CCTV and The Data Protection Act 1998

Are you committing a criminal offence?

The Data Protection Act 1998 (which formally implements the EU Data Protection Directive (95/46/EC) and which also replaces the Data Protection Act 1984) finally came into force on 1st March 2000. As readers will be aware, since the passing of the Act there has been much speculation as to whether the Act applies to CCTV systems; particularly those which are now commonly to be found in shopping centres, leisure complexes and many individual shop premises.

The reason for such speculation lies in the fact that CCTV camera footage is not specifically referred to in the Act. However, the Act defines data as "information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose" and since the Act does not distinguish between types of equipment, it has been argued that the definition of data must include images recorded by CCTV cameras.

Any residual doubt as to the application of the Act to CCTV systems should finally have been laid to rest by the recent issue of a draft code of practice "for users of CCTV and similar surveillance equipment monitoring spaces to which the public have access" (footnote 1)by the Data Protection Commissioner, under section 51(3)(b) of the Act. There is no obligation to comply with the code under the Act, but the code is intended to provide guidance which, if followed, should help to ensure that users of CCTV systems do not breach the provisions of the Act.

Section 4(4) of the Act requires all "data controllers" to comply with the "data protection principles" (set out in schedule 1 to the Act) in relation to all personal data which they control. These lay down standards of fairness and lawfulness with regard to the processing, storage and accessing of the data. If a data controller is found to be in contravention of any of the data protection principles the Commissioner can serve an enforcement notice under s.40. Failure to comply with any such notice renders the data controller guilty of a criminal offence.

The most important requirement for all CCTV operators is that of notification under section 18 of the Act, as it is a criminal offence for any person to start collecting, holding or processing personal data of any kind, unless the "registerable particulars" set out in section 16 (broadly, the name and address of the controller, the purposes for which the data is to be obtained and to whom it may be disclosed) and a general description of the security measures to be adopted, have been notified to the Commissioner and entered on the register to be maintained under section 19 of the Act.

Further, once notification has taken place, the controller is under a continuing duty to notify the Commissioner's office of any change of the registrable particulars. Failure to comply with this duty is also an offence, unless the data controller can show that "all due diligence" has been exercised in attempting to comply.

The most important issue with regard to compliance is, therefore, to identify the person who will be the data controller. The Act defines the "Data Controller" as the "person who (either alone or jointly in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed".

In most cases landlords or their managing agents will be the data controller in respect of CCTV systems installed in common areas. Tenants of individual shop premises will usually be the data controllers for their own CCTV systems and the Act also allows for the possibility of there being more than one data controller where, for example, a police force, local authority and local retailers install a CCTV system in a town centre to help in preventing and detecting crime and to protect public safety.

It is recognised that a data controller can devolve the day-to-day recording/processing etc of the data to an employee as manager of that data, but the manager must act strictly within the instructions of the data controller. If the manager acts outside such instructions, a criminal offence may be committed under section 55 of the Act.

Where a third party (not being an employee) is brought in to "process" any information on behalf of the data controller (which includes obtaining and recording data) they will be a "data processor" for the purposes of the Act. Where a data processor is employed, the data controller must ensure that the data processor is able to guarantee the provision of proper security measures and that the processing is governed by a written contract under which the data processor is to act only on instructions from the data controller. The data controller is also required to take "reasonable steps" to ensure that the data processor complies with the security measures provided for in the contract.

The draft code also provides useful guidance with regard to the siting of cameras (which must not overlook any private property outside the scheme to which the public do not have general access); the provision of clearly visible signs advising the public that they are entering a zone which is covered by surveillance equipment (to ensure compliance with the first data protection principle which requires personal data to be processed fairly and lawfully); the processing of images (as to which the Commissioner recommends that images should not be retained for longer than 28 days unless they are required for evidence in legal proceedings); security issues (there should be a secure control room with entry restricted to trained operators) and procedures for dealing with rights of access to images by both third parties and data subjects.

For further information on this topic, please contact Mark Heighton at [email protected] or Clive Newnham at [email protected] or on +44 (0)20 7367 3000.

Footnote 1
The draft code can be obtained through the government's website at www.dataprotection.gov.uk/cctvcop.htm