The licensed trade has been a principal purchaser of CCTV systems since the late 1990s. This has been due to either the requirement to comply with Licensing Board requirements, or through peer and media pressures on businesses to do their best to prevent crime and order. There is a common belief that by installing CCTV licensees can prevent crime and disorder in, or around the premises, as well as increasing the quality and veracity of evidence to prove, or disprove a fact for management purposes and legal action.
Until 2001 there were NO laws or regulations, other than possibly town planning affecting the installation in relation to the use of CCTV. Now CCTV evidence has been built into legislation, particularly since CCTV images became DATA in terms of the Data Protection Act 1998(DPA). The DPA effectively requires the CCTV system owner, known legally as the DATA CONTROLLER to treat CCTV recorded images in the exact same manner as they would any customer, finance, or employee DATA to ensure provision for audited management records on the handling of the DATA and protecting the DATA from
unauthorised access, abuse, misuse and loss.
The non-compliance with the DPA is a criminal offence (remember the News of The World newspaper ‘hacking scandal’ that is still ongoing) and is Regulated by the Information Commissioner’s Office who also have legal procedural financial penalties it can enforce for non-compliance (fines) which increased in June 2011 from £20,000 to £500,000, however the ICO do take a more pragmatic approach and attempt to mediate in a complaint first but if this is not achieved they do have several courses of legal action open to them, such as an initial Regulators penalty of between £100 to £1000 that can be offered to an offender, or the ICO can report the matter as a criminal complaint to the Procurator Fiscal (C.O.P.F.S.) for prosecution in Scotland in the Sheriff Court.
In respect of CCTV images as evidence, the DPA, requires the images to meet the standards of ‘RECOGNISED’ or ‘IDENTIFIED’ which are established through formerly the Home Office and
Scientific Development Branch, now known as C.A.S.T. and these standards are adopted into the British Standards Institute (BSI) published standards in respective of CCTV of which there are 5 publications.
In 2010, the Government (Coalition) made the new appointment of a CCTV Regulator to compliment the ICO Regulator. The CCTV Regulator who was the Forensic Science (Evidence) Regulator and will be publishing in November 2012 a new ‘Code of Practice’ for CCTV which undoubtedly will be based on the requirement to meet strict criteria for evidence presentation. This new ‘Code of Practice’ will not replace, but will compliment the present ICO’s ‘CCTV – Code of Practice’.
I can hear you all say, “what has all this got to do with my business. I have never heard of anyone getting done for non-compliance”.
Recently I was at a prize award function in the City of Glasgow with many distinguished guests from the licensed trade present when the principal guest speaker eloquently stated how he enjoyed observing his staff working in both the kitchens and dining areas of his restaurants from the comfort of his laptop
(probably now his smart-phone). I did a quick check through the ICO website to check if his company or premises were registered ‘notified’ with the ICO and found that none were. I was also aware that the staff though aware there were CCTV cameras installed did not know of their purpose and certainly not that they were being ‘spied ‘upon by their employer. All of which are criminal offences in relation to the DPA.
This is method of CCTV surveillance is very prevalent and promoted by some installers…remember that installers are not bound by the DPA or any other legislation such as the Human Rights Act 1998 (HRA) that could affect your business reputation and be financially costly in
respect of litigation. CCTV in a business setting is NOT the television, it is NOT EastEnders or Coronation Street.
CCTV in a business setting is governed by both criminal and civil LAW. The ICO is now getting tough on the noncompliance of CCTV just checkout their website because it defaults on the centre of the ‘home
page’ to inform someone on how to gain their CCTV (DATA) image!
Recently as result of a complaint from a member of the public the ICO investigated the non-registration of a CCTV system installed at the LIME LOUNGE in Cleveleys, Lancashire, owned by Mohammed Ali Enayet.
On the 2nd of August 2012 Mr. Enayet was convicted of the criminal offence in terms of the DPA for failing to register the CCTV system and received a fine. The ICO immediately issued on the 2nd August a media statement which you can find on their website, resulting in negative media attention for the LIME LOUNGE and probably wrongly establishing a ‘bad reputation’ for the business.
This case will undoubtedly have opened the flood gates to other prosecutions, not only for ‘notification’ but for other aspects of DPA non-compliance.
Is your CCTV legally compliant?
