Guidelines for Using CCTV
Many businesses and organisations, and even individuals use CCTV. One of the most common reasons for doing so is for security; for instance, businesses might monitor shoppers and passers-by for suspicious or criminal behaviour. The images that are recorded may be handed over for police investigations. No matter the reason for using CCTV, it will affect the privacy of anyone recorded. The Information Commissioner’s Office (ICO) has provided guidance for best practices when using CCTV, the major points of which are highlighted below.
The Data Protection Act
The basic legal requirement for using CCTV is to comply with the Data Protection Act (DPA). Most uses of CCTV are covered by the DPA; however, it does not apply to private use by individuals. The guidance provided by the ICO sets out recommendations for how to meet DPA requirements.
Best Practices for CCTV Use
Before implementing CCTV, or when deciding whether to continue using it, you should do a privacy impact assessment. This assessment will help you determine whether CCTV is justified in all circumstances and, if so, how it should be operated. Questions to consider as part of the assessment include the following:
- Who will have legal responsibility for operating the CCTV system?
- What is the purpose of using CCTV? What problems is it meant to address?
- What are the benefits of using CCTV?
- Is CCTV the best option to address the problems? Are less privacy-intrusive solutions possible?
- How can the intrusion of privacy be minimised?
After you have determined that CCTV is the best option, you must decide who will be responsible for controlling the images (the DPA defines this person or third party as the data controller). The data controller will decide what to record, how to use the images, and to whom the images may be disclosed. The ICO should be notified of who is the data controller, as well as the purposes for using images and any disclosures.
You must also establish clear procedures for using the CCTV system. Make sure your system operators understand the purpose for using images, and have a documented procedure for viewing, storing and disclosing images. You should also allocate responsibility to someone for regularly ensuring that procedures are being followed. The ICO recommends periodically reviewing whether your use of CCTV is still justified.
When you have selected a system to use and are setting it up, remember to site the cameras in places where they won’t be obscured by electrical wires, trees or other obstacles. This will help ensure good image quality. To reduce the intrusion of privacy, site your cameras so that viewing spaces that are irrelevant to your purpose are not in viewing range.
The ICO recommends performing regular maintenance on your CCTV system. As part of the maintenance process, check that the images are good quality, and verify that they are not corrupted as they are viewed or stored. Make sure the date and time stamps are accurate.
Storage, Retention, and Disclosure of Images
Above all when storing recorded images, you must maintain the integrity and quality of the images. This will ensure that the rights of people in the images are protected, and that the images can be used as evidence in court. Following are the ICO’s recommendations for image viewing, storage and retention.
- Live images should only be viewed by the system operator in a secure area. Exceptions may be made in certain cases.
- Keep images only for as long as you need them. Your disclosure policies will help you determine how long that should be.
- Delete images when you no longer have a reason to retain them.
- Establish a retention policy, and make sure your system operators understand it. Perform regular checks to ensure your operators are in compliance with the policy.
Disclosure of your images to third parties should be consistent with your purpose for recording images. Carefully approach all image requests—make sure that the people who handle such requests have clear guidance on appropriate circumstances in which they may disclose images. You should also keep track of when images are disclosed, and to whom. Bear in mind that once you disclose an image to a third party, that person or organisation becomes the data controller for that copy of the image, and must comply with the DPA.
There may be instances where people in the images want to view their images and will submit a subject access request. You must provide images within 40 working days of the request. You should have a clearly documented process for handling subject access requests; this process should include the following:
- What information the subject must give you so that you can identify him or her, and so you can find the image. Such information may include photos, a description of what he or she was wearing, and the date and time.
- What fee you will charge, and how it should be paid. The legal maximum you may charge is £10.
- How you will provide the images.
When providing images for subject access requests, make sure you are protecting the privacy of other people in the image. If it is a case where other people should not be identified, obscure them in the image.
If you are a public authority, you may receive requests under the Freedom of Information Act 2000 (FOIA) or the Freedom of Information (Scotland) Act 2002 (FOISA). You should have a staff member who is responsible for handling such requests. You have 20 working days to respond to FOIA and FOISA requests.
When you have a CCTV system in place, you must let people know that they are under CCTV surveillance. An easy way to do so is to post a sign in a prominent location. The sign should be visible and clearly readable. The sign should also include details of who is operating the camera and why it is being used, if those facts are not obvious.
Under the DPA, individuals have the right to request prevention of the following:
- Processing that is likely to cause them substantial or unwarranted damage or distress
- Automated decision-making in relation to the individual making the request
Though these requests are rare, there is still guidance for handling them on the ICO website at www.ico.gov.uk.
If your CCTV system covers a public space, such as a park, you may have to get a licence from the Security Industry Authority. For more information, visit www.the-sia.org.uk.
We are Johnston Park McAndrew –Your Advice Led Commercial Insurance Broker
Author: Heather Adams
Credits: "SME Business Guidance Series: Guidelines for Using CCTV" (Zywave, inc. 2017)
The content of this Risk Insights is of general interest and is not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly. © 2015 Zywave, Inc. All rights reserved.
The content of this guide is of general interest only and not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. It does not address all potential compliance issues with UK, EU or any other regulations. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. It should not be used, adopted or modified without competent legal advice or legal opinion. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly. Design © 2013 Zywave, Inc. All rights reserved.
Contains public sector information published by the ICO and licensed under the Open Government Licence v1.0. For more information on the DPA’s principles and guidance for CCTV use, please see www.ico.gov.uk.
Musculoskeletal disorders (MSDs) are one of the leading causes of injury in the health care field. These injuries occur in large part due to overexertion related to repeated manual patient handling activities, often involving heavy manual lifting associated with transferring and repositioning patients and working in awkward postures. Read More...
As an owner or manager, you have a clear obligation and responsibility to provide your employees with a safe working environment. If you fail to do so, it could result in a current or even former employee filing a claim against you. Read More...
Every year, the HSE releases updated workplace health and safety statistics, providing employers with the opportunity to see how their company ranks in terms of health and safety initiatives, as well as highlighting key areas for improvement. Read More...