The CCTV Code of Practice has been created by the Information Commissioner’s Office to advise data controllers on the use of CCTV in public areas. You should follow this code of practice in order to meet requirements under the Data Protection Act and to protect personal data of anyone captured on CCTV.
This code of practice should be used if:
If videoing is used for purely recreational purposes, for household protection or for news media, data stored will be exempt from this code of practice.
When using CCTV you should assess the impact of your scheme on public privacy. You need to consider who will be legally responsible for any data obtained and whether they have had proper training on processing of data. The ICO should be informed of who is responsible for data processing, and why data is processed. You should make sure that you can show the benefits of using CCTV and prove that you have considered whether there are any better solutions available.
The data processor needs to identify the reason for CCTV use in order to properly assess, how, when and where CCTV will be in use. CCTV use should always be proportionate to the problem it is aimed to tackle and should cause minimal intrusion to the privacy of any subjects. The use of CCTV should be regularly checked and audited in order to maintain a high level of data protection.
The viewing spaces caught by camera that are not of relevance should be minimal and cameras should only be active at the time and place necessary for data processing. If cameras are used for security purposes they should only be active at times of day and in areas where problems frequently arise. CCTV should be suitable for its purpose and images need to be of sufficient size and resolution, so as not to undermine the purpose of collecting data. The quality of image required will depend on the reason, i.e. monitoring, detecting, recognising, or identifying.
You should carry out regular checks on the date stamp, and any facial recognition technology used should have results of any matches checked by a person. A regular maintenance regime needs to be in place for maximum protection. If cameras have a sound recording facility this should be turned off or disabled.
Storing and processing images: Images recorded on CCTV should only be made visible to the operator and where appropriate, those who are being recorded. It should not be possible for a member of the public to view images of other data subjects.
Images should not be kept for longer than is necessary. You should decide on a retention policy as an organisation, and the nature for which data is processed will depend on how long it is necessary to store it. Generally only data that may be handed over to police should be stored for more than one month. At the end of the agreed retention period, you should permanently destroy this data.
Audio recording facilities: These are only allowed in certain circumstances set out below and only with relevant safeguards in place.
It must be made clear to individuals that audio recording is or may be carried out, and if audio is used to broadcast a message to those under surveillance, it must be restricted to the purpose for which the scheme is in place.
Notices: Wherever CCTV is in use, you should ensure that there are clear notices which are of the appropriate size for the context, ie if CCTV is in use on a road notices should be larger to accommodate drivers, whereas notices for pedestrians may be smaller to reflect the time allowed to read the notice. A notice should always inform the subject that CCTV is in use and should also include the contact details of the data controller where this may not be obvious. Where CCTV is used in a shop, it may be considered that the data controller is obviously the shop owner or contact details may be acquired from staff, in contrast to when CCTV is used in open spaces, where the controller may not be as obvious, and so should be listed.
An individual has a right to view any images you hold of them and to request a copy of that image. If you receive a ‘subject access request’, you must comply with the request within 40 days. The maximum fee you can charge for the release of data is £10. You should also provide subjects with a copy of the code of practice for use of CCTV and give them information about the complaints procedure you have in place for data processing. If you need more information on such requests, please refer to our quick guide on this topic.
Disclaimer: This note does not contain a full statement of the law and it does not constitute legal advice. Please contact us if you have any questions about the information set out above or require any assistance with drafting or reviewing a contract.
Copyright © 2013 - Oury Clark.