"The unforeseen consequences of legislation far outweigh the foreseen"...

This old legal adage is particularly applicable to CCTV systems, as Brian Sims explains in the latest instalment of SMT's review of The Security Institute's Client Guide to CCTV system procurement and use. When your CCTV system captures an image you will be processing personal data and, as such, that data must be dealt with according to the terms of the Data Protection Act. The installation will only fall within the remit of Human Rights if it's a public authority, or it can be successfully argued that your CCTV solution is performing a public function.

If your Data Protection Act processes are correct, it's highly unlikely that you will infringe the Human Rights Act. In this series of articles, we have already discussed camera positioning and the quality of rendered images (among other topics). These matters are hugely important. If either is wrong, it is likely that your surveillance installation will have breached the Data Protection Act. Badly sited and/or focused cameras may not provide an acceptable image of a given individual and, as such, you would not be processing that individual's personal data (ie image) fairly. This could be construed as a breach of Principle 1 of the Act.

Wanting to procure and install a CCTV system doesn't mean to say that you can. It must be justified. In itself, this isn't going to be a major problem. The security manager can cite crime prevention and detection as a reason, and the fact that the company needs perimeter security, but you cannot capture people's images just because you want to.

Consider for a moment the CCTV camera and its sole purpose - to monitor the flow of human traffic in a particular area. You want to know when there is a sufficient volume of such traffic to justify opening up another means of access or exit. In this instance, there is no need for you to identify any individual. It is merely a headcount, or an assessment of volume. Therefore, the camera in question should be located in a position where it can perform that function without capturing any facial images.

You have to achieve a balance of respect for privacy with the security function for which you have installed the CCTV cameras. Therefore, an impact assessment needs to be conducted.

Subject access requests

The Data Protection Act provides individuals with the right to know what information is being processed that identifies them. The Data Subject is entitled to a copy of any of the images you hold that do so. Any images have to be provided within 40 days. There is an argument to say that if it would be a 'disproportionate effort' to provide those images, then you don't have to do so. Alas, the legislators and the Information Commissioner have not given a clear indication as to what that disproportionate effort might entail.

Any security manager will tell you that it could be an extremely expensive exercise for them to provide images, particularly in those instances where they have been targeted by a pressure group that may have spent the entire week walking around the perimeter fencing!

In terms of requests by law enforcement agencies, Section 29(3) of the Data Protection Act 1998 allows organisations to disclose information to law enforcement agencies for the purposes of the prevention and/or detection of crime, or the apprehension and prosecution of offenders. That information can be in the form of CCTV images. By applying the exemption, the organisation is not bound by any of the non-disclosure provisions of the Act. These are the first Data Protection Principle, the second, third and fourth Principles, Section 10, Section 14 and Section 29(1) (details on all of these Principles can be found on the web at www.informationcommissioner.gov.uk).

Always remember that Section 29(3) allows the Data Controller to provide necessary information to any law enforcement or other relevant organisation (including private investigators or companies' in-house investigation teams). It does not mean that they have to, though. The onus is on the Data Controller to make a judgement call as to whether or not providing information would prejudice the investigation.

It's perhaps worth noting that many organisations (including banks) do not divulge information to the police under a Section 29(3) request. Rather, they require the police to subpoena the records.

The dilemma facing the security manager is recognised. They want to maintain good relations with law enforcement agencies, but the non-disclosure of information where those agencies feel it is necessary could prejudice that situation. On the other hand, the security manager must recognise their own responsibilities (and the consequences should anything go wrong).

The pre-disclosure checklist

Before disclosing any information, the security manager must be sure that the purpose for doing so is indeed related to crime, and that to apply any part of the Act from which they are exempted would, in fact, prejudice the purposes of the disclosure (and be inconsistent with that disclosure).

The security manager is also expected to be certain there would be a substantial chance - rather than a mere risk - that, in a particular case, the purposes of the disclosure would be noticeably damaged. It is the security manager's responsibility to ensure that, if a Section 29(3) exemption is to be applied, they are applying that exemption properly. If the manager 'gets it wrong', it is the Data Controller and his or her organisation that must face the music.

