Tuesday 27 May 2014

ICO’s revised CCTV Code misses a trick

The ICO has missed a golden opportunity to show just how radical, innovative and helpful it can be.


Because it’s consulting on revisions to its CCTV Code of Practice, which was last revised in 2008.

Yes, technology has moved on since the publication of that Code. But so, importantly, has the regulatory environment.

Back in 2008, the ICO basically monopolised the CCTV regulatory market. Of course it didn’t regulate the use of CCTV for sneaky stuff – that was a task for the Surveillance Commissioner. But as far as non-covert regulation was concerned, the ICO ruled.

Now, let’s shift forward to 2012 – which was significant in that the post of the Surveillance Camera Commissioner was created by the Protection of Freedoms Act. This Commissioner didn't regulate the use of CCTV (or other camera systems) for sneaky stuff either. But the Act did carve out a special role for someone to promote good standards concerning the use of some camera systems operated for the benefit of public authorities, particularly with regard to parking and policing, and in a few cases where the ICO’s remit might not quite have stretched.

The 2012 Act also provided that the SCC must publish a Code and, despite having no enforcement or inspection powers, he should encourage compliance with it. This document, published in June 2013, is some 22 pages long and contains 12 guiding principles. The Act didn't, however, prohibit the Commissioner from working with like-minded Commissioners to craft a joint Code.

Significantly, the introductory blurb to the Code explains that: “In order to fulfil these functions effectively, the commissioner must work closely with other regulators including the Information Commissioner and the Chief Surveillance Commissioner. It is for the commissioner and other regulators to determine how best to maintain and formalise these relationships, to agree gateways through which issues flow between the public and the commissioners and how best to publicise and report on arrangements to support these relationships which will be critical in ensuring the success of the code in meeting its purpose.”

Now, let’s shift forward to 2014, and look at the ICO’s revised CCTV Code. Let’s be clear – not much has changed. This document, some 31 pages long, contains a useful “Checklist for users of limited CCTV systems monitoring small retail and business premises”.  Fancy that! The checklist contains 12 key points, almost any of which could be swapped with one of the SCC’s 12 principles, and hardly anyone would notice.

So why on earth should we require two regulators to publish independent Codes on basically the same subject?

Why can’t we require, in a spirit of joined-up Government – and joined-up regulation, the ICO and the SCC to work together to publish a single document, containing a single set of standards, on the subject?

Now, that would be really radical, innovative and useful.

One set of standards that accommodates the considered views of different regulators. One code to rule them all!

Bring it on.

Technical Note:
For the anoraks who like to digest the subtle differences of view between different regulators, I set out below the different sets of principles promulgated by each regulator. They are so similar it really makes sense for a single set of points to be published in a single document.

If we want a simple life, that is.

SCC Guiding Principles

  1. Use of a surveillance camera system must always be for a specified purpose which   is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
  2. The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
  3. There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
  4. There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
  5. Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
  6. No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
  7. Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
  8. Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
  9. Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
  10. There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
  11. When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
  12. Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

ICO Guiding Principles

  1. Notification has been submitted to the Information Commissioner and the next renewal date recorded. 
  2. There is a named individual who is responsible for the operation of the system. 
  3. The problem we are trying to address has been clearly defined and installing cameras is the best solution.
  4. A system has been chosen which produces clear images which the law enforcement bodies (usually the police) can use to investigate crime and these can easily be taken from the system when required. 
  5. Cameras have been sited so that they provide clear images. 
  6. Cameras have been positioned to avoid capturing the images of persons not visiting the premises. 
  7.  There are visible signs showing that CCTV is in operation. Where it is not obvious who is responsible for the system contact details are displayed on the sign(s). 
  8. Images from this CCTV system are securely stored, where only a limited number of authorised persons may have access to them. 
  9. The recorded images will only be retained long enough for any incident to come to light (e.g. for a theft to be noticed) and the incident to be investigated.  Except for law enforcement bodies, images will not be provided to third parties
  10. The potential impact on individuals’ privacy has been identified and taken into account in the use of the system.
  11. The organisation knows how to respond to individuals making requests for copies of their own images. If unsure the controller knows to seek advice from the Information Commissioner as soon as such a request is made. 
  12. Regular checks are carried out to ensure that the system is working properly and produces high quality images.