CCTV code of practice

Document Control for Bassetlaw District Council  

 

Document Control for Bassetlaw District Council

Organisation Bassetlaw District Council
Title CCTV Code of Practice
Author Lesley Bianco, Craig Tweed & Jamey Middleton
Filename  
Owner  
Subject CCTV
Protective Marketing Open
Review Date May 2022
Revision History
Revision Date Reviser Previous Version Description of Revision
 23.05.2019 Lesley Bianco, Craig Tweed & Jamey Middleton  1.0 Updated Code of Practice to bring it up-to date with the Council’s current CCTV Policy.
 14.05.2020 Lesley Bianco, Craig Tweed & Jamey Middleton  2.0 Updated Code of Practice to bring it up-to date with the Council’s current CCTV Policy.
       
Document Approvals: This document requires the following approvals
Sponsor of Approval Name Date
BDC Interim Chief Executive David Armiger  31/03/2022
BDC Cabinet All Cabinet  07/07/2020 

Acknowledgement

This Framework Code of Practice is based upon a draft upon a draft code prepared by:

The Standards Committee of the CCTV User Group

PO Box 6023

Leighton Buzzard

Bedfordshire

LU7 0YU

 

Contents

Appendices

In conjunction with this document please refer to the new ICO Code of Practice version 1.2 (external link to ICO)

Introduction and Definitions

This Code of Practice shall apply to the closed circuit television surveillance scheme known as Bassetlaw CCTV scheme. The scheme initially comprises of cameras located in specific external and internal locations within the Bassetlaw area, with control, monitoring and recording facilities at a dedicated location. A problem-orientated process was utilised to assess the appropriateness of CCTV in the Bassetlaw area. The cameras have therefore been sited to capture images of identifiable individuals or information relating to individuals, which are relevant to the purposes for which the scheme has been established.

Ownership

The scheme is owned by Bassetlaw District Council who are the Data Controller responsible for the management, administration and security of the system. Bassetlaw District Council will ensure the protection of individuals and the public by complying with the Codes of Practice.

Closed Circuit Television Mission Statement

To promote public confidence by developing a safe and secure environment for the benefit of those employed, visiting or using the facilities of the area covered by Bassetlaw CCTV system. Bassetlaw District Council is committed to the recommendations contained in the Information Commissioners CCTV Code of Practice that can be found on the following website:
www.ico.gov.uk.

Codes of Practice Mission Statement

To inspire public confidence by ensuring that all public area Closed Circuit Television (CCTV) systems which are linked to the CCTV Control Room are operated in a manner that will secure their consistent effectiveness and preserve the civil liberty of law-abiding citizens at all times.

Definitions

The CCTV control room shall mean the secure area of a building where CCTV is monitored and where data is retrieved, analysed and processed.

CCTV scheme shall mean the totality of the arrangements for closed circuit television in the locality and is not limited to the technological system, staff and operational procedures.

The retrieval system means the capability, in any medium, of effectively capturing data that can be retrieved, viewed or processed.

CCTV system means the surveillance items comprising cameras and associated equipment for monitoring, transmission and controlling purposes, for use in a defined zone.

The distributed system means any subsystem, any part of which may be linked temporarily or permanently for remote monitoring within the CCTV system.

Data shall mean all information, including that about a person in the form of pictures, and any other associated linked or processed information.

Personal Data means data which relates to a living individual who can be identified:

  1. from that data or
  2. from that data and other information which is in the possession of or is likely to come into the possession of, the data controller.

Sensitive personal data is personal data which is deemed to be sensitive. The most significant of these, for the purposes of this code are information about:-

  • The commission or alleged commission of any offences
  • Any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.

An incident is an activity that raises cause for concern that the safety or security of an individual or property including vehicles that may be compromised or that an offence has been, is being or is about to be, committed, or that an occurrence has taken place warranting specific action by an operator.

The owner is Bassetlaw District Council, the organisation with overall responsibility for the formulation and implementation of policies, purposes and control of the scheme.

The manager has the responsibility for the implementation of the policies, purposes and methods of control of a CCTV scheme, as defined by the owner of the scheme. The manager of the scheme is a designated employee of Bassetlaw District Council.

Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are about to be processed. The Data Controller for the CCTV schemes is Bassetlaw District Council.

Operators are employees of Bassetlaw District Council and are specifically designated to carry out the physical operation of controlling the CCTV system and the data generated. All operators are screened, trained and licensed to the standards required in the Private Security Industry Act 2001.

Recording material means any medium that has the capacity to store data and from which data can later be recalled irrespective of time.

A hard copy print is a paper copy of a live image or images, which already exist on recorded material.

System description

The Closed Circuit Television system referred to in this document has been introduced into the Bassetlaw area. Whilst the schemes is owned by Bassetlaw District Council and operated by our staff its implementation and/or expansion is supported by the following bodies (the partners)

  • Nottinghamshire Police
  • North Nottinghamshire BID
  • Local Management forums
  • Local Businesses
  1. a) All Images are recorded digitally from camera source onto Hikvision DS-9632-F4/N NVR’s (Primary estate Recorders); where cameras are networked from remote locations & Hikvision DS-7316HUHI F/4 NVR’s (Secondary Local Recorders; where cameras are situated locally) with 1-4no. 4 TB HDDs. The images are recorded at 25 Frames per second (full motion) and stored for a maximum 30 days before being deleted/reused.
  2. Images will be retained for 30 days. They will only be retained for longer if they are expected to be used as evidence in an investigation or its case history.
  3. Evidence will normally be issued to the prosecuting authorities producing two copies on DVD/CD known as a working copy and master copy and considered to be primary evidence. One copy will be labelled as the ‘Master Copy’ and the other will be labelled as the ‘Working Copy’. The working copy will be issued to the Police on request; the Master copy will be retained and securely stored in the Bassetlaw CCTV control room for a period of three years.
  4. In circumstances where a large amount of data is required, an encrypted USB hard drive or an encrypted USB stick may be utilised to hold large amounts of raw evidential data. Media player software is included in the process so that the data can be accessed by the Police using their own IT equipment. USB Hard Drives and or other mass storage devices must be supplied by the Police.
  5. All production and movement of evidential material is recorded both on the Meyertech Fusion Eclipse digital recording system management interface and on the CCTV control room paperless office management system, Meyertech Fusion Expert.

Changes to the code of practice

Consultation

Any major changes to this Code of Practice will take place only after consultation with the relevant management group and upon agreement of all organisations with a participatory role in the operation of the system.

Major changes to this code are defined as changes that affect its fundamental principles and shall be deemed to include: 

  • additions and omissions of cameras to the system
  • matters which have privacy implications
  • additions to permitted uses criteria e.g. purposes of the scheme
  • changes in the right of access to personal data, except statutory requirements
  • significant legal implications.

Minor changes to this Code of Practice are defined as operational and procedural matters which do not affect the fundamental principles and purposes; these include: 

  • additions and omissions of contractors
  • additional clarifications, explanations and corrections to the existing code
  • additions to the code of practice in order to conform to the requirements of any statutory Acts and changes in criminal legislation

A minor change may be agreed between the manager and the owner of the system. 

The Code of Practice will be subject to annual review which will include compliance with the relevant legislation and Standards. 

