On 20th May 2014, the Information Commissioner’s Office (ICO) launched a consultation on a revised Code of Practice on CCTV. The previous version was published in 2008. On 15th October the ICO published the 44 page code of practice on surveillance cameras and personal information. Jonathan Bamford, Head of Strategic Liason at the ICO, states in his blog post launching the code:
“Today’s updated CCTV code is one that is truly fit for the times that we live in. The days of CCTV being limited to a video camera on a pole are long gone. Our new code reflects the latest advances in surveillance technologies and their implementation, while explaining the key data protection issues that those operating the equipment need to understand.”
There are no major changes in the code when compared with the previous version. The ICO once again emphasises fundamental Data Protection Act (DPA) principles e.g. informing people about the information being collected about them, keeping data collected secure and having effective retention and disposal schedules.
The new and emerging technologies section of the code covers the key surveillance technologies that the ICO believes will become increasingly popular in the years ahead. Jonathan Bamford says:
“The days of CCTV being limited to a video camera on a pole are long gone. Our new code reflects the latest advances in surveillance technologies and their implementation, while explaining the key data protection issues that those operating the equipment need to understand.”[A1]
The code emphasises the importance of conducting a privacy impact assessment before undertaking surveillance using CCTV, especially when fitted to drones e.g. broadcasters seeking to gather footage for production purposes, police forces conducting surveillance on suspects, or construction companies monitoring job progress. Concerns have been expressed about the legal use of drones. The BBC reports, “Drones which could seriously injure or kill are being flown over cities and towns across England, despite laws designed to protect the public.” The code refers to drones as ‘unmanned aerial vehicle’ (UAV) and the overarching systems in which UAV’s are used as ‘unmanned aerial systems’ (UAS). Key points include:
· Organisations should ensure there is an on/off button for recording in UAS’ and have “strong justification” for continuously recording via the system.
· Continuous recording must be both “necessary and proportionate” for the purpose the business is pursuing.
· The Fair Processing Code under Principle 1 of the DPA must be complied with. Website notices, social media, highly visible clothing and signage telling the public about the use of drones for filming in the area can help to do this.
Many councils now use body worn cameras to, amongst other things, help deal with combating anti-social behaviour or to help gather evidence for parking enforcement. These small inconspicuous devices can record both sound and images. This can mean that they are capable of being much more intrusive than traditional town centre CCTV. The code states that the use of such cameras needs to be justified. Safeguards must be put in place to ensure they are only used when needed. Strong security is essential in case the devices fall into the wrong hands. The code identifies other practical steps to help users of these devices stay on the right side of the law.
The new ICO code is said to complement the Surveillance Camera Code (PoFA code) which came into force last year. Made pursuant to the Protection of Freedoms Act 2012 (PoFA) the latter governs the use of surveillance camera systems including CCTV and Automatic Number Plate Recognition (ANPR).
The ICO code applies to all data controllers (public and privacy sector) throughout the UK but the PoFA code currently only applies, in the main, to local authorities and policing authorities in England and Wales. The Scottish Government has produced its CCTV Strategy for Scotland. The strategy provides a common set of principles that operators of public space CCTV systems in Scotland must follow. The principles aim to ensure that these systems are operated fairly and lawfully and are using technologies compatible with the DPA.
As regards the legal effects of the PoFA Code:
“A failure on the part of any person to act in accordance with any provision of this code does not of itself make that person liable to criminal or civil proceedings. This code is, however, admissible in evidence in criminal or civil proceedings, and a court or tribunal may take into account a failure by a relevant authority to have regard to the code in determining a question in any such proceedings” (paragraph 1.16).
The Surveillance Camera Commissioner (SCC) has been appointed by the Home Secretary but has no enforcement or inspection powers unlike the ICO. He “should consider how best to ensure that relevant authorities are aware of their duty to have regard for the Code and how best to encourage its voluntary adoption by other operators of surveillance camera systems” (paragraph 5.3). The ICO says of its revised CCTV code:
“This code is consistent with the [Home Office] code and therefore following the guidance contained in this document will also help you comply with many of the principles in that code”.
It is essential that all CCTV operators, both in the public and private sector, read the new ICO code and revise their policies and procedures accordingly. Whilst the code is not legally binding, it will be taken into account by the Commissioner and the courts in deciding whether the DPA has been complied with.