Some may regard it as the most potent infringement of their liberty. If users, owners and managers of these systems are to command the respect and support of the general public, they must be used with the utmost probity at all times, and in a manner which stands up to scrutiny and accountability to the people they are aiming to protect.
We believe that the people's private and family life should be respected. Although the use of CCTV cameras has become widely accepted in the UK as an effective security tool, those people who do express concern tend to do so over the handling of the information (data) which the system gathers.
After considerable research and consultation, a nationally recommended standard has been adopted by the system owners.
All requests for the release of data shall be channelled through the data controller or his nominated representative.
Primary request to view data
Requests to view CCTV data are likely to be made by third parties for any one or more of the following purposes:
- providing evidence in criminal proceedings
- providing evidence in civil proceedings or tribunals
- the prevention of crime
- the investigation and detection of crime (may include identification of offenders)
- identification of witnesses.
Third parties, which are required to show adequate grounds for disclosure of data within the above criteria, may include, but are not limited to:
- statutory authorities with powers to prosecute, (eg. Customs and Excise; Trading Standards, etc)
- claimants in civil proceedings
- accused persons or defendants in criminal proceedings
- other agencies, (as agreed by the Data Controller and notified to the Information Commissioner) according to purpose and legal status.
Upon receipt from a third party of a bona fide request for the release of data, the data controller shall:
- not unduly obstruct a third party investigation to verify the existence of relevant data.
- ensure the retention of data which may be relevant to a request, but which may be pending application for, or the issue of, a court order or subpoena. A time limit shall be imposed on such retention, which will be notified at the time of the request.
Where requests fall outside the terms of disclosure and subject access legislation, the data controller, or nominated representative, shall:
- be satisfied that there is no connection with any existing data held by the police in connection with the same investigation.
- treat all such enquiries with strict confidentiality.
Secondary request to view data
A 'secondary' request for access to data may be defined as any request being made which does not fall into the category of a primary request.
Before complying with a secondary request, the data controller shall ensure that:
- the request does not contravene, and that compliance with the request would not breach, current relevant legislation, (eg. Data Protection Act 1998, Human Rights Act 1998, section 163 Criminal Justice and Public Order Act 1994, etc);
- any legislative requirements have been complied with, (e.g. the requirements of the Data Protection Act 1998);
- due regard has been taken of any known case law (current or past) which may be relevant, (eg. R v Brentwood BC ex p. Peck); and
- the request would pass a test of 'disclosure in the public interest'.
If, in compliance with a secondary request to view data, a decision is taken to release material to a third party, the following safeguards shall be put in place before surrendering the material:
- in respect of material to be released under the auspices of 'crime prevention', written agreement to the release of the material should be obtained from a police officer, not below the rank of inspector. The officer should have personal knowledge of the circumstances of the crime/s to be prevented and an understanding of the CCTV system code of practice;
- if the material is to be released under the auspices of 'public well being, health or safety', written agreement to the release of material should be obtained from a senior officer within the local authority. The officer should have personal knowledge of the potential benefit to be derived from releasing the material and an understanding of the CCTV system code of practice.
Recorded material may be used for bona fide training purposes such as police or staff training. Under no circumstances will recorded material be released for commercial sale of material for training or entertainment purposes.
Individual subject access under data protection legislation
Under the terms of data protection legislation, individual access to personal data, of which that individual is the data subject, must be permitted providing:
- the request is made in writing;
- a specified fee is paid for each individual search;
- the data controller is supplied with sufficient information to satisfy him or her self as to the identity of the person making the request;
- the person making the request provides sufficient and accurate information about the time, date and place to enable the data controller to locate the information which that person seeks, (it is recognised that a person making a request is unlikely to know the precise time. Under those circumstances it is suggested that within one hour of accuracy would be a reasonable requirement);
- the person making the request is only shown information relevant to that particular search and which contains personal data of her or him self only, unless all other individuals who may be identified from the same information have consented to the disclosure.
In the event of the data controller complying with a request to supply a copy of the data to the subject, only data pertaining to the individual should be copied, (all other personal data which may facilitate the identification of any other person should be concealed or erased). Under these circumstances an additional fee may be payable.
The data controller is entitled to refuse an individual request to view data under these provisions if insufficient or inaccurate information is provided, however every effort should be made to comply with subject access procedures and each request should be treated on its own merit.
In addition to the principles contained within the data protection legislation, the data controller should be satisfied that the data is:
- not currently and, as far as can be reasonably ascertained, not likely to become, part of a 'live' criminal investigation;
- not currently and, as far as can be reasonably ascertained, not likely to become, relevant to civil proceedings;
- not the subject of a complaint or dispute which has not been actioned;
- the original data and that the audit trail has been maintained;
- not removed or copied without proper authority;
- for individual disclosure only (i.e. to be disclosed to a named subject).
Process of disclosure
Verify the accuracy of the request.
Replay the data to the requester only, (or responsible person acting on behalf of the person making the request).
The viewing should take place in a separate room and not in the control or monitoring area. Only data which is specific to the search request shall be shown.
It must not be possible to identify any other individual from the information being shown, (any such information will be blanked-out, either by means of electronic screening or manual editing on the monitor screen).
If a copy of the material is requested and there is no on-site means of editing out other personal data, then the material shall be sent to an editing house for processing prior to being sent to the requestee.
In the event of a request from the media for access to recorded material, the procedures outlined under 'secondary request to view data' shall be followed. If material is to be released the following procedures shall be adopted:
- the release of the material must be accompanied by a signed release document that clearly states what the data will be used for and sets out the limits on its use, and indemnifies the partnership against any breaches of the legislation.
- the release form shall state that the receiver must process the data in a manner prescribed by the data controller, e.g. specific identities/data that must not be revealed.
- it shall require that proof of any editing must be passed back to the data controller, either for approval or final consent, prior to its intended use by the media (protecting the position of the data controller who would be responsible for any infringement of data protection legislation and the system's code of practice).
- the release form shall be considered a contract and signed by both parties.