Supplementary Documentation

 The Code of Practice will be supplemented by the following documents:

  • CCTV Operations Procedural Manual
  • Manufacturers Equipment manual

Each document contains instructions and guidance to ensure that the objectives and principles set out in this Code of Practice are achieved. These documents will be restricted to the partners and staff members only.

Objectives of the CCTV scheme and code of practice

Purpose of and Compliance with the Code of Practice 

This Code of Practice is to detail the management, administration and operation of the closed circuit television (CCTV) system in the Bassetlaw area and the associated Control and Monitoring Facility.

The Code of Practice has a dual purpose, in that it will assist owners, management and operators to understand their legal and moral obligations whilst reassuring the public about the safeguards contained within it.

The owners, CCTV Operators and users of the CCTV systems and associated safety and security equipment connected to the Control, Monitoring and Recording facility shall be required to give a formal undertaking that they will comply with this Code of Practice and act in good faith with regard to the basic principles contained within it.

The owners, CCTV Operators, users and any visitors to the Control, monitoring and recording facility will be required to sign a formal confidentiality declaration that they will treat any viewed and/or written material as being strictly confidential and that they undertake not to divulge it to any other person.

Objectives of the scheme

The following objectives have been established for Bassetlaw CCTV and associated systems:

  • To help reduce the fear of crime
  • To help deter crime and detect crime
  • To assist in the overall management of Worksop, Retford, Harworth and Tuxford Town Centres
  • To enhance community safety, boost the economy and encourage greater use of the town centres/shopping areas, etc
  • To assist the Local Authority in its enforcement and regulatory functions within the town centres
  • To assist with traffic management
  • To assist in supporting civil proceedings
  • To assist in the safety and wellbeing of the public    

Within this broad outline, the Local Police Commander, in partnership with the Chief Executive will, where necessary, also draw up, and publish specific key objectives which may be reviewed annually.

Fundamental Principles & Policies

Rights of Privacy

Bassetlaw CCTV support the individual’s right to privacy and will insist that all third parties involved in the provision and use of public surveillance CCTV systems connected to the control, monitoring and recording facility accept this fundamental principle as being paramount.

Principles of management of the scheme

Prior to the installation of new cameras an ‘Impact Assessment’ to determine whether CCTV is justified and how it will be operated will be undertaken in compliance with the Surveillance Camera Commissioner’s CCTV Code of Practice.

The cameras have been sited to capture images which are relevant to the specified purposes for which the scheme has been established.

Cameras will be sited to ensure that they can produce images of the right quality, taking into account technical and environmental issues.

To accomplish the above an ‘Operational Requirement’ will be completed at the time of the ‘Impact Assessment’ for each proposed camera to dictate the quality of images required. This is a recommendation of the information Commissioner.  

If wireless transmission systems are used to control CCTV equipment, sufficient safeguards will be in place to protect them from being intercepted.

The scheme will be operated fairly, within the applicable law and only for the purposes for which it is established or which are subsequently agreed in accordance with the Code of Practice.

Operators are aware of the purpose(s) for which the scheme has been established and that the CCTV equipment is only used to achieve the identified purposes.

The scheme will be operated with due regard for the privacy of the individual.

The public interest in the operation of the scheme will be recognised by ensuring the security and integrity of operational procedures.

The system will only be operated by trained and authorised personnel.

Policy of the Scheme and Signage

Signage

The scheme aims to provide surveillance of the public areas within designated areas of Bassetlaw in order to fulfil the stated purposes of the scheme. The area protected by CCTV will be indicated by the presence of signs. The signs will be placed so that the public are aware that they are entering a zone which is covered by surveillance equipment. The signs will state the organisation responsible for the scheme, the purposes of the scheme and a contact telephone number. Data will not be held for longer than necessary and disposal of information will be regulated.  

Point of contact

Should the public wish to make contact with the owners of the scheme they may write to:                     

Data Protection Manager
Bassetlaw District Council
Queen’s Buildings
Potter Street
Worksop
S80 2AH

The contact point will be available to members of the public during office hours. Enquirers will be provided with the relevant documentation.

Release of information to the public

Information will be released to third parties, itemised in Section 8 who can show legitimate reasons for access. They will be required to request any information with reasons in writing and identify themselves.  

Information will only be released if the data captures identifiable individuals or information relating to individuals and the reasons are deemed acceptable, the request and release of information complies with current legislation and on condition that the information is not used for any other purpose than that specified.

Individuals may request to view information concerning themselves held on record in accordance with the Data Protection Act 2018 and the General Data Protection Regulation. The procedure is outlined in Section 8.9 of this Code of Practice.

Release of information to statutory prosecuting bodies

The policy is to assist statutory prosecuting bodies such as the Police, and statutory authorities with powers to prosecute and facilitate the legitimate use of the information derived from the scheme. Statutory bodies may have access to information permitted for disclosure on application to the owner of the scheme or the manager, provided the reasons and statement of purpose, accord with the objectives of the scheme and conditions outlined in section 8.0.  The information will be treated as evidential exhibits.

Annual policy review

There will be an annual policy review covering the following aspects:

  1. whether the purpose and objectives statements remain valid
  2. change in extent of the scheme
  3. contracts with suppliers
  4. a review of the data protection or legal requirements
  5. maintenance schedule and performance test of the system
  6. scheme evaluation findings
  7. complaints process and evaluation

Data protection act 2018 and other legislation

The scheme will be managed in accordance with the principles of the Data Protection Act 2018 and the Articles of the General Data Protection Regulation. 

Human Rights Act 1998

The system will be operated by or on behalf of a public authority, the authority has considered the wider human rights issues and in particular the implications of the European Convention on Human Rights, Article 8 (the right to respect for private and family life). 

  1. Everyone has the right to respect for his private and family life, his home and his correspondence.
  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Therefore, to comply with Article 8 (1), and Article 8 (2) Bassetlaw CCTV will always consider the following:

  • Proportionality - Article 4.2.1, 4.2.2, 4.2.3 and 4.2.6 of the code of practice 
  • Legality - Article 4.2.7 and 4.2.8 of the code of practice
  • Accountability - Article 4.2.10 and 4.2.11 of the code of practice Necessity/Compulsion - Article 4.2.3 of the code of practice

Any infringement by a public authority of another’s rights must be justified. If this is not the case then it will not be appropriate to use CCTV.

Criminal Procedures and Investigations Act 1996

The Criminal Procedures and Investigations Act 1996 came into effect in April 1997 and introduced a statutory framework for the disclosure to defendants of material which the prosecution would not intend to use in the prosecution of its own case (known as unused material) but disclosure of unused material under the provisions of this Act should not be confused with the obligations placed on the data controller by the Data Protection Act 2018 and the General Data Protection Regulation (known as subject access).

Freedom of Information Act 2000

If a request for images is received via a FOIA application and the person requesting is the subject, these will be exempt from the FOIA and will be dealt with under The Data Protection Act 2018 and The General Data Protection Regulation.

Any other requests not involving identification of individuals can be disclosed but only if it does not breach the data protection principles.

Regulation of Investigatory Powers Act 2000

Introduction

The Regulation of Investigatory Powers Act 2000 came into force on 2nd October 2000. It places a requirement on public authorities listed in Schedule 1: Part 1 of the act to authorise certain types of covert surveillance during planned investigations.

