The Surveillance Code Of Practice
It was interesting to hear Tony Porter the new Surveillance camera commissioner give a webinar on the 12 guiding principles of the surveillance camera code practice.
Appointed just last March, he was addressing the use of CCTV on University and college campuses but much of what he said stood true for most organisations.
He described his remit as being to ensure that CCTV was used to “support & protect communities” and in just 9 months has already produced a number of guidance documents and self assessment tools to help ensure that this is brought about.
Although the Code of Practice is only enforceable for Police & Local Authority bodies, he suggests that it should be used as a good practice code that any organisation strives for and that most will already be following to some extent in their natural day to day procedures.
The 12 principles of the code look to ensure that CCTV is used in 3 key ways:
In essence, Tony Porter remarked that CCTV should not impinge on an individual’s right to privacy, it should make them feel “looked after” not “looked at”.
Porter noted that in most cases operating to a good practice level can have a number of positive effects to any organisation including cost savings at review time and openly publishing your data protection practices in a formal document on-line offers transparency, which can in turn give confidence and earn trust from organisational stakeholders.
He also intimated that a BS type kitemark might be in the offing in the future that any organisation can aspire to and called for case study information from any compliant organisation to help toward this.
So where should you start?
Well I’ve personally spent a lot of time reading the Data Protection Act and all sorts of subject matter around it (believe me that’s a day of my life I will never get back!) and the general gist of it is just good common sense. I’ve listed 6 tips here that I think will get you on the right track to compliance within days:
6 Tips To Get You On Track With CCTV Data Compliance
1. Put someone in charge and make them the “go to” person for all things CCTV. This isn’t a full time role and doesn’t need to be a technician’s role. In fact it is probably best kept in an HR role or part of a Branch Manager’s role where they are part of the general induction process for new staff. The point that someone takes it on as their responsibility is the key to it.
2. Look at an off the shelf guide for CCTV & Data Compliance. They cost less than £100 and offer a step by step checklist of what to do, template copies of paperwork forms and log books that needs to be filled in if an incident occurs as well as handy stickers for police evidence submission. It would cost way over this for any member of staff to even just read the Act. They also will advise you whether your scheme needs registering with (ICO) the Information Commissioner’s Office.
3. Get Signed up – by that I mean make sure you display compliant signage that warns staff and visitors that CCTV is in operation. This also needs to be the right size, in the right place and as Tony Porter denotes include “a point of contact”. I suggest here that your designated person in charge does 2 things. Firstly take a tour around your site on foot on well utilised paths, entrances and gangways making a note of where the CCTV camera becomes visible. An A4 sign would be appropriate in those spots. Next they should get in a car and do exactly the same thing (where possible) and choose a larger format A3 sign for these spots. It is just common sense but this is an easy rule of thumb.
4. Giving a ”point of contact” for visitors is a trickier problem. One option is to have your own signage made but this can be costly and can become dated very quickly if there is a change of staff. I recently came across a new range of signage from “Whoiswatchingme.org” they offer a range of low-cost, off-the-shelf signage that includes a QR code for mobile phone users to scan and display the scheme’s point of contact details in seconds. This system makes it easy to update but they also allow you to add extra optional information to your record that tells the CCTV subject your policy on it’s purpose and how long you are keeping the recorded data.
5. Privacy matters – I delved into this further looking at the Information Commissioner’s Office (ICO.gov.uk) guide to carrying out a Privacy Impact assessment. To summarise another 50 pages of reading, first assume that if you have CCTV fitted then you should do a PIA (Privacy Impact Assessment). I understand the SSC does intend to publish a template for this but to date I cannot find it on-line. For the most part if you follow an off the shelf guide you will be conformant but key considerations are to set up your DVR to rewrite after a certain period deemed acceptable. Keep security of the DVR and access to it whether physical or remotely very tight so footage doesn’t end up in the wrong hands. Finally make sure the CCTV location and field of view is appropriate using Tony Porter’s rule of thumb to look after and not look at.
6. Finally take the Surveillance Camera Commissioner’s new Self Assessment Tool. It will only take 10 minutes and if you’ve already followed the above tips, you should score quite highly.
I hope this article helps demystify some of the key point of Data Protection with regards to CCTV, remember most of it just good manners and common sense. Next time around, I’ll be looking at the challenges involved with cyber security.