Cam-tech Security Systems Limited

The 1984 Data Protection Act (DPA 84) states that to be liable for registration under the DPA, you must be ‘capturing personal data that is processed automatically by reference to the data subject’.
All CCTV systems that record images are classed as recording personal data. 

 All CCTV systems that process data must be notified to the Information Commissioner (formerly the Data Protection Commissioner). This is the same as registering computer systems under the DPA 84 for being able to ‘automatically process’ data.

Failing to register may lead to fines. A system is deemed as ‘automatically processing’ data, when that data can be retrieved automatically, by a method of sequences. So if a digital recorder can use technology which enables it to search automatically for a known incident, then it falls within the Act.

EC Directive - 1st March 2000

1. This Directive first came out on 24th October 1998, but was implemented on 1st March 2000.
2. All new CCTV systems installed from 1st March 2000 are now required to be registered under the DPA. The issue of ‘automatic processing’ has now become redundant for new systems.

CCTV - Registration/Notification

1. When registering a system it must be stated what ‘the purpose of the system’ is. This ‘purpose’ can cover several sites. It costs £ 35 to register and registration lasts for 1 year (Cam-tech can assist you in writing this purpose document and take the hassle away from you).
2. Check whether the company/organisation is already registered for DPA, because if it is, they can simply extend their entry to include CCTV as well. You will however still need a purpose document.
3. Once registered/notified, compliance with a number of legally enforceable Principles is required.
4. All organisations, whether registered or not are expected to adopt these Principles. If a complaint is made against any system, the first area Data Protection will investigate is adherence to these Principles.

CCTV Signs

The DPA requires information to be obtained fairly and lawfully. For CCTV, this means that appropriately sized and placed signs are positioned in and around the area under surveillance; these should be A4 and A3 depending on application. They should contain a simple ‘purpose for the system message’ e.g. to prevent and detect crime, and who owns the system with a contact telephone number.

CCTV-Original purpose 

Obtaining information fairly means that the images/data captured by the system must be used for the original purpose intended for the scheme. Therefore it would be misuse if CCTV footage were sold to a commercial company or TV.

CCTV - privicy

The DPA requires careful consideration to the siting and direction of CCTV cameras to ensure that they avoid capturing data/images that are irrelevant or intrusive - a good example would be minimising the possibility of cameras over looking private property. This can also be achieved by fitting blockers or having privacy zones. Speak to Cam-tech for further information relating to privacy zones.

Recorded CCTV storage

All recorded data/images need to be accurate. This is particularly true if they are used as evidence or in a disciplinary dispute with employees. The Information Commissioner recommends that every effort be made to ensure clarity of image (recognition – 50% or identification standard 110 %.) A significant factor in avoiding image degradation is proper tape or disk management: use a 31-day cycle and record all uses in a management log book. If using tape use good quality SVHS tapes and store them correctly in a data cabinet (BS 7799). Use them no more than 12 times and then electronically wipe the tape using a degausser or by destroying the tapes using another method. If using a DVR check the system on a regular basis to ensue the recordings are of the same quality as when the system was installed.

Unauthorised processing 

Users of CCTV systems must prevent unauthorised access to CCTV control rooms/areas; all visitors must be authorised and recorded in the visitors log and have signed the confidentiality proforma. Operators/staff must be trained in equipment use and tape management. They should also be fully aware of the Codes of Practice and Procedures for the system. The observation of the data by a third party is to be prevented e.g. no unauthorised staff must see the CCTV monitors.

Data subject rights 

The DPA supports the right of the individual to a copy of any personal data held about them. Therefore data controllers are obliged to provide a copy of the tape if the individual can prove that they are identifiable on the tape, and they provide enough detail to locate the image (e.g. 1 hour before/after the time they believe they were captured by CCTV, their location and what identifiable features to look for).

They must submit an appropriate application to the Data Controller of the system and pay a £10 fee. However, the request can be refused if there are additional data/images on the tape relating to a third party. These additional images must be blurred or pixelated out, if shown to a third party. A good example would be a car accident where one party is attempting to claim against another. The data controller is obliged to say no to a civil request to view the tape, as consideration must be given to the other party. A request by the police is a different matter though. Remember, only the DP Registrar can withhold tapes to protect third parties; it is generally considered they can arbitrate in these sorts of matters. Also, if any individual suffers damage or distress because of any contravention of any of the requirements of the DPA, they are entitled to compensation.

Summary

1. Automatic processing means automatic registration.
2. New systems from 1st March 2000, means automatic registration.
3. All systems installed after 24th October 1998 had until October 2001 to register.
4. Systems installed before 24th October 1998 had to be registered by 2001.
5. All CCTV users now have to comply to the DPA Principles, whether registered or not.
6. The purpose of the system must be registered and can cover several sites.
7. Whoever sets the ‘purpose of the system’ is responsible for the Data Protection of that scheme.

More information can be found at the Information Commissionaire's Office (see the link on the left hand side of the page)