All Closed Circuit Television (CCTV) systems that process data must be notified to the Information Commissioner.

A system is deemed as ‘automatically processing’ data, when that data can be retrieved automatically, by a method of sequences. Therefore, if a system has a fast forward or rewind facility on the VCR as its only means of searching for an image, it means you are effectively using your eyes and judgment, which means it would not be classified as ‘automatic processing’.

If the VCR records and permits immediate location of an image, e.g. by time and date, or frame numbering, where it is known that particular data is stored, the system will come under the Data Protection Act. So if a digital VCR can use technology that enables it to search automatically for a known incident, then it falls within the Act.

The DPA requires information to be obtained fairly and lawfully. For CCTV, this means that appropriately sized and placed signs are positioned in and around the area under surveillance. They should contain a simple ‘purpose for the system message’ e.g. to prevent and detect crime, and who owns the system with a contact telephone number.

All recorded data/images need to be accurate. This is particularly true if they are used as evidence or in a disciplinary dispute with employees. The Information Commissioner recommends that every effort be made to ensure clarity of image.

Users of CCTV systems must prevent unauthorised access to CCTV control rooms/areas; all visitors must be authorised and recorded in the visitors log and have signed the confidentiality proforma.

The DPA supports the right of the individual to a copy of any personal data held about them. Therefore data controllers are obliged to provide a copy of the tape if the individual can prove that they are identifiable on the tape, and they provide enough detail to locate the image (e.g. 1 hour before/after the time they believe they were captured by CCTV, their location and what identifiable features to look for). However, the request can be refused if there are additional data/images on the tape relating to a third party. These additional images must be blurred or pixelated out, if shown to a third party.

All new systems installed since 1st March 2000 are required to register under the DPA 98.

Data Protection Act 1998

S.C.A.M.P. Security has a responsibility under this agreement to;

• Install the CCTV system in accordance with the specification and agreement that provides all means capable for the end user/client to comply with the data protection Act 1998.
• To provide (not install) warning signs
• To provide an evidential down load pack that allows the end user/client to remove images in accordance with the Act.
• To provide training on commissioning of the system that will allow the end user/client to be competent in the use of the system.
• To maintain the system, as per the agreement - with one or more service visits per annum to ensure that the system has the best means of producing quality images and clear evidence.

The client/end user has a responsibility under this agreement to;

• Register the system with the office of the information commissioner www.dataprotection.gov.uk and pay any license or registration fee applicable.
• To complete and erect the warning signs provided by S.C.A.M.P. Security with the name and telephone number of their responsible person (data controller) who will be operating the management of the CCTV system.
• To document the purpose of the CCTV scheme to nominate a responsible person as the data controller and the record the data process of images in accordance with the principles of the data Protection Act 1998.
• To report any faults to the maintaining company and to ensure that they’re nominated and responsible staff are trained in the use of the system.