Background

General observation forms part of the duties of many law enforcement officers and other public bodies. Police officers will be on patrol at football grounds and other venues monitoring the crowd to maintain public safety and prevent disorder. Officers may also target a crime "hot spot" in order to identify and arrest offenders committing crime at that location. Trading standards or HM Customs & Excise officers might covertly observe and then visit a shop as part of their enforcement function to verify the supply or level of supply of goods or services that may be liable to a restriction or tax. Such observation may involve the use of equipment to merely reinforce normal sensory perception, such as binoculars, or the use of cameras, where this does not involve systematic surveillance of an individual. It forms a part of the everyday functions of law enforcement or other public bodies. This low-level activity will not usually be regulated under the provisions of the 2000 Act.

Neither do the provisions of the Act cover the normal, everyday use of overt CCTV surveillance systems. Members of the public are aware that such systems are in use, for their own protection, and to prevent crime. However, it had not been envisaged how much the Act would impact on specific, targeted use of public/private CCTV systems by ‘relevant Public Authorities’ covered in Schedule 1: Part1 of the Act, when used during their planned investigations.

The consequences of not obtaining an authorisation under this Part may be, where there is an interference by a public authority with Article 8 rights (invasion of privacy), and there is no other source of authority, that the action is unlawful by virtue of section 6 of the Human Rights Act 1998 (Right to fair trial) and the evidence obtained could be excluded in court under Section 78 Police & Criminal Evidence Act 1984.

The Act is divided into five parts. Part II is the relevant part of the act for CCTV. It creates a system of authorisations for various types of covert surveillance. The types of activity covered are "intrusive surveillance" and "directed surveillance". Both types of surveillance if part of a pre-planned operation will require authorisation from specified persons named in the Act. In addition, the reasons for such surveillance must be clearly indicated and fall within the criteria outlined by this legislation. A procedure is in place for regular reviews to be undertaken into authorisation.

Bassetlaw CCTV scheme will observe the criteria laid out in the legislative requirements.

Further information is available from the Government website

Surveillance Camera Code of Practice

The Code of Practice was a requirement of the Protection of Freedoms Act 2012 and sets out guidelines for the CCTV system to ensure their use is open and proportionate and that they are able to capture quality images that give police a better chance to catch criminals and cut crime.

The code has been built upon 12 guiding principles, which provide a framework of good practice that includes existing legal obligations. Those existing obligations include the processing of personal data under the Data Protection Act 2018 and the General Data Protection Regulation, a public authority’s duty to adhere to the Human Rights Act 1998 and safeguards under the Regulation of Investigatory Powers Act 2000 associated with the use of directed and covert surveillance by a public authority. The use of a surveillance camera system must:

  1. Always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need
  2. Take into account its effect on individuals and their privacy
  3. Have as much transparency as possible, including a published contact point for access to information and complaints
  4. Have clear responsibility and accountability for all surveillance activities including images and information collected, held and used
  5. Have clear rules, policies and procedures in place and these must be communicated to all who need to comply with them
  6. Have no more images and information stored than that which is strictly required
  7. Restrict access to retained images and information with clear rules on who can gain access
  8. Consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards
  9. Be subject to appropriate security measures to safeguard against unauthorised access and use
  10. Have effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with
  11. Be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value, when used in pursuit of a legitimate aim
  12. Be accurate and kept up to date when any information is used to support a surveillance camera system which compares against a reference database for matching purposes.

Whilst the above principles are voluntary, Local Authorities must have regard to them and Bassetlaw CCTV will work to achieve continued compliance with the requirements.

Crime & Courts Act 2013

The Crime and Courts Act became law on 1st October 2013 and replaced the Serious Organised Crime and Police Act 2005. CCTV Control Rooms, RVRC's and the like are under Section 7 of the Crime & Courts Act 2013 required by law to share information (CCTV images) to the National Crime Agency (NCA).  If a request is received from the NCA then Bassetlaw CCTV Control Room MUST comply with the request and provide the data.

Section 7, Subsection (3) provides information obtained by the NCA in connection with the exercise of any NCA function may be used by the NCA in connection with the exercise of any other NCA function. For example, information obtained in the course of gathering criminal intelligence may be used in connection with NCA’s crime reduction function.

Section 7, Subsection (4) provides that the NCA may disclose information in connection with the exercise of any NCA function if the disclosure is for any “permitted purpose” as defined within Section 16(1) of the Act. This would apply in situations where, for example, the NCA has received information on suspected criminal activity (such as a ‘Suspicious Activity Report’ – which help banks and financial institutions protect themselves and their reputation from criminals and help law enforcement to track down and arrest them) and has decided to share this information with an organisation or person outside the NCA (such as a financial institution) for the purpose of preventing or detecting crime.

Accountability

Bassetlaw CCTV support the principle that the community at large should be satisfied that the Public surveillance CCTV systems are being used, managed and controlled in a responsible and accountable manner and that in order to meet this objective there will be independent assessment and scrutiny. It is the responsibility of all parties to maintain a continuous review of its integrity, security, procedural efficiency, methods of operation and retention and release of data.

Hierarchy of Responsibilities

The Owner

The owner shall be responsible for policy, effective management and public relations of the scheme. They shall produce a written policy and be responsible for its implementation. This shall be carried out in consultation with users of the scheme and provide for the release of information relating to the operation of the system.  The owner is responsible for dealing with complaints and ensuring a fair system of staff selection and recruitment is adopted for staff employed in the control and monitoring environment. The role of owner also includes all statutory responsibilities including the role of “data controller” as prescribed by the Data Protection Act 2018. The Single Point of Contact for Bassetlaw CCTV is the Director of Regeneration and Neighbourhoods.

The Manager

The manager or designated member of staff should undertake regular reviews of the documented procedures to ensure that the provisions of this Code are being complied with. These should be reported back to the owner of the scheme. To facilitate this, regular meetings will be held with the Supervisor to go through the points listed below:-

The manager is the person who has direct control of the scheme and as such, he/she will have authority for the following:

  • Staff management
  • Observance of the policy and procedural practices
  • Release of data to third parties who have legal right to copies (in cooperation with the Council’s Data Protection Team)
  • Control and security clearance of visitors
  • Security and storage of data
  • Security clearance of persons who request to view data
  • Release of new and destruction of old data
  • Liaison with police and other agencies
  • Maintenance of the quality of recording and monitoring equipment

The manager should retain responsibility for the implementation of procedures to ensure that the system operates according to the purposes for which it was installed and in accordance with the objectives identified for the system.

The manager shall also ensure that on a day-to-day basis all equipment is working correctly and that the operators of the scheme comply with the Code of Practice and Procedural Manual.

The manager of Bassetlaw CCTV is the Council’s Commercial Manager.

The Supervisor

The supervisor has a responsibility to ensure that at all times the system is operated in accordance with the policy and all procedural instructions relating to the system, and for bringing to the immediate attention of the manager any matter affecting the operation of the system, including any breach or suspected breach of the policy, procedural instructions, security of data or confidentially.