If a security manager feels that too much information has been requested by the law enforcement agencies, he or she should then ask for the request to be narrowed. For example, if the desire is for copies of all CCTV images processed on 29 March for the perimeter fencing, it is suggested that this is too broad. A request for the images of, say, six youths wearing such and such and loitering around the southern side perimeter fencing between the hours of 6.00 pm and 8.00 pm on 29 March is probably more acceptable. This allows the security manager to make a better-informed decision as to whether they should release the personal data and avoid accusations of being obstructive.

If the police come back and want to extend the period for which they need the images, that would be far more acceptable than a blanket request for the whole day's images.

Refusal to disclose

Although it would probably go against the development of good relations between the in-house Security Department and the various local law enforcement agencies, the security manager should - if they feel applying the non-disclosure provisions would not affect an investigation - ignore the exemption and either refuse to disclose, or disclose only after gaining consent from the individual (which may begin to defeat the object of the exercise).

According to The Security Institute's Guide, "cautious co-operation" would appear to be the obvious line to follow.

It is sound advice that Security Departments responsible for CCTV monitoring should keep the ACPO Regulations to hand. Copies can be downloaded free of charge from: www.acpo.police.uk/asp/policies/data

Investigations can have a momentum all of their own. From time to time, for example, the police will require information in a hurry, and may not necessarily be in a position to go through the administrative process of a Section 29(3) request. They may even be ignorant of this procedure. Either way, this situation presents a dilemma for the security manager. He or she clearly needs to maintain good relations with the local police, and yet the legislation points out that there should be a Section 29(3) request. It's a difficult decision for the in-house manager to decline any request without the appropriate paperwork.

There is a belief among some senior police officers that if a CCTV information request is not made in accordance with Section 29(3), it may not be admissible in a Court of Law. There is some anecdotal evidence of Judges in the lower Courts excluding information not correctly requested under Section 29(3), but no legal precedent has yet been set.

It's also worth remembering that, should law enforcement agencies request any CCTV images for evidential purposes, they must do so under the Terms and Conditions of the Police and Criminal Evidence Act 1984. Images can then be handed over to the police. Nonetheless, a signature should still be requested and an entry made in the Log Book.

Before we leave the subject of Data Protection, it would be wise to mention the impact assessment. The Security Institute Guide states that, in practice, this is "really just a mindset". Whenever the time comes to process someone's personal data, the security manager must balance the intrusion into that person's privacy with what it is that they - as the incumbent security professional - are trying to achieve. The manager's efforts must be proportionate to the latter.

Note that you do not have to go through an impact assessment every time you or a member of the team processes an image. Rather, when you are introducing a new system, you should consider its likely impact upon an individual's privacy.

Retention of CCTV images

Several recommendations on image retention were made in the Code of Practice issued by the Information Commissioner back in 2000. In terms of Standards, images should not be retained for longer than is necessary (in accordance with the fifth Principle of the Data Protection Act). For example:

  • publicans may need to keep recorded images for no longer than seven days because they will soon be aware of any incidents (such as a fight occurring on their premises);
  • images recorded by equipment covering town centres and streets may not need to be retained for longer than 31 days unless they are required for evidential purposes in the proceedings;
  • images recorded from equipment protecting individuals' safety at ATMs may need to be retained for a period of three months in order to resolve customer disputes concerning cash withdrawals (that retention period being based on the intervals at which individuals normally receive their postal statements).

The Code of Practice then goes on to say that once the retention period has expired, the images must be removed or erased. It should be remembered that these are just standards suggested by the Information Commissioner.

If you are the Data Controller, you have determined the purpose for which you need the images. Therefore, it is solely down to you, the in-house security manager, to decide how long you want to keep them.

Don't be fooled into thinking that no-one can challenge your decision. They can.

Challenges against the operators

If you are processing an individual's image, they have the right to know how you are processing it, in what format and why. If you do not afford them sufficient time to exercise their rights, they could well make a challenge against you via the Information Commissioner.

Security professionals should constantly check the Information Commissioner's web site for the latest advice.