So while you are getting to grips with what constitutes “evidential quality” and “frontal identification”, here are some pointers to help you understand what you have to do when someone asks to view your CCTV.
- If you use CCTV at your premises, you must register with the Information Commissioner’s Office (ICO) as a ‘data controller’.
- A data controller has responsibilities to provide CCTV to the police and certain other people where there is an ongoing investigation in respect of crime and disorder. You may also have premises licence conditions setting out your duties to provide CCTV to the police. You should be aware that the Data Protection Act requires the police to be able to justify their requests for CCTV images to be disclosed to them and they should not be simply ‘fishing’ for information.
- Where an individual requests CCTV footage of images of themselves then this is deemed a ‘subject access request’. This may occur, for example, where a customer who has been in your premises requests the CCTV if they believe their property was stolen while they were there and they are making an insurance claim. We have also known of situations where an individual requests CCTV footage because they claim they have been assaulted on the premises. There are many reasons why an individual would want to view the CCTV and you may be required to comply with the request.
- The data controller is not obliged to supply any information to a third party unless they have received a request in writing.
- You can charge a fee for providing the footage. The current maximum is £10, although this is subject to change.
- The person making the request must provide you with enough information to establish their identity or locate the information. If you make a reasonable request for more information, you do not have to comply with the subject access request unless that information is required.
- CCTV should be disclosed where it is appropriate and available. However, there must be no risk to the confidentiality of any other person. If providing the information would involve an unfair intrusion into the privacy of a third party or cause them unwarranted harm or distress, then they should be obscured, for example, by blurring the faces of the other parties.
- You should respond to the request within 40 days.
- If you become aware that you have breached your obligations as a data controller, you must inform the ICO of this breach. The penalty for a breach of your obligations as a data controller can range from a ‘warning letter’ and advice from the ICO to a fine.
- The data controller must maintain a log which details requests for CCTV, and a signature should be obtained by those receiving the downloaded images to ensure that they are aware that they now become the data controller for the images provided.
Where you are unsure as to your obligations on disclosing CCTV footage, you should seek legal advice or contact the ICO for guidance.
The ICO provides helpful and detailed advice on its website.