In the Managers absence, the Supervisor will have responsibility for:

  • Release of data to third parties who have legal right to copies (in cooperation with the Council’s Data Protection Team)
  • Control and security clearance of visitors
  • Security and storage of data
  • Security clearance of persons who request to view data
  • Release of new Media
  • Liaison with police and other agencies

The supervisor should ensure that at all times operators carry out their duties in an efficient and responsible manner, in accordance with the objectives of the scheme. This will include regular checks and audit trails to ensure that the documentation systems in place are working effectively.  These systems include:   

  • The media log
  • The media register
  • The operators log
  • The incident log
  • Witness statements
  • Faults and maintenance log
  • The security of data
  • Audit logs
  • Authorisation of visitors – to be checked & counter-signed by the Supervisor

The supervisor will ensure operators comply with Health and Safety Regulations. 

The Operators

The operators will be responsible for complying with the code of practice and procedural manual. They have a responsibility to respect the privacy of the individual, understand and comply with the objectives of the scheme. They are required to be proficient in the control and the use of the CCTV camera equipment, recording and playback facilities, media erasure, and maintenance of all logs.  The information recorded must be accurate, adequate and relevant to the purpose of the scheme. They should bring to the attention of the supervisor immediately any equipment defect that may occur.

In the Managers/Supervisors absence, the Operator will have responsibility for:

  • Release of data to third parties who have legal right to copies (in cooperation with the Council’s Data Protection Team)
  • Control and security clearance of visitors
  • Security and storage of data
  • Security clearance of persons who request to view data
  • Release of new Media
  • Liaison with police and other agencies

Contractor’s Responsibilities

There is a contractor responsible for the Maintenance of CCTV equipment. The response provided by contractors is subject of a written contract and records of responses are maintained.

Accountability

The manager/supervisor shall be accountable to the owner of the scheme and will provide periodic progress reports on the scheme. The manager/supervisor will resolve technical and operational matters.

Failure of the operators to comply with the procedures and code of practice should be dealt with by the manager/supervisor. Person(s) misusing the system will be subject to disciplinary or legal proceedings in accordance with the employer’s policy. 

Annual Assessment

An annual assessment of the scheme will be undertaken by an independent consultancy appointed by the owner to evaluate the effectiveness of the system. This will include annual reviews of the scheme’s operation, performance and working practices and, where appropriate make recommendations for improvements. The results will be assessed against the stated purposes of the scheme. If the scheme is not achieving its purpose modification and other options will be considered.

It is a recommendation of the Information Commissioner that the CCTV system should be reviewed annually to determine whether CCTV continues to be justified.

Audit

Regular independent random audits will check the operation of the scheme and the compliance with the code of practice.  It will consider the following:

  • The level of attainment of objectives and procedures
  • Random audits of the data log and release of information
  • The review policy
  • Standard costs for the release of viewing of material
  • The complaints process
  • Compliance with procedures

Complaints

A member of the public wishing to make a complaint about the system may do so through Bassetlaw District Council complaint procedure. Copies of the complaints process are available by writing to:

Office of the Chief Executive

Bassetlaw District Council

Queen’s Buildings

Potter Street

Worksop

S80 2AH

A complaints process has been documented. A record of the number of complaints or enquiries received will be maintained together with an outline of the action taken.

When a complaint is received, a written acknowledgement will be sent within five working days. A copy of the completed complaint form will also be sent, so the complainant can check that the details are correct.

An investigation will follow, and a written answer will be sent to the complainant within fifteen working days stating that:-

  • the investigation is complete giving details of any proposed action, or, the investigation has not been completed giving the reason why and a date when a full reply can be expected.

Should a complainant not be satisfied there is an appeals procedure and this is detailed in the full complaints process. 

A report on the numbers of complaints will be collated by the systems manager or designated member of staff in order to assess public reaction to, and opinion of, the use of the system. The annual report will contain details of the numbers of complaints received, the time taken to acknowledge and respond to complaints, the method of receiving and handling complaints and the degree of satisfaction in handling complaints.

Personnel

Security screening

Each operator will be fully SIA licensed (CCTV Public Space Surveillance Operations) and whereby an operator is in training, they will be monitored by a fully licensed operator.

Arrangement may be made for a police liaison officer to be present in the monitoring room at certain times, subject to locally agreed protocols.  Any such person must also be conversant with these Codes of Practice and associated Procedural Manual/Assignment Instructions.

Training

All operators are or will be trained to the criteria required by the private Security Industry Act 2001 and licensed by the Security Industry Authority for Public Space Surveillance systems.

All persons employed to act as operators of the system are trained to the highest available industry standard. Training has been completed by suitably qualified persons and has included:

  • Terms of employment
  • The use of all appropriate equipment
  • The operation of the systems in place
  • The management of recorded material including requirements for handling and storage of material needed for evidential purposes.
  • All relevant legal issues including Data Protection and Human Rights
  • Progression to nationally recognised qualifications
  • Recognise and understanding privacy and disclosure issues
  • The disciplinary policy

Contractor’s

There are special conditions imposed upon contractor’s carrying out works on the system. It should be noted that wherever possible contractors should not have sight of any recorded data.

Control room management and operation

Access to Control Room

Access to the monitoring area will be strictly controlled. Security of the Control Room shall be maintained at all times.

Only those persons with a legitimate purpose will be permitted access to the Control Room.    

The Manager or in his/her absence the Deputy, is authorised to determine who has access to the Control Room.  This will normally be:

  • Operating staff
  • The Manager/Supervisor
  • Council Data Protection Staff
  • Police officers requiring viewing images or collecting/returning media being considered for intelligence or evidential purposes. These visits will take place by prior appointment.
  • Engineers and cleaning staff (These people will receive supervision throughout their visit)
  • Independent Inspectors appointed under this Code of Practice may visit the control room without prior appointment.
  • Organised visits by authorised persons in controlled circumstances

All visitors to the Control Room, including Police Officers, will be required to sign a visitor’s log and a declaration of confidentiality. 

Response to an incident

The Procedural Manual details:

  • What action should be taken           
  • Who should respond
  • The time scale for response
  • The times at which the observation should take place

A record of all incidents will be maintained in the incident log. Information will include anything of note that may be useful for investigative or evidential purposes.  

Who makes the response and the time scale

Incidents of a criminal nature will be reported to the Nottinghamshire Police. The response will be made by the Police Service in accordance with their policies.

Observation and recording of incidents

Recording will be throughout the 24-hour period in both real time and time-lapse later mode. Wherever possible the system will be monitored 24 hours a day. In the event of an incident being identified there will be particular concentration on the scene and the operator will activate real time recording.

A successful response

The criteria for measuring a successful response are:

  • A good observational record of the incident
  • A short time scale for response to the incident
  • Identification of a suspect
  • The prevention or minimisation of injury or damage
  • Reduction of crime and disorder
  • Improving public safety
  • Restoration of tranquillity

Operation of the System by the Police

  1. Under extreme circumstances, the Police may make a request to assume control of the CCTV System to which this Code of Practice applies. Only requests made on the written authority of a police officer not below the rank of Inspector will be considered. Any such request will only be accommodated on the personal written authority of the most senior representative available of the System owners, (or designated deputy of equal standing). The written request may be submitted via the secure email account to the Council’s Control Room. 
  2. In the event of such a request being permitted, the control room will continue to be staffed, and equipment operated by, only those personnel who are authorised to do so and who fall within the terms of Sections Six and Seven of this Code.
  3. In extreme circumstances, a request may be made for the Police to take total control of the System in its entirety, including the staffing of the control room and personal control of all associated equipment; to the exclusion of all representatives of the System owners. Any such request will only be considered personally by the most senior officer of the System owners (or designated deputy of equal standing). A request for total exclusive control must be made in writing by a police officer not below the rank of Assistant Chief Constable.

