Data Protection and CCTV
Images of a living individual recorded by CCTV cameras are considered personal information about that individual. The processing of the images should be in compliance with the Data Protection Act 1998 which was extended from the Data Protection Act 1984 (which was repealed on 1st March 2000) to cover all types of records which contain information about individuals.
The Act consists of 8 principles of good information handling under Schedule 1 of the Data Protection Act 1998 which are as follows:
- Personal data shall be processed fairly and should not be unlawfully processed
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further
processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data shall not be kept for longer than is necessary.
- Personal data shall be processed in accordance with individual rights under this Act.
- Appropriate measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection.
There are also six conditions for fair processing and the obligation to register under Schedule 2 of the Act and at least one of them must be met for personal information to be considered to have been fairly processed. They are as follows:
- The individual has given consent to the processing;
- The processing is necessary for the performance of a contract or for the taking of steps at the request of the data subject with a view to entering into a contract;
- The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract;
- The processing is necessary in order to protect the vital interests of the data subject;
- The processing is necessary for the administration of justice, for the exercise of any functions of either of the Houses of Parliament or the Crown, a Minister of the Crown or a government department or the exercise of any other functions of a public nature exercised in the public interest by any person;
- The processing is necessary to pursue the legitimate interests of the data controller or third parties unless it prejudices the interests of the individual.
INFORMATION COMMISSIONERS OFFICE
When we acquired the freehold I contacted the Information Commissioners Office (ICO) on behalf of the company Directors to establish exactly they were required to do under Data Protection legislation. They provided the following advice:
It is essential that there is a clear basis for the handling of any personal information and the handling of images relating to individuals is no different. It is important to show who has responsibility for the control of the images, i.e. what is to be recorded, how the images should be used and to whom they may be disclosed.
It is the Data Controller which is the organisation responsible for a) making decisions about the processing of the images and b) ensuring compliance with DPA legislation. So it is the RMC Company Directors in their capacity as Data Controllers who will allow other organisations, such as the company installing the CCTV or the managing agent, to process the images on their behalf. They would then be under contract as data processors. In this the freehold RMC Directors would remain data controllers and be responsible under the DPA for any processing of the images.
The Data Protection Act 1998 requires every data controller who is processing personal information to register with the ICO, but the Act provides exemptions from notification for:
- Organisations that process personal data only for staff administration (including payroll), advertising, marketing and public relations (in connection with their own business activity) and accounts and records;
- Some not-for-profit organisations;
- Organisations that process personal data only for maintaining a public register;
- Organisations that do not process personal information on computer.
Awareness of CCTV Surveillance
They also advised particular attention be paid to the fact that people must be aware that they are in area where CCTV surveillance is being carried out. The most effective way of doing this is by using prominently placed signs at the entrance to the CCTV zone and reinforcing this with further signs inside the area. Such signage is particularly important where the cameras themselves are very discreet, or in locations where people might not expect to be under surveillance. In the exceptional circumstance that audio recording is being used, this should be stated explicitly and prominently.
- Be clearly visible and readable;
- Contain details of the organisation operating the system;
- The purpose for using CCTV;
- Who to contact about the scheme (where these things are not obvious to those being monitored, i.e. the name and contact details of the organisation responsible); and
- Be an appropriate size depending on context, for example, whether they are viewed by pedestrians or car drivers.