Licensed to spy – CCTV and the law

The British are said to be the most watched people in the world.  CCTV is seemingly everywhere these days and its use by private organisations is not only spreading but aggressively pushed by the police and other authorities.  The theory is that if potential offenders know that they are “on candid camera” they are less likely to break the law, and if there is an incident law enforcement is made far easier with a recording and, hopefully, a relatively clear mugshot.

Many businesses, of course, have CCTV as part of their security systems.  Pubs, clubs, off-licences and hotels are often forced down that route as the police will automatically try to insert a condition requiring that there be a working CCTV system (“to the approval of the Police”) as part of any licence issued under the Licensing Act 2003, pretty much regardless of the history of trouble (or the absence of it) in the premises.

Unfortunately, when requiring/requesting that businesses install CCTV, the corresponding requirements under the Data Protection Act 1988 are often overlooked.  Hopefully, any supplier of CCTV will assist with guidance on how the content of those recordings must be handled and when it can be released and provide details of how to register with the Information Commissioner’s Office (ICO) as a “data controller”.

Sadly, the standard approach by the police or other authorities is to insist that recordings should be handed over to them “immediately upon request”. The Data Protection Act, however, requires only that recordings should be handed over in the context of a criminal investigation or prosecution.  It would be wrong, for example, for the police or local authority to insist upon production of recordings to assess footfall, or in connection with a Review of a Premises Licence (which is not a criminal matter).  Failure to handle the data properly can also end up in prosecution, which would be ironic if it were as a result of a police request.  The fines can run into thousands of pounds in appropriate cases (Scottish Borders Council was penalised £250,000 last month when their employees’ pension records were found in an overflowing paper recycling bank!) so the systems involved must be professional, reliable and secure.

Businesses using CCTV must ensure that signs are displayed notifying the public of the presence of the cameras. That said, we see so many of these signs these days, that there is a concern that we no longer really pay them any attention!

The owner of a business using CCTV also needs to be registered with the ICO in relation to their CCTV.  Registration is a relatively simple process of notification and payment of an annual fee (currently £35).  Failure to register can also result in prosecution, a criminal record and a hefty fine.

Finally, a business will need to have a data protection policy in place, covering the use, storage and release of all the personal data it collects about individuals.  That policy (as well as being a good basis for training staff involved, and assuming it is followed!) will be very helpful in persuading the ICO not to take action against a business in the event of a complaint that it may not be taking its data protection responsibilities sufficiently seriously.

CCTV can undoubtedly be an asset to the security of almost any business, but the Data Protection Act does impose corresponding responsibilities on the operator.  If you have concerns about compliance with rules relating to CCTV or any other regulations affecting your business, please contact Mark Banham: [email protected].