Privacy and disclosure issues

Privacy 

Cameras should not be used to infringe the individual’s rights of privacy. The cameras generally are sited where they will not be capable of viewing any residential properties. If it is found there is a possibility that cameras would intrude in private areas, privacy zones would be programmed into the cameras where possible and/or CCTV operators trained to recognise privacy issues. 

Disclosure Policy

The following principles must be adhered to:

  1. All employees will be aware of the restrictions set out in this Code of Practice in relation to access to, and disclosure of, recorded images.
  2. Images not required for the purposes of the scheme will not be retained longer than necessary. However, on occasions it may be necessary to retain images for longer period, where a law enforcement body is investigating a crime to give them the opportunity to view the images as part of an active investigation.
  3. The Data Controller will only disclose to third parties who intend processing the data for purposes which are deemed compatible with the objectives of the CCTV scheme.
  4. Monitors displaying images from areas in which individuals would have an expectation of privacy will not be viewed by anyone other than authorised employees of the user of the equipment.
  5. Recorded material will only be used for the purposes defined in the objectives and policy.
  6. Access to recorded material will be in accordance with policy and procedures.
  7. Information will not be disclosed for commercial purposes and entertainment purposes.
  8. All access to the medium on which the images are recorded will be documented.
  9. Access to recorded images will be restricted to those staff who need to have access in order to achieve the purpose(s) of using the equipment.
  10. Viewing of the recorded images should take place in a restricted area.

Before data is viewed by a third party the Council’s Data Protection Manager should be satisfied that data is:

  1. The subject of a complaint or dispute that is unanswered
  2. The original data and the audit trail is maintained throughout
  3. Not part of a current criminal investigation by the Police, or likely to be so
  4. Not part of a civil proceeding or likely to be so
  5. Not removed or copied without proper authority
  6. The image obtained is aimed at identifying individuals or information relating to an individual.

Access to recorded images

Access to recorded images will be restricted to Directors, Head of Service and the Data Protection team who will decide whether to allow requests for access by third parties in accordance with the disclosure policy.  

Viewing recorded images

Where possible, the viewing of recorded images should take place in a restricted area. Other employees should not be allowed to have access to that area when viewing is taking place.

Operators

All operators are trained in their responsibilities in relation to access to privacy and disclosure issues, in addition to being licensed as previously mentioned.  

Removal of medium for Viewing

The removal of medium on which images are recorded, for viewing purposes, will be documented in accordance with the Data Protection Act 2018 and the procedural manual.

Access to data by third parties

Access to images by third parties will only be allowed in limited and prescribed circumstances. In the case of Bassetlaw CCTV scheme, disclosure will be limited to the following:- 

  1. law enforcement agencies where the images recorded would assist in a specific criminal enquiry
  2. prosecution agencies
  3. legal representatives
  4. the media, where it is assessed by the Police that the public’s assistance is needed in order to assist in the identification of victim, witness or perpetrator in relation to a criminal incident. As part of that assessment the wishes of the victim of an incident should be taken into account.
  5. The people whose images have been recorded and retained (Data Subject) unless disclosure to an individual would prejudice the criminal enquiries or criminal proceedings.

All requests for access or for disclosure will be recorded. If access or disclosure is denied, the reason should be documented.

If access to or disclosure of the images is allowed, details will be documented.

Recorded images should not in normal circumstances be made more widely available, for example, they should not be routinely made available to the media or placed on the internet.

If it is intended that the images will be made more widely available, that decision should be made by the Data Protection Manager or designated member of staff and the reason documented.

The owner should not unduly obstruct a bone fide third party investigation to verify the existence of relevant data.

The owner should not destroy data that is relevant to previous or pending search request which may become the subject of a subpoena.

The owner should decide which other agencies, if any, should have access to data and it should be viewed live or recorded, but a copy should never be made or released.

Disclosure in the public interest

Requests to view personal data that do not fall within the above categories, but that may be in the public interest should be considered. Examples may include public health issues, community safety or circumstances leading to the prevention or detection of crime.

Material may be used for bona fide training such as Police or staff training.

Data subject access disclosure 

All staff involved in operating the equipment must be able to recognise a request for access to recorded images by data subjects and be aware of individual’s rights under this section of the Code of Practice.

Individuals whose images are recorded have a right to view the images of themselves and, unless they agree otherwise, to be provided with a copy of the images. This must be provided within 30 calendar days of receiving a request.

Subject access rights are governed by the Data Protection Act 2018 and include the following provisions:

  1. a person gives sufficient and accurate information about a date, time and place
  2. Information required as to the identification of the person making the request.
  3. the Data Controller only shows information relevant to the search

If a copy is requested, it will be necessary to ascertain whether the images obtained are aimed at learning about the Data Subjects activities. If this is not the case and there has been no captured images of identifiable individuals or information relating to individuals then this may not fall within the Data Protection Act 2018 and access may be denied. Any refusal should be documented

If on the other hand images have been obtained and CCTV used to focus on the activities of particular people either by directing cameras at an individual’s activities, looking out for particular individuals or examining recorded CCTV images to find things out about the people in them such as identifying a criminal or a witness or assessing how an employee is performing. These activities will still be covered by the DPA and reference should be made to Section 8.2.2 of these Codes of Practice prior to the release of such data.

If images of third parties are also shown with the images of the person who has made the access request, consideration will be given whether there is a need to obscure the images of third parties. If providing these images would involve an unfair intrusion into the privacy of the third party, or cause unwarranted harm or distress, then they should be obscured. In many cases, images can be disclosed, as there will not be such intrusion.

The subject access request will be dealt with promptly and in any case within 30 days of receipt of the request or within 30 days of receiving all the information required. 

All subject access requests should be dealt with by the Council’s Data Protection Manager or designated member of staff.

A search request should provide sufficient information to locate the data requested (e.g. within 30 minutes for a given date and place). If insufficient information is provided a data controller may refuse a request until sufficient information is provided. 

Under certain circumstances (Data Protection Act 2018) the manager or designated member of staff can decide that a subject access request is not to be complied with. In such cases the refusal will be documented.  

Provision of data to the individual

The owner/manager having verified the validity of a request should provide requested material to the individual. Where a decision has been made that third parties should not be identifiable, then arrangements will be made to disguise or blur the images in question. It may be necessary to contract this work out to another organisation. Where this occurs, there will be a written contract with the processor which specifies exactly how the information is to be used and the provision of explicit security guarantees. The procedure outlined in Bassetlaw CCTV Procedural Manual will be followed.

If the individual agrees, it may be possible to provide subject access by viewing only.  If this is the case:

  • Viewing should take place in a controlled environment
  • Material not relevant to the request should be masked or edited out

Other rights 

All staff involved in operating the equipment must be able to recognise a request from an individual to prevent processing likely to cause substantial and unwarranted damage to that individual.

