The use of CCTV and other surveillance methods has reached unprecedented levels in the UK, and many people are naturally worried that their every move is being monitored.
In August of last year a new Surveillance Camera Code of Practice 2013 was brought into force under the Protection of Freedoms Act 2012 — its aim to ensure that CCTV use is “open and proportionate”. The 2013 code is intended to reassure people that the use of CCTV is being strictly monitored to prevent misuse or abuse. It seeks to strike a balance between the need to use CCTV to protect the public and respecting the rights of individuals and their privacy.
All organisations must comply with the Data Protection Act 1998 (the DPA) and the existing 2008 CCTV Code of Practice when operating CCTV and similar devices. The 2008 code applies to all organisations (subject to some very limited exemptions) while the 2013 code just applies to “relevant authorities” — primarily local authorities and the police.
The 2013 code does not replace the 2008 code and organisations that are subject to the 2013 code are expected to comply with both — but there are a number of reasons why private organisations may want to adopt the 2013 code. In particular, all organisations that use surveillance technology (including those that are private) are encouraged to adopt the principles laid out in the 2013 code (even where compliance is not a strict legal requirement) on the basis that it is considered to be best practice. Also, compliance may help organisations to discharge their other legal obligations (for example, compliance with the 2013 code might help an organisation comply with its DPA obligations).
We use the term “CCTV” here, but both codes apply to other devices that view or record images. We should also add that the codes are focused on “overt” surveillance — there are additional obligations when organisations carry out hidden or covert surveillance (but consideration of these points is another matter entirely).
Legal use of CCTV
The 2008 code does not restrict what CCTV may be used for as long as its use complies with the DPA and other legislation. This means balancing the need for CCTV against its impact on people’s privacy.
The 2013 code suggests what is arguably a more cautious approach. For example, it requires that CCTV must meet a “pressing need”. To illustrate this, the code states that “it is unlikely that a trouble-free community pub would present a pressing need”.
Audio recordings
Both codes of practice urge caution where audio recordings are being considered.
The 2008 code says audio recordings can be used only in very limited circumstances, such as recording conversations between police and individuals in a custody suite so that a reliable record of what was said is obtained.
Arguably, the 2013 code is more restrictive. It states that there is a “strong presumption that a surveillance camera system must not be used to record conversations”.
Even under the 2008 code, audio recordings may only be justified in very limited circumstances. For example, Southampton City Council’s policy requiring all taxis and private hire vehicles to install CCTV equipment to constantly record images and the conversations of both drivers and passengers (in a bid to protect vulnerable taxi passengers following reports of several serious violent and sexual offences) was found to be in breach of the DPA on appeal last February.
The 2013 code arguably makes it even more difficult to justify audio recordings.
What procedures should be in place
Both codes are very prescriptive on what procedures should be in place when using CCTV. The 2008 code provides that:
- Impact assessments should be used to decide if CCTV should be introduced;
- Training should be provided for staff on how to use CCTV systems;
- Retention periods should be established and documented; and
- The effectiveness of the CCTV system in place should be reviewed each year.
The 2013 code goes further on several issues by stating that:
- Systems of consultation with the public should be established to assist with reviewing existing CCTV systems and when establishing new ones;
- The objectives of using CCTV should be clearly defined to show they are in pursuit of a legitimate aim and necessary to address a pressing need;
- A consultation process should be in place to deal with situations where there is a proposed extension to the use of CCTV;
- Retention periods should be detailed and reviewed by the system operator; and
- Guidelines should be in place to deal with requests for information.
So it seems likely that compliance with the 2013 code will be more onerous, particularly in relation to the duty to consult with the public and duties concerning the carrying out of reviews.
Smile, you’re on CCTV
The 2008 code, reflecting DPA principles, requires operators to inform the public where CCTV is used. The code says signs are usually the most appropriate way to achieve this, however, it can also be expressed through audio messaging — as in stations and airports. The sign or message should say who operates the CCTV, for what purposes information is collected and where to find more information. For example, “CCTV images are recorded by […] between the hours of 5.30pm and 9am for the purposes of crime prevention and detection. For more information please call […].”
The 2008 code also states that in an area where it would be unexpected to have CCTV in operation (e.g, public toilets) it is important to take extra care to alert the public to its existence. This may be done by using additional or more prominent signs.
The 2013 code suggests that the obligation to let people know about CCTV might extend to publishing more general information such as information about the safeguards and procedures in place.
Consequences of breaching the codes
The 2008 code was introduced to assist businesses and organisations using CCTV to operate in line with the requirements of the DPA. Not sticking to the code may result in a breach of the DPA. Indeed, because the 2008 code arises from the DPA, a breach of the 2008 code may also amount to a breach of the DPA.
Breaching the DPA can lead to fines of up to £500,000 for the most serious infringements and having to pay compensation to those affected. DPA fines are normally reserved for security breaches (for example, leaving a memory stick containing sensitive data in a taxi or sending highly confidential documents to the wrong recipient). But it is not inconceivable that an organisation could be fined for breaching the DPA by CCTV use.
The consequences of breaching the 2013 code are less serious. Relevant authorities are under a duty to “have regard” to the code, but there are no criminal or civil penalties for not doing so. However, not adopting the principles under this code can be used as evidence against the relevant authority in any court proceedings. For example, not following the code might be used as evidence in connection with a claim that a local authority has breached the Human Rights Act.
Conclusion
The greater focus on consultation and review will make the implementation of CCTV more onerous and time-consuming where the 2013 code is followed.
The impact of the 2013 code may be limited in the short term, at least in view of the fact that it only applies to a limited number of public organisations and the consequences of breach are minimal. The position may change, however, if the government decides to extend the list of organisations caught by the code or if local authorities start to include contractual obligations requiring contractors to comply with the code.
