CCTV runs risk of data protection breach

Code of practice consultation sparks debate whether use of surveillance cameras could create breaches of privacy and data laws.

By Miya Knights

CameraWatch has warned UK businesses risk breaching Data Protection Act (DPA) regulations with increased reliance on CCTV technology.

The UK-wide group welcomed last week’s launch of the Information Commissioner’s Office (ICO) consultation on its redrafting of the CCTV code of practice.

Paul Mackie, CameraWatch’s CCTV compliance adviser and consultant for data protection specialist Datpro, told IT PRO that many businesses fail to realise the compliance requirements of installing CCTV systems.

“If you are captured by a CCTV camera, that is your personal information and subject to DPA regulation,” he said. But CameraWatch’s own research has found 90 per cent of CCTV installations are non-compliant.

“The main function of CCTV is often security, but many businesses are unaware of the compliance implications of using modern systems for things like footfall and staff monitoring,” added Mackie.

When CCTV imagery was incorporated into the Act in 2001, the introduction of the original ICO code of practice mandated each new installation be registered for its specific purpose.

But Mackie said often new digital surveillance technology, like systems that can mine data to find specific footage of suspect transactions for example, go beyond the use they were originally registered for.

He said companies risk having CCTV evidence deemed inadmissible under the law if the imagery used doesn’t comply with the use the system was originally registered for. “Many systems would be found in breach of the DPA for use to access excessive data,” said Mackie.

“A good example is signage,” he added. “Just as when you sign a form that says your data will be held securely and not transmitted to third parties under the DPA, signage essentially informs people of CCTV use. But many companies don’t have adequate signage, where staff and the public don’t know what the imagery is used for.”

In particular, he welcomed the ICO calls for greater powers and the introduction of impact assessments to evaluate the need for surveillance technology before budgets have been allocated on expensive new equipment.

“Often the legal team isn’t even involved,” he added, saying CameraWatch will be studying the draft Code in more detail, raising the issues with industry and users’ representative members of the CameraWatch Forum on 18 September in Edinburgh. “We will then respond to the ICO in full on the draft CCTV code of practice before the consultation period closes on 31 October 2007.”

CameraWatch, launched on 30 May, is an independent, not-for-profit, self-funding advisory body formed to increase awareness of CCTV and compliance data protection issues.