In relation to a request to prevent processing likely to cause substantial and unwarranted damage, the manager or designated member of staff’s response should indicate whether he or she will comply with the request or not.

The member or designated member of staff must provide a written response to the individual within 30 days of receiving the request setting out their decision on the request.

If the manager or designated member of staff decide that the request will not be complied with, they must set out their reasons in the response to the individual.

A copy of the request and response will be retained.

Media disclosure

Disclosure of images from the CCTV system must be controlled and consistent with the purpose for which the system was established. For example, if the system is established to help prevent and detect crime it will be appropriate to disclose images to law enforcement agencies where a crime needs to be investigated, but it would not be appropriate to disclose images of identifiable individuals to the media for entertainment purposes or place them on the internet. Images can be released to the media for identification purposes; this will not generally be done by anyone other than a law enforcement agency.

Recorded material management

Retention of images

Images, which are not required for the purpose(s) for which the equipment is being used will not be retained for longer than is necessary. As mentioned previously, on occasions images may need to be retained for longer periods as a requirement of an investigation into crime. While images are retained access to and security of the images will be controlled in accordance with the requirements of the Data Protection Act 2018.

Recorded material should be of high quality. In order for recorded material to be admissible in evidence, total integrity and continuity must be maintained at all times.

Security measures will be taken to prevent unauthorised access to, alteration, disclosure, destruction, accidental loss or destruction of recorded material.

Recorded material will not be released to organisations outside the ownership of the system other than for training purposes or under the guidelines referred to previously.  

Images retained for evidential purposes will be retained in a secure place where access is controlled.

Quality and Maintenance

In order to ensure that clear images are recorded at all times the equipment for making recordings and any associated security equipment will be maintained in good working order with regular servicing in accordance with the manufacturer’s instructions.  In the event of a malfunction, the equipment will be repaired within specific time scales which will be scheduled within the maintenance agreement. All documentation relating to the equipment and its servicing and malfunction is retained in the control room and will be available for inspection and audit. 

Digital Recordings

In a digital CCTV system, where possible, the register should show the life of the recorded media at all stages whilst in the owner’s possession. Such a register may also show itself to be useful in enabling evaluation of the CCTV scheme.

The register should include the following:

  1. unique equipment reference number(s);
  2. time/date/person removing medium from secure storage for use;
  3. time/date/person returning medium to secure storage after use;
  4. remarks column to cover additional points (e.g., erase/destroy/handed over to law enforcement agencies/removed from recording machine);
  5. time and date of delivery to the law enforcement agencies, identifying the law enforcement agency officer concerned;
  6. in the event of a non-automated system of erasure of data, the time/date/person responsible for erasure and/or destruction;
  7. details of all reviews of images, including persons present and results.

Making Recordings

Details of the recording procedures are given in the Procedural Manual.

Recording mediums containing original incidents should not be replayed, unless absolutely essential to avoid any accident, damage or erasure. If recorded images need to be reviewed the reasons and details of those present will be logged, and the medium returned to secure storage, if appropriate.

Video Prints

Video prints will only be made when absolutely necessary. Video Prints requested by police must be on written authority of an officer of the rank of Inspector or above. All video prints will remain the property of the scheme owner and those not handed to the police will be retained in a secure cabinet until destruction is authorised. The taking of video prints will be recorded in a register to be retained in the control room. 

Documentation

Logbooks must be sequential in order that pages or entries cannot be removed and full and accurate records kept.

Logs

An accurate log of operator working times will be maintained. Each operator will maintain a log of any event or occurrence.

Administrative documents

The following shall be maintained:

  • video/digital tracking register
  • occurrence/incident Book
  • visitors register
  • maintenance of equipment, whether routine or breakdown
  • staff signing on and off duty video print log
  • list of installed equipment

Directed surveillance

RIPA

There will be occasions when the Police need to, or plan to observe people, vehicles, premises or people entering and leaving premises as part of an investigation. The Human Rights Act 1998 aims to protect the individual’s right to privacy. The RIPA Act 2000 (Regulation of Investigatory Powers Act) has been introduced to enable the Police to incorporate legislation and to formalise surveillance procedures in line with provisions of the Human Rights Act. 

Surveillance

When assisting the Police, there are two categories of surveillance:

  1. Directed surveillance - surveillance undertaken for a specific investigation or operation, in a manner likely to obtain private information.
  2. Intrusive surveillance - surveillance-taking place in or into private premises or a private vehicle, in a manner intended to obtain private information.

It is very unlikely that as an overt CCTV system, we would be asked to assist with an intrusive surveillance.

An agreed protocol incorporating the use of RIPA where required is provided (agreed by the Police and Bassetlaw District Council) to cover the use of the camera system by the Police for targeted or specific investigations and operations, (The Protocol is maintained within the CCTV Control Room).

Directed surveillances must be authorised, and managed in accordance with the agreed protocol. The Director of Regeneration and Neighbourhoods or his/her nominated Officer, will be informed of every authorised surveillance that is to be carried out which involves the use of cameras managed by Bassetlaw District Council.  He/she will ensure that authorisation and the following of agreed protocol has been made before permission is given for such surveillance to commence.

An intrusive surveillance must be authorised in writing, by a Chief Constable.

It is the responsibility of the authorising Officer to review the ongoing surveillance activities and cancel when appropriate. Such cancellation must be informed to the CCTV operator. The Police will maintain overall responsibility for the surveillance.

A Police Officer will normally be present in the Control Room throughout the duration of the directed/intrusive surveillance and may operate the camera or direct the CCTV Operator with the agreement of the Director of Regeneration and Neighbourhoods or his/her deputy.

Upon commencement of any Police surveillance, details, including the attending Officer, authorising Officer, location, reasons for the surveillance, dates and times and the unique surveillance number, will be entered onto the CCTV Operators log sheet, prior to the commencement of the surveillance.

The use of CCTV systems are not normally regulated by the Act (RIPA). This is because members of the public are aware that these systems are in existence and are there for their own protection and to assist in preventing and detecting crimes. However where specific targeted operations are undertaken RIPA will apply.

Directed and Intrusive surveillances will also be authorised by designated Officers within Bassetlaw District Council managed operations. Directed surveillance's can be authorised by a Head of Service and above. Intrusive surveillance will only be authorised by a Chief Executive Officer.

Elected Members are not authorised to instruct any surveillance procedures and they must refer their requests through to the designated Officers within the Council.

No surveillance, whether directed or intrusive, Police or Bassetlaw District Council led, will be carried out without first informing the Director of Regeneration and Neighbourhoods in order to allow CCTV to assist them.

When a RIPA is authorised all the CCTV data gathered from the authorised Investigation must be kept by the requester for a minimum of 5 years including non-evidential footage. The requesting authority will therefore need to supply a corresponding number of digital storage hard drives at 1 TB per day of authorised use (whole system) or state the actual cameras to be used on the RIPA authority so that a lesser amount of storage is required.

The Nottinghamshire Police contact point for information and advice on RIPA is the Covert Authority Bureau (CAB) via the Police main switchboard. The CAB will authorise all Police RIPA activity via CCTV and confirm the validity of each by e-mail. 

