject access request.

New surveillance technologies

The most relevant new technologies identified by the ICO as likely to give rise to data protection issues are automatic number plate recognition (“ANPR”), body worn video cameras and unmanned aerial systems (or drones). Here are some pointers if your organisation is considering using these technologies:

  • ANPR systems should not retain unnecessary data, such as details of cars that have not exceeded parking limits.
  • Body worn video cameras should allow for visual and audio recording to be controlled independently of each other.
  • The ICO considers that audio recording is more privacy intrusive than purely visual recording, which means audio recording on body worn video cameras requires greater justification. The ICO suggests using audio-based alert systems (which will only start recording if triggered by, for example, sudden shouting) or two-way audio feeds (which allow individuals to activate audio recording only when necessary).
  • Systems should be designed to allow for footage to be obscured or edited in case it needs to be disclosed.
  • Use of drones for surveillance can only be DPA compliant where there is a strong justification and a robust PIA.  They should be able to easily switch on and off, to ensure that recording of data is appropriate and not excessive.
  • The ICO has provided some examples of how to inform individuals when their personal data may be collected using new surveillance systems, including:
    • large notices at car parks using ANPR;
    • notices on uniforms incorporating body worn video cameras; or
    • social media updates informing the public when and where drones are being used for surveillance (with links to more detailed privacy policies).

We will be discussing the new Code along with recent updates to the progress of the new EU data protection regulation at our upcoming Data Protection Seminar.  For more information, please click here.  

Joanne Snedden

Burness admin