Legal Update: Data protection act

Where CCTV is concerned, facilities managers are deemed to be 'the data controllers' for buildings they manage. They're also liable for prosecution, writes Bernie Brooks.

20 September 2012

Businesses that use CCTV must comply with the Data Protection Act (DPA).

If you aren't compliant, you're breaking the law - it's that simple. Most companies are already aware of the requirements of the DPA, with respect to the collection and use of personal data (for example, staff and supplier databases). Yet every business should be fully aware of the relevant parts of the DPA regarding CCTV.

Strictly controlled
Using CCTV to capture images of visitors to your premises or to monitor tenants and employees is strictly controlled under the DPA.

Dependent on interpretation, the revised edition of the CCTV code of practice issued by the Information Commissioner's Office (ICO) contains some 70 legally enforceable standards that must be complied with.

For example, all data controllers should, prior to installing any CCTV system, conduct (or have conducted on their behalf) an impact assessment. This is to ascertain the proposed CCTV system's impact on people's privacy, and to determine whether it is justified, and if so, how the system should be operated.

If the CCTV system that you are responsible for has not had an impact assessment, and the findings documented in writing, you should get it done now.

Many facilities managers have a wide range of responsibilities and often claim they don't have time to get and stay compliant. Many believe that the CCTV installer 'must have made the system complaint'.

However, it is not up to the installer or your service company to make your system complaint. It is up to you, as the data controller, to ensure your system is managed and operated in full compliance and continues to be complaint on an ongoing basis.

If you are a data controller you have a number of options. One solution may appear to be to simply turn the system off. But the reality is you may have spent a long time as well as a lot of money configuring your system and are happy with the results, and can't see how you can do without it.

You could choose to tackle the compliance issues yourself: you will have to familiarise yourself with the act (and all its ramifications), as well as keeping abreast of further changes, such as technological developments.

If you ignore the act altogether, you are found contravening the Data Protection Act principles and don't comply, the penalties for operating a CCTV system outside of the law can be severe - even if the system does not record. A fine of up to £5,000 (for each offence) in a Magistrate's Court and a fine with no upper limit in a Crown Court.

Data Controllers found guilty of an offence under the act can be fined up to £500,000 or face conviction in a Crown Court. In August 2012 a business owner was prosecuted by the Information Commissioner's Office (ICO) for failing to register his premises' use of CCTV equipment.

Also, individuals who believe that they have suffered damage and distress as a consequence of a CCTV system can also seek unlimited compensation through the courts.

Criminals could walk free from court if an organisations fails to ensure that its CCTV system is not in compliance with the DPA, since the evidence gathered could be considered inadmissible in court.

Subject access request
All individuals whose images are captured on CCTV, classified under the act as 'personal data', have a legal right to request a copy of those images under what is termed 'a subject access request'.

Any such request must be responded to within 40 days, and any other individual captured on the footage requested must either give their permission for their images to be included, or must be pixilated out.

Insurance issues
Insurance companies who insist on a working CCTV system to be installed as part of their policy cover (details of which should be included in your premium), if made aware, may decide to look deeper into a claim if the only evidence is the data/images captured on CCTV that is then found to be non-compliant; this could have a serious bearing on the outcome of a claim.

It was commented on recently that the ICO is concerned that the CCTV and automatic numberplate recognition (ANPR) provisions in the Freedoms Bill are limited to police and local authorities, whereas the technology is widely used by others (in private car parks, for example), and in an potentially invasive way.

Many people make the same basic mistake when notifying and registering the purpose of use for their CCTV (including ANPR): invariably, this notification will not provide cover for all of the uses that the system will be used for, or may transpire in use.

Data processing
The first of the eight principles of the act requires that you process personal data fairly
and lawfully.

Data controllers must seek informed consent, normally done with signage in the correct location, size and, most importantly, wording, giving the correct details for which the data is to be processed, and how to contact the data controller or the representative of the data controller.

Simply putting up a sign that says 'CCTV in operation' in most cases is neither correct nor sufficient. Failure to comply with all of the requirements of the DPA can have serious consequences; aside from fines and the fact that the recorded data may not be admissible in a court of law.

Bernie Brooks is co-founder of security and intelligence firm, DatPro