Redeployable CCTV

Guiding principles

For the purposes of this Code ‘Re-deployable CCTV’ means any CCTV equipment, which is not permanently fixed in position, including Moveable Street mounted cameras and fly-tipping systems.

Introduction

The purpose of this section is to ensure that systems such as mobile CCTV vehicles or deployable static cameras (temporarily fixed in position) operate in a way that is compliant with all legal requirements.  It is essential that evidence obtained using such equipment is acceptable and admissible by the courts. These systems being relatively new may initially provide the opportunity for legal challenge when used to gather evidence towards a possible conviction. The intention of this section is to ensure that wherever possible opportunities to challenge the use of mobile equipment in the courts are minimised.

Deployment

Regardless of whether the cameras are positioned for a very short time (in a stationary vehicle) or whether they are fixed for longer periods, such as those temporarily attached to street furniture, consideration must be given to the restrictions placed by the General Data Protection Regulation/Data Protection Act 2018 and possible infringements of Human Rights, in particular Article 8 - the right to private life.  

Initial sighting assessment procedures

  1. The Data Protection Act 2018 requires that an Initial Assessment be carried out by the organisation legally responsible for the system before CCTV systems are deployed. In this case, the person or organisation legally responsible for the system would be the Local Authority. There will also be joint Data Controllers, with responsibilities as managers devolved to the appropriate Liaison Officer/CCTV manager from each organisation. The decision to deploy the cameras must be based on Crime Patterns and or Criminal Intelligence, both of which should have supporting data.
  2. The appropriateness for the sitting and deployment of mobile/transportable CCTV equipment must be supported by written crime patterns analysis and/or reference to criminal intelligence logs. Reference to this must be made in writing on the CCTV Deployment Log, together with the purpose of the installation / deployment which will be one of the following:
    1. Prevention, investigation and /or detection of crime
    2. Apprehension and /or prosecution of offenders
    3. Public and employee safety
    4. Staff discipline
    5. Traffic flow monitoring (only needed if processing personal data) 2018
  3. Covert operations will however be undertaken for fly tipping in accordance with Human Rights and the General Data Protection Regulation/Data Protection Act 2018.

Sighting cameras

The sighting of cameras, especially where cameras could potentially intrude into domestic areas such as gardens will normally require consultation with those affected.  If this is not possible, for instance, when doing so would prevent the purpose of the deployment becoming ineffectual, then this should be recorded.  Where cameras invade private space, electronic restrictions should be applied if possible, and in any case, operators must be made aware of their responsibilities under the General Data Protection Regulation/Data Protection Act 2018 and Human Rights Act (see also training requirements).

Signage

The requirement for signage of CCTV schemes is covered under the Surveillance Cameras Code of Practice. Clearly providing appropriate signs with such portable systems will have its difficulties. Vehicles must be sign written with the appropriate information as defined in the Surveillance Cameras Code of Practice. In the case of transportable systems, temporary signs (worded appropriately) should be positioned/erected on the approach to the areas where the cameras have been temporarily installed. These must be removed at the same time as the cameras are removed. Signs erected for periods any length of time may require planning permission. Signage would not apply for covert operations.

Staffing

The staffing of mobile units varies in differing parts of the Country. In the main these systems are operated either by Local Authority staff (contract or otherwise) or Police staff. 

Training

In all cases, selection of the staff used to operate such equipment should follow the same requirements for the selection, recruitment and training of CCTV Operators. They must also receive specific training in respect of Human Rights, Data Protection, Regulation of Investigatory Powers Act, Freedom of Information Act and Police & Criminal Evidence Act in the context of the use of CCTV equipment. 

Appendix A

Key personnel and responsibilities

Bassetlaw District Council

Tel: 01909 533 533

Responsibilities

Bassetlaw District council is the ‘owner’ of the system.  The nominee will be the single point of reference on behalf of the owners.  Their role will include a responsibility to.

  1. Ensure the provision and maintenance of all equipment forming part of the Bassetlaw CCTV System in accordance with contractual arrangements that the owners may from time to time enter into.
  2. Maintain close liaison with the system manager.
  3. Ensure the interests of Bassetlaw District Council and other organisations are upheld in accordance with the terms of this Code of Practice.
  4. In partnership with the system manager, agree to any proposed alterations and additions to the system, this Code of Practice and/or the Procedural Manual.

Director of Regeneration and Neighbourhoods, Bassetlaw District Council

Tel: 01909 533 533

Responsibilities

Bassetlaw District Council is the ‘manager and the data controller’ of the system. The nominee, The Director of Regeneration and Neighbourhoods will be the single point of reference on behalf of the managers.  In relation to day-to-day operational issues, or in the absence of the Director of Regeneration and Neighbourhoods, the Council’s Commercial Manager will act as the alternative point of contact His/her role will include a responsibility to:

  1. Maintain day to day management of the system and staff;
  2. Accept overall responsibility for the system and for ensuring that this Code of Practice is complied with;
  3. Maintain direct liaison with the owners of the system.

Appendix B

Extracts from the General Data Protection Regulation and Data Protection Act 2018

General Data Protection Regulation - Article 15

Right of Access by the data subject

  1. The data subject shall have the right to obtain from the controller confirmation whether personal data concerning him or her is being processed, and where this is the case, access to the personal data and the following information:
    1. The purpose of processing.
    2. The categories of personal data concerned.
    3. The recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations.
    4. The envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
    5. The existence of the right to request from the controller the rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing.
    6. The right to lodge a complaint with a supervisory authority.
    7. Where the personal data is not collected from the data subject, any available information as to their source.
    8. The existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4).
  2. Where personal data is transferred to a third country or to an international organisation, the data subject shall have the right to be information of the appropriate safeguards pursuant to Article 46 relating to the transfer.
  3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
  4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Data Protection Act 2018 – Part 3, Chapter 3

Right of Access by the data subject 

  1. A data subject is entitled to obtain from the controller:
    1. Confirmation whether personal data concerning him or her is being processed, and
    2. Where that is the case, access to the personal data and the information set out in subsection (2).
  2. That information is:
    1. The purposes of and legal basis for the processing;
    2. The categories of personal data concerned;
    3. The recipients or categories of recipients to whom the personal data has been disclosed (including recipients or categories of recipients in third countries or international organisations);
    4. The period for which it is envisaged that the personal data will be stored or, where that is not possible, the criteria used to determine that period;
    5. The existence of the data subject’s rights to request from the controller:
    6. Rectification of personal data (see section 46), and
    7. Erasure of personal data or the restriction of its processing (see section 47);
    8. The existence of the data subject’s right to lodge a complaint with the Commissioner and the contact details of the Commissioner;
    9. Communication of the personal data undergoing processing and of any available information as to its origin.
  3. Where a data subject makes a request under subsection (1), the information to which the data subject is entitled must be provided in writing:
    1. Without undue delay, and
    2. In any event, before the end of the applicable time period (as to which see section 54).
  4. The controller may restrict, wholly or partly, the rights conferred by subsection (1) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to:
    1. Avoid obstructing an official or legal enquiry, investigation or procedure;
    2. Avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
    3. Protect public security;
    4. Protect national security;
    5. Protect the rights and freedoms of others.
  5. Where the rights of a data subject under subsection (1) are restricted, wholly or partly, the controller must inform the data subject in writing without undue delay:
    1. That the rights of the data subject have been restricted,
    2. Of the reasons for the restriction,
    3. Of the data subject’s right to make a request to the Commissioner under section 51,
    4. Of the data subject’s right to lodge a complaint with the Commissioner, and
    5. Of the data subject’s right to apply to a court under section 167.
  6. Subsection (5) (a) and (b) do not apply to the extent that the provision of the information would undermine the purpose of the restriction.
  7. The controller must:
    1. Record the reasons for a decision to restrict (whether wholly or partly) the rights of a data subject under subsection (1), and
    2. If requested to do so by the Commissioner, make the record available to the Commissioner.

