On 1 February, the Information Commissioner issued a new short guidance note - CCTV systems and the Data Protection Act 1998 (Ref JB v.5. 01/02/04). The guidance makes clear that many organisations that only use basic CCTV systems will no longer have to comply with the Data Protection Act 1998.
Why was the new guidance necessary?
The previous Information Commissioner had issued a Code of Practice on the use of CCTV in July 2000. This Code assumed that all users of CCTV would have to comply with the Act, unless CCTV was used by individuals for home security purposes (personal data processed by an individual only for domestic purposes are exempt under s 36 of the Act).
The Durant case (Durant v Financial Services Authority  EWCA CIV 1746, Court of Appeal, 8 December 2003) restricts the types of data to which the Act applies. In particular, the Durant case concluded that personal data is only caught by the Act if:
“the information is biographical in a significant sense, that is, going beyond the recording of [the individual’s] involvement in a matter or an event which has no personal connotations”; or
“the information [has] … the [individual] as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or had an interest”.
It follows from this that the fleeting images of people recorded by a CCTV camera in a shopping centre will not be covered by the Act, even if the individuals are identifiable. This new restrictive approach to data protection is at odds with the Code of Practice – hence the need for new guidance.
What does the new guidance say?
The guidance applies the two tests suggested in Durant to CCTV systems. It suggests a simple three-part test to establish if CCTV systems are covered by the Act:
“Do you ever operate the cameras remotely in order to zoom in/out or point in different directions to pick up what particular people are doing?
Do you ever use the images to try to observe someone’s behaviour for your own business purposes such as monitoring staff members?
Do you ever give the recorded images to anyone other than a law enforcement body such as the police?”
An organisation that uses CCTV without doing any of these things will no longer have to comply with the Act.
The guidance notes that this is likely to exempt organisations who only have basic CCTV systems – for example small retailers who only have a couple of cameras which they can’t move remotely and who merely record images (without further analysis) to be given to the police if necessary to investigate an incident in their shop. Even though users of basic CCTV systems do not need to comply with the Act, the guidance suggests that the CCTV Code of Practice may still be useful – as it gives practical advice on image quality, which will help to ensure that the images are appropriate for crime prevention purposes.
Users of more sophisticated CCTV systems will find that some images recorded by the system will be caught by the Act, but that some will not – depending on whether the data “relate” to individuals, in the way described in Durant. The guidance suggests a simple test to check this:
“The simple rule of thumb is that you need to decide whether the image you have taken is aimed at learning about a particular person’s activities”.
So, a shopping centre that uses sophisticated CCTV systems to identify known shoplifters would still be caught by the Act as the system is being used to learn about those persons’ activities. Similarly, CCTV systems that monitor staff performance would still be caught by the Act. However, transient images of shoppers would not be covered by the Act as the organisation using CCTV does not wish to learn anything about the shoppers.
An organisation using a sophisticated CCTV system will still have to comply with the Act and should, therefore, have regard to the Code of Practice. The main difference is that it will no longer have to comply with subject access requests made by individuals whose details are recorded incidentally by the system.
The Information Commissioner’s Office is working on a revised Code of Practice for CCTV at the moment – and the guidance notes that this will be published this year. I understand from the Information Commissioner’s Office that this is likely to be issued in the second half of this year.
The approach taken by the Information Commissioner in the new guidance is to produce a pragmatic, user-friendly guide to the impact of Durant on CCTV systems. This does, however, mean that there are some issues that the guidance does not address.
The new guidance advises that images recorded on CCTV will only be covered by the Act if they focus on an individual’s activities. However, this is only one of the tests suggested by Durant to decide whether personal information will be covered by the Act. The other test, as mentioned above, is:
Whether “the information is biographical in a significant sense, that is, going beyond the recording of [the individual’s] involvement in a matter or an event which has no personal connotations …”
It is possible that a CCTV system could record images which will satisfy this test. For example, a recording of an assault would amount to the recording of information that is biographical in a significant sense about the victim of the assault. It would, therefore, be personal data covered by the Act. Probably relatively few images recorded on CCTV systems would fall into this category. Organisations using CCTV should consider if the environment in which they use CCTV makes these kinds of images more likely.
Public authorities that operate basic CCTV systems will still find it useful to follow the CCTV Code of Practice even though they do not have to comply with the Act. This is because the Code of Practice will assist them to comply with the Human Rights Act 1998. A public authority’s use of a CCTV system may engage the right to privacy under Article 8 (1) of the European Convention on Human Rights (for example, as in Peck v United Kingdom, application number 44647/98, The Times, Feb 3 2003, where CCTV footage of the applicant with a knife, shortly before a suicide attempt, was released to the media). The guidance in the CCTV Code of Practice will assist a public authority to show that the CCTV system is proportionate and necessary, in accordance with Article 8 (2) of the Convention. Of course, a public authority which wishes to use CCTV for covert surveillance will also need to comply with the authorisation procedures set out in the Regulation of Investigatory Powers Act 2000.
The European Perspective
Organisations that use CCTV systems in other EU member states should be aware that the more limited approach now taken by the Information Commissioner is unlikely to be followed elsewhere.
On 11 February 2004, the Article 29 Data Protection Working Party adopted its Opinion on the Processing of Personal Data by means of Video Surveillance (Opinion 4/2004 WP29). This assumes that any image of an identifiable individual will be covered by data protection legislation. The Opinion specifically notes, at page 5, that fleeting images of individuals will attract protection:
“Such an individual in transit may well expect a lesser degree of privacy, but not expect to be deprived in full of his rights and freedoms as also related to his own private sphere and image”.
I understand from the Commissioner’s Office that the preparatory work for this opinion took place before the publication of judgment in Durant. Accordingly, the Article 29 Data Protection Working Party was spared the difficult task of reconciling the current UK approach to data protection with that adopted elsewhere in the EU.
What should users of CCTV systems do now?
Users of existing CCTV systems do not need to take any immediate action. Users of basic CCTV systems that now fall outside the Act may choose to remove references to CCTV from notifications that come up for renewal. Organisations can also decide not to allow access rights to individuals who are not the focus of CCTV records.
Organisations that are implementing a new CCTV system will need to follow the Commissioner’s new guidance to establish whether the system is covered by the Act or not. If it is not covered by the Act they may still find the CCTV Code of Practice of value.
Public authorities should carry on referring to the CCTV Code of Practice even if they use basic CCTV systems, as this will assist them in compliance with the Human Rights Act 1998.
First published in the March 2004 issue of Data Protection Law & Policy.