Presentation is loading. Please wait.

Presentation is loading. Please wait.

CCTV and Surveillance October 2016.

PublishJoella Aubrey Evans Modified over 6 years ago

Similar presentations

Presentation on theme: "CCTV and Surveillance October 2016."— Presentation transcript:

1 CCTV and Surveillance October 2016

2 As you will probably know, the Data Protection Act (DPA) is the legislation that applies to the processing of personal data, including personal data that is recorded by surveillance camera systems. The focus of this presentation is around decisions regarding the recording of people, how they are informed about it and how their data is looked after. It is the responsibility of the data controller to ensure personal data is processed in a way that is compliant with the DPA. The definition of personal data is broad: it is any data that can lead to the identification of an individual. This can be obvious, like a name, address or a face but it can also be a number plate or a piece of clothing. It is up to the data controller to work out what is personal data based on context and other information that is available. The framework for the DPA is its eight legally binding principles. The definitions for each of these principles appear on this slide.

3 So, what is good practice?

4 Privacy Impact Assessments (PIA)
Robust message Privacy Impact Assessments (PIA) Transparency The DPA requires that the Information Commissioner publishes codes of practice that can support data controllers in being compliant with the legislation and provides practical advice on good practice. The third revision of the ICO’s CCTV code, In the Picture, was published in late 2014. The code recognises that surveillance capabilities are constantly increasing and expanding and takes a more robust and specific view on certain points, for example, when recording audio and when handling requests from individuals for a copy of their data.  It also includes specific guidance on BWV (Body Worn Video), ANPR (Automatic Number Plate Recognition) and drones. The CCTV code also urges data controllers to adopt a privacy by design approach, for example, the ability to turn off or mute audio. Before a camera is even purchased, data controllers should think about the reasons for using them. Proportionate processing should not have any greater effect on private interests than is necessary for achieving its purpose. Data controllers should have a clear understanding of what they are trying to achieve by using cameras and be able to justify the privacy intrusion. They should also consider how the effectiveness of CCTV use can be demonstrated ie is the quality of the recording sufficient to address the purpose? Remember there are big differences between managing deterrents and managing tools for detection and part of the process should be to consider what alternatives are available.

5 It’s interesting to consider the difference between deterring crime and investigating it. This informs approaches to take and whether surveillance is needed. Let’s take the example of litter: People may be more likely to stop dropping litter if more litter bins were installed or there was a sign asking them not to drop litter with a reminder about the penalties, rather than cameras being installed. Signs and bins may stop litter being dropped in the first place whereas cameras are more likely to be effective in showing who dropped the litter after the event but the litter was still dropped. Remember also that part of the process should also be to consider whether the level of the problem can justify the privacy intrusion. The ICO isn’t saying whether or not surveillance technology should be used, but if it is, it needs to be done in a compliant and fair way, that is tackling a pressing social need.

6 integral part of taking a privacy by design approach
An effective PIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. PIAs are an integral part of taking a privacy by design approach You should do a Privacy Impact Assessment if you are starting a project that involves the processing of personal data in a new way that may have an impact on individuals or risk breaching the DPA. PIAs can: Help you manage the compliance risks involved with using the surveillance system to address a particular purpose; Enable you to anticipate where challenges lie and may avoid costly mistakes; and Be used as a tool for transparency. PIAs are not yet mandatory but are increasingly being recognised as good practice and when new DP law is introduced by EU member states in 2018 they will have a mandatory role. Each project will be different but essentially data protection and privacy should be addressed throughout the project lifecycle rather than being bolted on as an after-thought or ignored altogether. The ICO has published a code on PIAs and the Surveillance Camera Commissioner has also done work in this area, specifically around surveillance technologies, as a PIA is likely to be appropriate if a new system of recording is introduced, ie BWV or facial recognition. Other examples that could trigger a PIA are if the location for the surveillance system changes or if different security measures are introduced.

7 Internal/ external stakeholder engagement
Describes the project, what it aims to achieve, impact on privacy Internal/ external stakeholder engagement Data flows, DC responsibility DPA (and HRA) compliance check Identify risks, solutions, accept or not A PIA should be about identifying privacy solutions. It should be completed by those who can advise on practical implications as well as those with data protection expertise – senior management buy in is key to the success of a PIA.

8 The redaction of third party data in subject access requests is a known risk area for compliance with the DPA. If you are recording footage of individuals, they are entitled to ask for copies of the footage that includes their personal data. Before it can be provided to them, it may be necessary to redact information that would lead to the identification of third parties, probably through pixilation, and probably by someone who can use specialist software to do this.

9 Data controller responsibility
Justification for recording Privacy Impact Assessment Remember these building blocks.

10 What can go wrong?

11 Case studies Audio and CCTV in the workplace Audio and CCTV in public
Body worn video footage Security Here are some case studies of where things have gone wrong.

12 Audio and CCTV in the workplace
Drivers working for a haulage company reported concerns to us that inward facing cameras were continuously recording audio and video of them as they worked. No consent had been obtained by the employer. No PIA had been carried out. The employer refused to stop recording. We took enforcement action.

