Digital CCTV is fast becoming the norm in the security industry~ The use of CCTV is increasingly regulated by law because digital images are recognised as data and so fall under the Data Protection Act I998.

That much is clear. What is less certain is the precise impact this will have on CCTV users. Although we can be pretty sure of the broad content of the Act in relation to CCTV, recommendations in a Government Select Committee report give us some idea (see issue 10 of Security Matters). And the Data Protection Registrar’s Web site www.dataprotection.gov.uk examines many of the issues involved.

 What is data? -

A major point tackled by the Act is to define exactly what is meant by the terms ‘data’, ‘personal data’ and ‘processing’ (see panel).

You only have to think of members of the public in shopping centers, at football grounds or simply walking in the street to see that personal data can be obtained by CCTV. And that means people have certain rights — to protect them and to enable them to view data about them, should they wish.

Do your clients need to register?

As well as laying out the rules by which CCTV must operate,

the Act will also give details about who should register their use of CCTV with the Data Protection Registrar. When registering with the Data Protection Registrar a company only needs to register once, so if you have a chain of stores, it would usually be the head office that is registered. Each user/users should nominate a data controller/s. Installers need to think about how this affects their clients. Security departments are not necessarily going to be up to speed on the latest data protection legislation. That task is more usually the responsibility of a company’s IT department, where customer data is usually kept.
Definitions

Within the 1998 Data Protection Act there are several definitions of which a user of CCTV systems or similar surveillance equipment must consider in order to determine whether they need to comply with the requirements of the 1998 Act and to what extent the Act applies to them. (See panel)

Registration rules

The Data Protection Registrar suggests three criteria that determine whether a company should be registered. Firstly, does it use CCTV to collect data? Secondly, is this personal data? Thirdly, is the personal data automatically processed? The answer here is ‘yes’ if CCTV can be programmed to search for a specific time or frame reference at which it is known that personal data about a known individual is recorded. If this is how CCTV is used, then the operator should register (see panel). If equipment has been installed after 24 October 1998 then its use should be registered by 1st March 2000

The right balance

The 1998 Act seeks to protect the public and provide evidence that helps to convict the guilty. It’s not so much a question of the law becoming extra stringent but more a case of it keeping up with the times. In 1984, when the last Data Protection Act appeared, CCTV was far less widely used and digital images were not available. In the Intervening period, technology has advanced rapidly and at the same time the public have become more conscious of the presence of CCTV. People are aware of their rights in relation to being filmed without their permission. That’s why another requirement of the Act is for CCTV users to put up signs telling you when you are under surveillance (which is also a pretty good crime deterrent anyway). You should have signs placed in the proximity of the cameras so the public are aware they are entering an area which is covered by CCTV. The sign should be visible to the public, a minimum size of A3 and should list the person or organisation responsible for the scheme, the purpose/reason for the scheme and details of who to contact regarding the scheme.

Test case likely

One of the ways in which the limits of the law are defined is through test cases. Here, a court decides on how the law should be interpreted and a kind of ‘best practice’ is established based on precedent. The Select Committee and the DPR refer to court cases involving analogue CCTV. So far none have been resolved regarding digital evidence and so the ‘rules’ governing the use of digital CCTV have yet to be established by this route. However, industry experts think it likely that a digital CCTV test case will emerge sooner rather than later.
Know when to register

 Date system installed

Date you must notify the DPR

 After 24/10/98

1/3/2000
 Before 24/10/98

24/10/2001
   
Defining terms
Data
The data protection act 1998 defines data as "information which is being processed by equipment operating automatically in response to instructions; or is recorded with the intention that should it should be processed."
Data Controller
"A person who (either alone or jointly or in common with other persons) determines the purpose for which and the manner in which any personal data are, or are to be, processed."  For example, if the local authority and a group of local retailers decide to install CCTV in the area for detection of crime, to protect public safety, then both groups will be data controllers for the purpose of the scheme.
Personal Data
"Data which relates to a living individual who can be identified from;
    a) that data, or
    b) that data and other information which is in the possession of, or likely to come into the possession of the data controller."
Personal data means any information relating to an identifiable or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the persons physical, physiological, mental, cultural or social identity.
Getting registered
Installers don't need to be registered (unless they use CCTV themselves). it is the customers of installers who as CCTV users, probably need to register.

l Companies can register their use of CCTV with the     Office of the Data Protection Registrar (DPR) by phoning 01625 524740 0r on the web at www.dataprotection.gov.uk

l The purpose for using CCTV must be stated

l Failure to register is a criminal offence

l Once registered, a set of legally enforceable data protection principles apply

l These principles must be taken into account when a CCTV system is designed and be included in a code of practice governing its use

l The cost of registering is £35.00
Processing
The 1998 Act defines processing as "Obtaining, recording or holding data, carrying out any operation or set of operations on the data, organisation, adaptation or alterations, retrieval, consultation or use of the data, disclosure of the data by transmission, dissemination, or otherwise making available, alignment, combination, blocking, erasure or destruction."