Can your business risk the negative publicity, and probably the attraction of further investigation into your business practices by the Authorities as a result of failing to ensure your CCTV system is legally compliant?
What this means for your business is a tightening of the ‘rules’ for the use of CCTV evidence and legal compliance with not only the DPA, but with the Human Rights Act 1998 and other legislation in relation to evidence.
What will you do if a member of the public, customer or even a member of staff makes a ‘written’ request for a copy of their recorded image(s), known as a SUBJECT RIGHT of ACCESS?
Do you have an audited management system to enable you to manage that request?
Are you aware that immediate denial of the request without written reason is a criminal offence in terms of the DPA (Section 7).
Are your procedures in relation to providing CCTV recorded images of an incident to the Police compliant with the DPA?
Again, I can hear the statements, “the Police come in view the incident and take the recording” and “the Police will need it for evidence so they know what they are doing, don’t they?”.
Do you as the owner of the CCTV system (DATA CONTROLLER) have an appointed DATA PROCESSOR (probably the ‘premises manager’) who will arrange a private viewing of the recorded images of the incident for the Police on written request from them on a DPA Section 29(3) form which they must provide and you retain… my experience is this is still NOT happening.
Consider how you would feel if the Police walked into your Doctor’s surgery and without written request or audited record of who they were started reading your personal (DATA) medical records…
it could be your insurance file, etc… I am sure you would protest!
You require a robust audited account of who requested the evidence and that this was required for a particular stated investigation by a particular
Police Officer, etc.
This is called the DPA Section 29(3) procedure and uniquely in Scotland a further procedure and documentation (certificates) must be provided to the Police for the Courts to comply with
the Criminal Procedure (Scotland) Act 1995 by the owner of the CCTV system. Once more I hear, “I have never had to do that and the Police don’t complain”…
Well C.O.P.F.S. have recently tightened their procedures for Court evidence and Defence Lawyers are becoming more aware to challenge the legality of the source of CCTV evidence, because all evidence must originate from a ‘lawful source’ to be admissible (allowed) in Court.
I was advised that a serious assault charge was ‘dropped’ at Kilmarnock Sheriff Court late last year (2011) as a result of the principal evidence held on CCTV recording of the incident in a licensed nightclub had originated from a system that had not been notified to the ICO and that other failures to comply with the DPA and other legislation.
The accused walked free, probably to the amazement of those witnesses involved and the victim, just think of the litigation that could follow from that scenario and the negative publicity for the
business.
It is not just install cameras and put up signs, it is a lot more complicated than that.
A lawyer may advise you on the DPA but not on the aspects of CCTV to meet rules of evidence and the DPA, or other matters of legal compliance as this is technically complicated and best
suited for a trained and qualified CCTV Legal Compliance Auditor.
Now ask yourself, how much did I pay for the CCTV system to be installed and what did the installer provide my business other than maintenance?
Did any of my staff get training in compliance with the DPA and management procedures to be compliant?
Can I use CCTV recordings for evidence, or will lawyers prevent the evidence being used at a ‘tribunal’ or other Court?
The question I hear most is I don’t need to ‘notify’ the ICO as I have only a small system installed with fixed cameras?
This is not true if it is required by an enactment of Parliament (Scottish or Westminster etc.) is detailed in Section 2(4) of the DPA, such as the Licensing
Conditions (Late Opening Premises)(Scotland) Regulations 2007 or the recordings are for criminal proceedings and can fit the ‘RECOGNITION’ and / or ‘IDENTIFICATION’ criteria then you must comply with ‘notification’ and even if you don’t legally require to notify the ICO the system must comply with the DPA and Human Rights Act 1998 (HRA).
I have also been told, “My cameras don’t work and I have signs up, so I don’t need to notify the ICO as the system does not record”.
You may not have to ‘notify’ the ICO to register the CCTV system, however as the cameras are visible and present – whether the signs are there or not – it is an offence in terms of the DPA as the system must be maintained to meet the ‘Principles’ of the Act.
Another statement made regularly to me is, ”the fine is not expensive; my business can afford to pay the fine”. Really can your business take that risk?
Colin J. Dickson, MSyI (Cert)
As well as serving in the police for 30 years, he has also been
employed by VERIFI CCTV and TELEVIGIL ASSOCIATES (TVA) as
an auditor for the Scotland Region providing their CCTV Legal
Compliance Auditing service.
