Legal checklist: Guidelines for operating CCTV

08-Feb-2013 - Last updated on 08-Feb-2013 at 09:40 GMT

CCTV: Anyone that operates CCTV must adhere to the Data Protection Act

Increasingly, we are being called to give advice about the licensee’s responsibilities regarding CCTV. Police and other regulatory agencies will want to have conditions on your premises licence that require you:

1. To have CCTV operational during the time you are open

There may also be a raft of conditions that apply to the way in which the CCTV operates, and result from the initial requirement to have the system available in your premises.

2. To deal with requests from agencies (like the police) who may wish to have access to information that has been downloaded as a result of your CCTV system operating

“Immediate access”, “immediate download”, “available on request”, are some of the conditions that may be present on your premises licence, following the requirement to have CCTV operational. Ensuring you are compliant with your premises licence conditions is only half of your responsibility.

Any organisation that operates CCTV where data is captured about the movements or activities of the general public also has a duty to adhere to the Data Protection Act (DPA). The DPA is not restrictive in enabling data to be shared as long as the correct procedure is followed. The following checklist should assist:

Is the person or organisation responsible or identified as being in charge of the CCTV system registered as the data controller?
Notification is a statutory requirement and every organisation that processes personal information must notify the Information Commissioner’s Office (ICO), unless they are exempt. The ICO’s website will quickly identify the requirements of registration as a data controller.

Has the premises in which the CCTV operates identified that it is using CCTV?
There is a legal responsibility to advise every member of the public that CCTV is operating. This is most easily achieved by displaying notices

Are there clearly documented policies and procedures for how the images should be handled?
This should include a record of requests for CCTV and how the requests were handled. Even law enforcement agencies such as the police should not be provided with CCTV images that are not relevant to, for example, an incident of crime or disorder they are investigating. ‘Fishing exercises’ are not permitted, and requests for CCTV should include relevant times and views from specific cameras, if appropriate.
Are disclosure details logged, and has the person requesting the images been identified?
Where there is an overriding legal obligation to disclose CCTV (for example, to assist the police in detecting a crime) then obligations under the DPA are passed in respect of the data controller to the person who is receiving the copy CCTV, and they’ll be responsible for complying with the DPA.
If necessary, as part of the policy or procedure of your premises, when you hand over CCTV to a third party, it should be made clear that the responsibilities under the DPA for the information that’s being transferred will vest with the recipients of the information.
The overriding principle requires that the data controller be compliant with the requirements of the Act. Documentation regarding responsibility and training is very important and serves as a due diligence defence in any proposed prosecutions. Regular compliance audits should be undertaken, and remedial measures put into action to ensure you remain completely compliant with the DPA.

Collection of data through a CCTV system installed in your premises should not proceed without a data controller being identified to the ICO.