Are You Using Your CCTV Legally?


Over the past decade we have seen CCTV becoming more accessible and easier to install. This has led to an increase in the use of cameras in the UK by both the general public and business owners. This has greatly helped to protect the people of the UK and their property, however there are a few legal pitfalls that some users may not know exist when capturing footage in both public and private property. This blog will highlight some of the main factors that need to be considered to have a legal CCTV system securing your property.

Your Legal Obligation As A CCTV User

In the UK we have some key obligations and legislation that need to be adhered to when using CCTV in the public domain, these acts are:

Data Protection Act 1998 (DPA): Users of CCTV need to act in accordance with the Data Protection Act. The Information Commissioners Office (ICO) regulate and enforce any breaches that lead to legal sanctions. Another factor to consider with regards to DPA legislation is that subject access requests (SARs) can come from people who are being filmed and these are usually processed through the ICO and will need to be responded to by the CCTV user by law.

Human Rights Act 1998 (HRA): Everyone has the right to privacy. Under the Human Rights Act courts take into account how you have used your CCTV system. If your monitoring is unreasonable and intrusive then this will be considered in the instance the film is used as evidence by the Police or courts.

The Data Protection Act and CCTV

Most use of CCTV will be covered by the Data Protection Act. This is because within the act any image of a person or image of property which gives away information on that person needs to be gathered, stored and released to strict DPA guidelines. A captured subject also has the right to see the footage and information held on them. These guidelines are enforceable by the ICO and follow the 8 principles of data protection.

Covert surveillance is actually covered by another separate act Regulation of Investigatory Powers Act (RIPA) 2000 and the Regulation of Investigatory Powers (Scotland) Act (RIPSA) 2000.

Before installing your CCTV you must consider whether the installation is necessary and its purpose. Businesses will need to complete a privacy impact assessment or PIA to decide if CCTV is the best solution. Companies should especially consider if security can be achieved in an alternative, less intrusive manner.

What CCTV Operators in Business Must Do

If you own a business that has CCTV you must:

  • Make sure someone in the organisation has responsibility for the CCTV images, deciding what is recorded, how images should be used and who they should be disclosed to;
  • Register with the Information Commissioner’s Office;
  • Have clear procedures on how to use the system and when to disclose information;
  • Make regular checks to ensure the procedures are followed;

What All Users Of CCTV Must Consider Before Purchasing

If you are thinking of purchasing CCTV then the ICO recommend you consider the following questions before installing.

  • Do I really need a camera to address my security concerns?
  • Would extra lighting or sensor lighting be as effective?
  • Is there an alternative to a camera?
  • Is there anyone who could advise me about alternatives?
  • What is the most privacy friendly way to set it up?
  • Can I avoid intruding into my neighbours’ property?

Warning The Public and Workers About CCTV

One of the principle rules of fairness under the Data Protection Act 1998 states that anyone who may be caught by CCTV will need to be informed of the presence of the cameras.  This means that adequate signage must be used on your property in conjunction with your CCTV system, the signs must state:

  • The identity of the camera and/or organisation collection the footage
  • Why it is being collected
  • Other information that makes processing the footage fair such as contact details

What If You Capture Footage Of Someone Beyond the Boundaries of Your Property

CCTV used in your private property is exempt from the Data Protection Act, unless you are capturing images of the public who are outside the boundaries of your property. If your camera covers (even partially) any areas beyond your boundary, be they public or another private residence you will no longer be exempt from DPA and must act accordingly to the guidelines set. This does not mean that you are breaching DPA just that you may have to take steps to comply with it. Before installing your CCTV system you must decide on the following 6 guidelines from the ICO;

  • consider what areas would need to be covered by CCTV, will the cameras capture images you actually need and how will you safeguard any recorded images so they can be used by the police to investigate crimes affecting you;
  • consider whether you can put up signs clearly explaining that recording is taking place and take steps to do so if it is practical;
  • have appropriate safeguards in place to ensure that the equipment is only operated in the ways you intend and can’t be misused. At its simplest, this means that anyone you share your property with, such as family members who could use the equipment, need to know how important it is not to misuse it;
  • ensure you have activated settings to enable the security of footage captured by the CCTV system and that any recordings of individuals are held securely. Make sure that you only allow access to people who need it;
  • consider speaking to your neighbours and explain what you are doing and any objections or suggestions they have. (It may be useful to invite your neighbours to view the footage that you capture, this may allay any concerns they may have about your use of a CCTV system.); and
  • consider purchasing equipment that enables you to control what you can record. This will enable you to keep privacy intrusion to a minimum.

Keeping Your Footage Secure

Within DPA it is stated that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. What this actually means is that any technology used to gather footage needs to be secure and those using the CCTV equipment need to be appropriately trained.

so with the technology you need to ensure:

  • If footage is to be stored it needs to be encrypted, password protected to prevent unauthorised access;
  • If the footage is stored on the cloud then it is up to the user to make checks to ensure that the service provider uses proper security;
  • If cameras use a wireless transmission then its networks should be kept secure;
  • Viewing of the footage should be restricted, in other words the monitor should not be in view of the general public;

and if you are using CCTV in a business, staff need to be trained in:

  • What the policies are for retaining the information captured;
  • How to handle the information securely;
  • What to do if they receive a subject access request (SAR);
  • Advice on the law and how misuse of the footage is a criminal offence;

Retaining Footage

DPA states that personal data should not be kept for longer than necessary. This means that users will need to think about how long they keep footage for. If you are a company you will need to create a section within your policy for this very reason stating an adequate time span for retaining the information/footage that is within DPA guidelines.

Obviously this rule does not apply to footage that needs to be kept for evidence and legal purposes, however this exception only applies to the footage that shows the evidence, not to superfluous footage which may have been caught on other cameras on the same system at the same time.

SARs - Subject Access Requests

If you own a CCTV system and someone asks for a copy of the footage of them, it is their right to be allowed access to that footage. It is also their right to request a copy of the footage with the subject in it, limited by exceptions made by DPA. If you do not do this then the subject is well within their rights to make complaint to the ICO. One exception is that if you believe that providing a copy may compromise the privacy of another member of the public then such requests can be refused. CCTV users have 40 days to comply with these requests once they receive a valid written request from the subject, whose identity must be verified.

I hope this has been a helpful insight into just some of the main regulations you need to think of when installing a CCTV system for security. For any further assistance on the legalities of CCTV visit the ICO website.