Facilitate Magazine: Informing Workplace and Facilities Management Professionals

Legal Update: Data Protection Act

Open-access content Friday 14th September 2012 — updated 3.30pm, Tuesday 26th May 2020
Where CCTV is concerned, facilities managers are deemed to be 'the data controllers' for buildings they manage. They're also liable for prosecution, writes Bernie Brooks.


20 September 2012

Businesses that use CCTV must comply with the Data Protection Act (DPA).


If you aren't compliant, you're breaking the law - it's that simple. Most companies are already aware of the requirements of the DPA, with respect to the collection and use of personal data (for example, staff and supplier databases). Yet every business should be fully aware of the relevant parts of the DPA regarding CCTV.

Strictly controlled
Using CCTV to capture images of visitors to your premises or to monitor tenants and employees is strictly controlled under the DPA.

Depending on interpretation, the revised edition of the CCTV code of practice issued by the Information Commissioner's Office (ICO) contains some 70 legally enforceable standards that must be complied with.

For example, all data controllers should, prior to installing any CCTV system, conduct (or have conducted on their behalf) an impact assessment. This is to ascertain the proposed CCTV system's impact on people's privacy, and to determine whether it is justified, and if so, how the system should be operated.

If the CCTV system that you are responsible for has not had an impact assessment, and the findings documented in writing, you should get it done now.

Many facilities managers have a wide range of responsibilities and often claim they don't have time to get and stay compliant. Many believe that the CCTV installer 'must have made the system compliant'.

However, it is not up to the installer or your service company to make your system compliant. It is up to you, as the data controller, to ensure your system is managed and operated in full compliance and continues to be compliant on an ongoing basis.

If you are a data controller you have a number of options. One solution may appear to be to simply turn the system off. But the reality is you may have spent a long time as well as a lot of money configuring your system and are happy with the results, and can't see how you can do without it.

You could choose to tackle the compliance issues yourself: you will have to familiarise yourself with the act (and all its ramifications), as well as keeping abreast of further changes, such as technological developments.

If you ignore the act altogether and are found to be contravening the Data Protection Act principles, the penalties for operating a CCTV system outside of the law can be severe, even if the system does not record: a fine of up to £5,000 (for each offence) in a Magistrates' Court and a fine with no upper limit in a Crown Court.

Data Controllers found guilty of an offence under the act can be fined up to £500,000 or face conviction in a Crown Court. In August 2012 a business owner was prosecuted by the Information Commissioner's Office (ICO) for failing to register his premises' use of CCTV equipment.

Individuals who believe that they have suffered damage and distress as a consequence of a CCTV system can also seek unlimited compensation through the courts.

Criminals could walk free from court if an organisation fails to ensure that its CCTV system is in compliance with the DPA, since the evidence gathered could be considered inadmissible in court.

Subject access request
All individuals whose images are captured on CCTV, classified under the act as 'personal data', have a legal right to request a copy of those images under what is termed 'a subject access request'.

Any such request must be responded to within 40 days, and any other individual captured on the footage requested must either give their permission for their images to be included, or be pixelated out.

Insurance issues
Insurance companies that insist on a working CCTV system being installed as part of their policy cover (details of which should be included in your premium) may, if made aware, decide to look deeper into a claim if the only evidence is the data/images captured on a CCTV system that is then found to be non-compliant; this could have a serious bearing on the outcome of a claim.

It was commented on recently that the ICO is concerned that the CCTV and automatic numberplate recognition (ANPR) provisions in the Freedoms Bill are limited to police and local authorities, whereas the technology is widely used by others (in private car parks, for example), and in a potentially invasive way.

Many people make the same basic mistake when notifying and registering the purpose of use for their CCTV (including ANPR): invariably, this notification will not cover all of the uses to which the system will be put, or which may transpire in use.

Data processing
The first of the eight principles of the act requires that you process personal data fairly and lawfully.

Data controllers must seek informed consent, normally done with signage in the correct location, size and, most importantly, wording, giving the correct details for which the data is to be processed, and how to contact the data controller or the representative of the data controller.

Simply putting up a sign that says 'CCTV in operation' in most cases is neither correct nor sufficient. Failure to comply with all of the requirements of the DPA can have serious consequences, aside from fines and the fact that the recorded data may not be admissible in a court of law.

Bernie Brooks is co-founder of security and intelligence firm, DatPro
© 2022 • www.facilitatemagazine.com and Facilitate Magazine are published by Redactive Media Group. All rights reserved. Reproduction of any part is not allowed without written permission.