13 Audio and CCTV in public
A chain of petrol stations installed cameras recording CCTV and audio continuously in a public area. We received complaints from customers. Cameras were considered necessary to tackle crime - There was no evidence to support this. Other solutions hadn’t been considered, such as a panic button. We resolved this informally through engagement.

14 Body worn video (BWV) footage
A company’s enforcement officers were provided with BWV. A complaint was received by us that the company had refused to provide information requested under subject access. We were concerned that this was a blanket policy because of concerns about the requester posting footage on social media. A balance was required, reflecting the duty of care to staff with the rights of the data subject. Redaction can be used and our code provides guidance. The company has revised its policy and we have found them to be compliant in refusing to provide footage where evidence could be shown that it was not reasonable to provide it, ie when it could be demonstrated that the requester had a history of posting malicious footage of enforcement officers on social media.

15 Security The Crown Prosecution Service was fined £200,000 after laptops containing videos of police interviews were stolen from a private film studio. The interviews were with 43 victims and witnesses. They involved 31 investigations, nearly all of which were ongoing and of a violent or sexual nature. This underlines the importance of understanding the entire flow of the data and ensuring that appropriate security checks are in place.

16 Useful references In the picture: A data protection code of practice for surveillance cameras and personal information Conducting privacy impact assessments: Code of practice In the picture: A data protection code of practice for surveillance cameras and personal information Conducting privacy impact assessments: Code of practice

17 Subscribe to our e-newsletter at www.ico.org.uk
Keep in touch Subscribe to our e-newsletter at or find us on… /iconews @iconews

Download ppt "CCTV and Surveillance October 2016."

Similar presentations

Health and Safety Chapter 10.

Health and Safety Chapter 10.
Big Data and data protection

Big Data and data protection
Delivering privacy and data protection messages in the world of drones Anne Russell Budapest Drones Conference 5 February 2015.

Delivering privacy and data protection messages in the world of drones Anne Russell Budapest Drones Conference 5 February 2015.
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
The Value in Conducting a Privacy Impact Assessment

The Value in Conducting a Privacy Impact Assessment
Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.

Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.
An overview of the Data Protection Act 1998. Legal framework The Data Protection Act 1998 came into force in March 2001, replacing the Data Protection.

An overview of the Data Protection Act Legal framework The Data Protection Act 1998 came into force in March 2001, replacing the Data Protection.
Working together: Ensuring effective regulation Jonathan Bamford Head of Strategic Liaison.

Working together: Ensuring effective regulation Jonathan Bamford Head of Strategic Liaison.
Designing Smart Cities Conference University of Strathclyde, Glasgow 31 st March 2015 “Regulating Smart Cities: Policing & Privacy” Paul Mackie Chief Executive.

Designing Smart Cities Conference University of Strathclyde, Glasgow 31 st March 2015 “Regulating Smart Cities: Policing & Privacy” Paul Mackie Chief Executive.
Presentation to Senior Management 2007. MiFID for Senior Managers Introduction These slides introduce the big changes for senior management from MiFID.

Presentation to Senior Management MiFID for Senior Managers Introduction These slides introduce the big changes for senior management from MiFID.
Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.

Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.
Data Protection Act AS Module 1 10.8 Heathcote Ch. 12.

Data Protection Act AS Module Heathcote Ch. 12.
Privacy Impact Assessments Iain Bourne, Group Manager, Policy Delivery Information Commissioner’s Office, UK Workshop on data protection and the internet:

Privacy Impact Assessments Iain Bourne, Group Manager, Policy Delivery Information Commissioner’s Office, UK Workshop on data protection and the internet:
The Data Protection Act 1998. What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;

The Data Protection Act What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;
Communications Data Consultations on access and a Code of Practice for voluntary retention Simon Watkin Home Office.

Communications Data Consultations on access and a Code of Practice for voluntary retention Simon Watkin Home Office.
European Data Protection reform: preparing for the future Richard Syers - Strategic Liaison, ICO 12 September 2014.

European Data Protection reform: preparing for the future Richard Syers - Strategic Liaison, ICO 12 September 2014.
Data Protection Guidance for Principals and Deputy Principals Anne Lyne Partner & Breda O’Malley Partner Kilkenny - 3 October 2015.

Data Protection Guidance for Principals and Deputy Principals Anne Lyne Partner & Breda O’Malley Partner Kilkenny - 3 October 2015.
Information sharing: the view from the ICO Vicky Cetinkaya, Senior Policy Officer, ICO One Staffordshire Information Sharing Protocol launch event Stafford,

Information sharing: the view from the ICO Vicky Cetinkaya, Senior Policy Officer, ICO One Staffordshire Information Sharing Protocol launch event Stafford,
Introduction to the Australian Privacy Principles & the OAIC’s regulatory approach Privacy Awareness Week 2016.

Introduction to the Australian Privacy Principles & the OAIC’s regulatory approach Privacy Awareness Week 2016.
Getting data sharing right for every child Maureen H Falconer Senior Policy Officer Information Commissioner’s Office.

Getting data sharing right for every child Maureen H Falconer Senior Policy Officer Information Commissioner’s Office.

Similar presentations

Ads by Google