Images of a living individual recorded by CCTV cameras are considered personal information about that individual. The processing of the images should be in compliance with the Data Protection Act 1998 which was extended from the Data Protection Act 1984 (which was repealed on 1st March 2000) to cover all types of records which contain information about individuals.

The Act consists of 8 principles of good information handling under Schedule 1 of the Data Protection Act 1998 which are as follows:

  1. Personal data shall be processed fairly and should not be unlawfully processed
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further
    processed in any way incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive.
  4. Personal data shall be exact and, where necessary, kept up to date.
  5. Personal data shall not be kept for longer than is necessary.
  6. Personal data shall be processed in accordance with the rights of the individual under this Act.
  7. Appropriate measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection.

There are also six conditions for fair processing and the obligation to register under Schedule 2 of the Act and at  least one of them must be met for personal information to be considered to have been fairly processed. They are as follows:

  1. The individual has given consent to the processing;
  2. The processing is necessary for the performance of a contract or for the taking of steps at the request of the data subject with a view to entering into a contract;
  3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract;
  4. The processing is necessary in order to protect the vital interests of the data subject;
  5. The processing is necessary for the administration of justice, for the exercise of any functions of either of the Houses of Parliament or the Crown, a Minister of the Crown or a government department or the exercise of any other functions of a public nature exercised in the public interest by any person;
  6. The processing is necessary to pursue the legitimate interests of the data controller or third parties unless it prejudices the interests of the individual.

The Data Protection Act 1998 requires every data controller who is processing personal information to register with the ICO, but the Act provides exemptions from notification for:

  1. Organisations that process personal data only for staff administration (including payroll), advertising, marketing and public relations (in connection with their own business activity) and accounts and records;
  2. Some not-for-profit organisations;
  3. Organisations that process personal data only for maintaining a public register;
  4. Organisations that do not process personal information on computer.
%d bloggers like this: