|
A feature by Chris Brogan regarding the Data Protection act 1998 and how it effects user's of CCTV equipment.
Chris Brogan has been a student of Data Protection since 1986 and has lectured on the subject all over the world. He has appeared on the same platform as officials from the Home Office and the Information Commissioner's office. In 2002 he was on the same platform as the then Information Commissioner, Elizabeth France, at the CCTV Users? Group Annual General Meeting.
I am often told (and indeed read it in numerous publications) that if security is for domestic purposes then the Data Protection Act does not apply. Can I dismiss that myth immediately. The Data Protection Act most certainly applies to any processing of personal data, which would include CCTV images and details of persons accessing premises.
However, the Act does afford certain exemptions with some of the processing of personal data that takes place. Section 36 of the Data Protection Act states that:-Personal data processed by an individual only for the purposes of that individual's personal, family or household affairs (including recreational purposes) are exempt from the Data Protection Principles and the provision of Parts 2 and 3 of the Data Protection Act 1998.
However (there is always an "however"), consider the following.
Mr. Smith at 11 Acacia Avenue has a CCTV system installed which monitors persons accessing his premises. It picks up any visitor as soon as they enter the gate and only captures their images whilst they are on his property.
(a) Mr. Smith is entitled to do this.
(b) He does not need to provide a notice saying that the person is entering a CCTV controlled area.
(c) He is not required to provide a copy of the footage he has captured to the Data Subject if they make a request. However, if that CCTV camera picks up images outside Mr. Smith's premises, such as the entrance to his neighbour's premises or persons walking down Acacia Avenue, then he has to consider the implications of the Data Protection Act.
He must consider what justification he has in capturing the images of visitors to his neighbours, or those persons on Acacia Avenue. Note, I am not saying that he can't, only that he has to justify it. Schedule 2 of the Data Protection Act lists six conditions that can justify processing of personal data. Mr. Smith would have to satisfy just one of them in order to capture those images. Personally, I feel he would be hard put to find one of the conditions that would meet this requirement. Even if he proved me wrong, he would have to put up a notice to notify the persons walking into his neighbor's garden or walking along Acacia Avenue that they were being caught by CCTV camera, the purposes of those images being caught, and who was responsible for the processing. He would also have to provide a copy of the images if the Data Subjects made an access request.
Clearly the solution to this is to ensure that the CCTV camera does not pick up any images that are not within Mr. Smith's premises.
Now you might think that this is a non-issue. There are numerous Councils faced with this problem where complaints are being made by residents that their activities are being monitored by the neighbor's CCTV system. There is a reported case where an individual's car was being vandalized whilst it was parked outside his home. He suspected that it was the youths from the local youth club and as the police could not help him he set up a camera to monitor his vehicle. His vehicle was parked in the road and he picked up all persons passing by. He eventually picked up some youths vandalizing his vehicle who had come from the youth centre. The police decided not to prosecute because they were concerned that the CCTV footage would not be admissible in a court of law because the system had not been notified to the Information Commissioner and there were no signs showing that the area was being monitored. If there are no signs, then that would be covert videoing and in order to covertly video someone you need their permission (which is not as stupid as it may initially sound), or comply with the Regulation of Investigatory Powers Act, which subject is best left for another article. Recent case law would indicate that they may be wrong in that assessment, but the point is that this is the current thinking that the police generally have.
Before we leave this domestic exemption, consider the following.
The owners of corner shops often live above the premises. They normally install CCTV cameras to protect their premises. Normally they would not even have considered the implications of Data Protection, but, from one or two that I have found who have, they are relying on the domestic exemption referred to above. This I feel is fraught with danger. The CCTV camera is in fact monitoring a business premises, i.e. the shop. It is there to help the shopkeeper safeguard his premises from shoplifters. This is a perfectly justifiable reason, and you can do this under Section 29 of the Data Protection Act, Crime Prevention and Detection. However, it does mean that the owner of the shop has to put up a sign notifying persons that they are about to enter a CCTV controlled area. It also means that that shopkeeper has to notify the Information Commissioner that he is processing personal data. Failure to notify the Information Commissioner that you are processing personal data when required to do so is a criminal offence (strict liability). The current ACPO (Association of Chief Police Officers) policy on Data Protection says that where an investigating officer finds that a breach of the Data Protection Act has taken place, they must report that to the Force Data Protection Officer, who in turn should notify the Information Commissioner. Consider the following scenario.
A mugging takes place outside the corner shop. The police are immediately on the scene and arrest a suspect. The vigilant officer notices a CCTV camera in the shop and suspects that it may well have caught the incident. He goes into the shop and asks the proprietor if he can have a copy of the tape. (Let's assume that this request is made in accordance with the Data Protection Act ? the subject of another article perhaps.) The shopkeeper, an upstanding citizen, is only too willing to help the police and gives them the tape. The police officer is then required to ask whether this CCTV system has been notified to the Information Commissioner. The shopkeeper has no idea who the Information Commissioner is, and knows even less about the Data Protection Act. The police officer then has to warn him that this criminal offence will be reported to the Force Data Protection Officer, who will inform the Information Commissioner. Don't you think that is scary? How long before word of this incident gets round the parade of shops? How long before the proprietors of those shops then refuse any assistance to the police?
This is a serious dilemma for the police and they have decided to address it in the following manner. They will remove this paragraph from the ACPO Data Protection policy. They will send a letter of guidance to the shopkeeper pointing out that his system should be notified to the Information Commissioner and they will use their discretion as to whether they notify the Information Commissioner.
How does this affect you as the installer? I can hear you asking.
The shopkeeper or Mr. Smith at 11 Acacia Avenue has asked you to install one camera and that is what you have done. You have, however, entered into a contract with him. The equipment you have supplied should be fit for the purpose for which it is supplied. Could you be held liable if the CCTV camera that you installed breaches the Data Protection Act? Wouldn't you be considered the professional in that contractual agreement? Don't you have a duty of care to your customer? Isn't that a legal duty of care? Did you advise him about compliance with the Data Protection Act and the other privacy laws? Just a thought.
One assumes that you keep a list of your clients, especially if you have on-going service agreements with them. One assumes that because your client has used you for installing CCTV, or an alarm system, or other security device, that they are security conscious. Whilst conducting your survey you note that the back gate is insecure and you have a colleague who would be interested in providing them with a more secure gate, and you pass the details on to your colleague without the customer's permission. You could well have breached the Data Protection Act on that, even though you had the best of intentions (I am assuming that you were not getting commission on the recommendation). You can't just pass on other people's personal details, without their permission or complying with one of the conditions in Schedule 2 that I referred to earlier.
Mr. Smith at 11 Acacia Avenue, one of your clients, is one of the more troublesome ones, and is constantly calling you back or complaining. You make various comments about Mr. Smith on your client file. Do realize that Mr. Smith would be entitled to see those comments. All he has to do is pay you Ten Pounds, make a request in writing, and you would have to provide him with everything that you hold on him. May I suggest that you only make comments on your client file that you can prove and that have relevance to your business relationship.
The Data Protection Act is the most complex piece of legislation we have ever been faced with. You ignore it at your peril. The above is just a brief insight into some of the pitfalls. If you would like to take it further, can I advise that you visit the following websites:-
|
