Home > Uncategorized > Data Protection Act and CCTV Regulation in the UK

Data Protection Act and CCTV Regulation in the UK

January 5th, 2006
Goto comments Leave a comment

A recent post over at Peter at Public Eye led me to the UK’s code of practices for CCTV. I spent a few minutes learning about this topic and figure I would share it for others, since there is nothing like this in the US.

The UK has a Data Protection Act to ensure information is handled properly. It contains a number of principles. (These principles are similar to the principles of fair information practices). Data must be:

  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate
  • not kept for longer than is necessary
  • processed in line with your rights
  • secure
  • not transferred to countries without adequate protection

To aid users with the regulation, the Information Commissioner has developed a Code of Practices for CCTV. There is a one page checklist that summarizes the requirements. Here are some of the requirements:

The controller is aware that notification to the Information Commissioner is necessary and must be renewed annually.

Cameras have been sited so that their images are clear enough to allow the police to use them to investigate a crime.

Cameras have been positioned to avoid capturing the images of persons not visiting the premises.

There are signs showing that a CCTV system is in operation visible to people visiting the premises and the controllers contact details are displayed on the sign where it is not obvious who is responsible for the system.

The recorded images from this CCTV system are securely stored, where only a limited number of authorised persons may have access to them.

The recorded images will only be retained long enough for any incident to come to light (e.g. for a theft to be noticed).

Recordings will only be made available to law enforcement agencies involved in the prevention and detection of crime, and no other third parties.

The operating equipment is regularly checked to ensure that it is working properly (e.g. the recording media used is of an appropriate standard and that features on the equipment such as the date and time stamp are correctly set).

The controller knows how to respond to requests from individuals for access to images relating to that individual. If unsure the controller knows to seek advice from the Information Commissioner as soon as such a request is made.

A quick read leads me to believe CCTV is seen as a tool for law enforcement. The regulation furthers this end, while protecting individuals from the arbitrary use of the surveillance footage. I am sure for American camera companies, the biggest issue is the restriction on third party usage. The requirement that the cameras only be used for law enforcement means that other uses of recordings, such as for marketing purposes, are forbidden. Otherwise, the limitations on camera usage seem reasonable to me. (But I am happy to be proven wrong).

FInally, we should remember that compliance is another issue. One small study over at Urban Eye by MacCahill and Norris found that only 23% of CCTV systems were in accordance with the Data Protection Act.

For more background on CCTV regulation see the articles by Taylor and Gras.

Uncategorized

  1. No comments yet.
  1. No trackbacks yet.
You must be logged in to post a comment.