Information Commissioner’s Office (“ICO”) publishes consultation on CCTV and its Data Protection Policy

22 November 2007

Rhian Hill

Over the summer the ICO published a number of consultation documents relating to data protection. It published a revised consultation document on CCTV (the “Revised Document”) which updated the current CCTV Code that was published by the ICO in 2000 (the “Current Code”). The ICO also published its draft Data Protection Strategy and invited comments from its stakeholders.


In addition to altering the Current Code’s formatting and style to bring it into line with other guidance provided by the ICO, the Revised Document has been modified to reflect legal and technological developments since the Current Code was issued.

Many of the areas covered by the Current Code are readdressed in the Revised Document. The Revised Document continues to emphasise the importance of ensuring that organisations using CCTV have considered their justification for using this technology and that each organisation has an individual responsible for monitoring how CCTV is used. The Revised Document also reiterates the importance of ensuring that the CCTV cameras are placed in locations where clear, usable images can be produced. Cameras should also be positioned in such a way as to minimise the risk of individuals, especially bystanders, being filmed where this is not necessary.

To reflect changes in CCTV technology, the section on retention and disclosing information to third parties has been updated. The Revised Document acknowledges that CCTV images may not be held on video tapes any longer. It therefore advises users to consider how they will hand over CCTV images to the police (e.g. can a recording be taken off the system) and to consider whether the police will find the CCTV images usable.

In contrast to the Current Code, the Revised Document addresses the use of CCTV to monitor employees. In Appendix 3 to the Revised Document the ICO sets out a number of questions that employers should consider when monitoring their employees at work. The questions are designed to address two situations: firstly, where employers film their employees as an incidental part of protecting their business (e.g. filming staff in a shop where CCTV is used for crime detection and prevention), and secondly, where employees are filmed in order to ensure that they are complying with their employment contract. The guidance provided in the Appendix echoes similar guidance provided in the Employment Practices Code, emphasising the importance of ensuring that the employees are informed of the fact that they may be monitored and considering in what locations it is appropriate to use CCTV.

The Revised Document deals for the first time with FOI requests and whether public bodies should be able to release CCTV images. The Revised Document also considers the extent to which organisations can give CCTV images to others, e.g. disclosing CCTV footage of a car park where a car has been stolen for insurance purposes. The guidance suggests that release of images may be appropriate in limited circumstances where [the Company’s needs] outweigh those of the individuals whose images are recorded.

Although the Revised Document’s style and formatting have changed from the Current Code, organisations familiar with the Current Code are unlikely to view this document as a marked change in approach by the Information Commissioner’s Office.

The consultation ended on 31 October 2007.

Consultation on the ICO’s Data Protection Strategy

The draft Data Protection Strategy published by the ICO highlights the approach it intends to take to data protection. This Strategy acknowledges that as a strategic regulator the ICO’s resources are limited, and its intention, therefore, is to set out how it will use its resources to ensure that organisations comply with the law and to minimise data protection risk.

The document acknowledges that in the past the ICO has taken a reactive approach to privacy issues. The ICO in this document sets out its vision to move from a reactive to a proactive approach to data privacy, looking for long-term reductions in risk, not just short-term solutions.

In practice the strategy suggests that this may mean working in partnership with other regulators; commercial and self regulatory bodies; the legislature and the media. The Strategy highlights the ICO’s perception of its role in influencing government and trade bodies to ensure "privacy friendly outcomes".

The Strategy also sets out the risk-based approach that the ICO will take when deciding what issues to engage with. Its aim is to reduce serious risks and protect the vulnerable. In assessing what issues to engage with, the ICO will consider how serious and how likely the harm is, taking an objective approach to the likely effect of the breach of privacy. It will look at the impact on those affected by the security breach, concentrating specifically on whether it is likely to have a long-term impact on them. However, a key question that will be asked by the ICO is whether it can make a difference. The ICO may consider the potential media impact of the story in deciding whether to engage with any issue.

The consultation highlights the ICO’s expectation that its stakeholders will use the guidance it produces and tell it when they embark on something that may be a considerable risk. It highlights that its aim is not to act as a barrier to sensible progress but to help its stakeholders achieve their objectives in a privacy-friendly way.

The consultation ended on 28 September 2007.