What are the considerations we need to take into account before operating CCTV surveillance at our university?
The Information Commissioner’s Office has recently issued a revised code of good practice aimed at helping closed-circuit television (CCTV) operators to strike that vital balance between the individual’s right to privacy and the public interest in security. It looks to be more concise and user-friendly than the original code issued in 2000.
Long-awaited updated guidance
The publication of the new code comes at a time when data protection issues are grabbing the headlines more than ever. CCTV technology has moved on considerably since 2000, and there has been a steady increase in high-profile coverage of a growing public and regulatory unease about a “surveillance society”.
There now seems to be far greater public awareness of CCTV and the rights conferred on individuals by the Data Protection Act 1998 (DPA), and therefore institutions can expect more queries from students and staff alike.
The DPA is likely to apply to CCTV if it is used to capture images of identifiable individuals or information relating to them (such as car registration details). Those images could constitute personal data, and as such the organisation that records and stores the CCTV images would be obliged to comply with the DPA in respect of access to the recorded images and how they are used.
Misuse of CCTV images by an institution or its staff could result in criminal penalties under the DPA and/or civil claims by affected individuals.
Following the guidance should help to ensure two key things:
• First, that CCTV images captured are usable.
CCTV footage can be valuable evidence in criminal or civil proceedings. For example, it is widely recognised as a cost-effective prevention measure in the fight against theft: “shrinkage” caused by retail crime significantly affects the profits of retail outlets and the costs of services offered by institutions such as libraries.
• Second, that institutions using CCTV on their premises comply with their obligations under the DPA and are not exposed to liability risks that could have been avoided.
Points for consideration
The following should be considered as a result of the issuing of the revised code:
• When did you last review your CCTV practices?
• Has your estate expanded or have you intensified your use of CCTV over the past few years?
• Would staff know how to handle a request for disclosure of CCTV footage or to whom in your institution they need to refer such a request? There are statutory time limits for dealing with these requests, and they must be processed in accordance with the DPA.
The publication of the new code presents an opportunity to check that your CCTV practices are in order and that you are compliant with the DPA.
However, do not assume that you need a complete overhaul of your current practices. There may be simple changes that you could make that would help bring you in line with the legal requirements.
Does the code apply to you?
According to the code, the starting point should be that the DPA applies to almost all CCTV systems because they usually record the activities of individuals.
Should CCTV be used/continue to be used?
The code recommends carrying out an “impact assessment” to provide a basis of justification for using CCTV.
How can CCTV be administrated effectively?
The code covers what should be recorded, how the images should be used and to whom they may be disclosed.
How should the cameras be selected/sited?
The CCTV images must be adequate and not excessive for the purpose(s) for which they are being recorded. For example:
• If one camera pointed at an entrance would suffice, it would be difficult to justify using more.
• If a problem usually occurs at a particular time of day, it might be difficult to justify recording CCTV images 24 hours a day.
How should the equipment be used?
Audio recording is justifiable only in extremely limited circumstances. The code makes it clear that CCTV must not be used to record conversations between members of the public.
How should the images be stored and used?
The code addresses the fundamental issues of storage, disclosure and retention of images in compliance with the DPA.
Institutions should not retain CCTV images for longer than is strictly necessary for the purpose(s) for which they are being recorded. The new code provides some limited examples of appropriate boundaries.
Responsibility to inform
CCTV operators must tell individuals that CCTV is in operation and for what purpose(s).
Considering alternatives to CCTV
When conducting an impact assessment, account should be taken of whether there are alternative solutions that are more appropriate. The code gives the example of recording CCTV images of car parks (eg improved lighting might be an effective and less intrusive way to reduce vehicle damage).
Monitoring staff
The code includes specific guidance for employers who use CCTV to monitor their staff. Installing CCTV to monitor staff (eg in a storeroom where theft is suspected) must be proportionate to the problem. Continuous monitoring of a worker is deemed to be intrusive and disproportionate except in very exceptional circumstances.
The code is intended only as guidance to good practice, and therefore compliance with the code does not necessarily mean that there would be no risk of liability under the DPA. Nevertheless, the new code is a welcome aid to organisations seeking to remain on the right side of the law in how they use CCTV.