Appendix C

National Standard for the release of data to third parties

General Policy

  1. It is strongly recommended that local procedures should be put in place to ensure a standard approach to all requests for the release of data. It is recommended that every request be channelled through the Data Protection Manager.

Primary request to view data 

  1. Primary requests to view data generated by a CCTV System are likely to be made by third parties for anyone or more of the following purposes:
    1. Providing evidence in criminal proceedings (e.g. Police and Criminal Evidence Act 1984, Criminal Procedures & Investigations Act 1996 etc)
    2. Providing evidence in civil proceedings or tribunals
    3. The prevention of crime
    4. The investigation and detection of crime (may include identification of offenders)
    5. Identification of witnesses
  2. Third parties, which should be required to show adequate grounds for disclosure of data within the above criteria, may include, but are not limited to:
    1. Police (1)
    2. Statutory authorities with powers to prosecute, (e.g. Customs and Excise; Trading Standards, etc.)
    3. Solicitors (2)
    4. Plaintiffs in civil proceedings(3)
    5. Accused persons or defendants in criminal proceedings (3)
    6. Other agencies, (which should be specified in the Code of Practice) according to purpose and legal status (4).
  3. Upon receipt from a third party of a bona fide request for the release of data, the scheme owner (or representative) should:
    1. Not unduly, obstruct a third party investigation to verify the existence of relevant data.
    2. Ensure the retention of data which may be relevant to a request, but which may be pending application for, or the issue of, a court order or subpoena, (it may be appropriate to impose a time limit on such retention, which should be notified at the time of the request).
  4. In circumstances outlined at note (3) below, (requests by plaintiffs, accused persons or defendants) the owner, (or nominated representative) should:
    1. Be satisfied that there is no connection with any existing data held by the police in connection with the same investigation.
    2. Treat all such enquiries with strict confidentiality.

Notes:

  1. There may be occasions when an enquiry by a plaintiff, an accused person, a defendant or a defence solicitor falls outside the terms of disclosure or subject access legislation. An example could be the investigation of an alibi. Such an enquiry may not form part of a prosecution investigation. Defence enquiries could also arise in a case where there appeared to be no recorded evidence in a prosecution investigation.
  2. The release of data to the police may not be restricted to the civil police but could include, (for example) British Transport Police, Ministry of Defence Police, Military Police, etc. (It may be appropriate to put in place special arrangements in response to local requirements).
  3. Aside from criminal investigations, data may be of evidential value in respect of civil proceedings or tribunals. In such cases a solicitor, or authorised representative of the tribunal, should be required to give relevant information in writing prior to a search being granted. In the event of a search resulting in a requirement being made for the release of data, such release will only be facilitated on the instructions of a court order or subpoena. (It may be considered appropriate to make a charge for this service. In all circumstances, data will only be released for lawful and proper purposes).
  4. The scheme owner should decide which (if any) "other agencies" might be permitted access to data. Having identified those ‘other agencies’, such access to data will only be permitted in compliance with this Standard.

Secondary request to view data

  1. A ‘secondary’ request for access to data may be defined as any request being made which does not fall into the category of a primary request. Before complying with a secondary request, the scheme owner should ensure that:
    1. The request does not contravene, and that compliance with the request would not breach, current relevant legislation, (e.g. Data Protection, Human Rights Act, section 163 Criminal Justice and Public Order Act 1994, etc.);
    2. Any legislative requirements have been complied with, (e.g. the requirements of the Data Protection Act);
    3. Due regard has been taken of any known case law (current or past) which may be relevant, (e.g. R v Brentwood BC ex p. Peck see page 28) and
    4. The request would pass a test of ‘disclosure in the public interest’ (1).
  2. If, in compliance with a secondary request to view data, a decision is taken to release material to a third party, the following safeguards should be put in place before surrendering the material:
    1. In respect of material to be released under the auspices of ‘crime prevention’, written agreement to the release of the material should be obtained from a police officer, not below the rank of Inspector. The officer should have personal knowledge of the circumstances of the crime/s to be prevented and an understanding of the CCTV System Code of Practice (2).
    2. If the material is to be released under the auspices of ‘public well-being, health or safety’, written agreement to the release of material should be obtained from a senior officer within the Local Authority. The officer should have personal knowledge of the potential benefit to be derived from releasing the material and an understanding of the CCTV System Code of Practice.
  3. Recorded material may be used for bona fide training purposes such as police or staff training. Under no circumstances will recorded material be released for commercial sale of material for training or entertainment purposes.

Notes:

  1. ‘Disclosure in the public interest’ could include the disclosure of personal data that: 
    1. Provides specific information which would be of value or of interest to the public well being
    2. Identifies a public health or safety issue
    3. Leads to the prevention of crime
  2. The disclosure of personal data that is the subject of a ‘live’ criminal investigation would always come under the terms of a primary request, (see III above).

Individual Subject Access under Data Protection legislation 

  1. Under the terms of Data Protection legislation, individual access to personal data, of which that individual is the data subject, must be permitted providing:
    1. The request is made either in writing or verbally;
    2. The Data Controller is supplied with sufficient information to satisfy themselves as to the identity of the person making the request;
    3. The person making the request provides sufficient and accurate information about the time, date and place to enable the data controller to locate the information, which that person seeks, (it is recognised that a person making a request is unlikely to know the precise time. Under those circumstances it is suggested that within one hour of accuracy would be a reasonable requirement);
    4. The person making the request is only shown information relevant to that particular search and which contains personal data of themselves only, unless all other individuals who may be identified from the same information have consented to the disclosure;
  2. In the event of the scheme owner complying with a request to supply a copy of the data to the subject, only data pertaining to the individual should be copied, (all other personal data that may facilitate the identification of any other person should be concealed or erased). Under these circumstances an additional fee may be payable.
  3. The owner is entitled to refuse an individual request to view data under these provisions if insufficient or inaccurate information is provided, (however every effort should be made to comply with subject access procedures and each request should be treated on its own merit).
  4. In addition to the principles contained within the Data Protection legislation, the data controller should be satisfied that the data is:
    1. Not currently and, as far as can be reasonably ascertained, not likely to become, part of a ‘live’ criminal investigation;
    2. Not currently and, as far as can be reasonably ascertained, not likely to become, relevant to civil proceedings;
    3. Not the subject of a complaint or dispute which has not been actioned;
    4. The original data and that the audit trail has been maintained;
    5. Not removed or copied without proper authority;
    6. For individual disclosure only (i.e. to be disclosed to a named subject)

Process of Disclosure:

  1. Verify the accuracy of the request;
  2. Replay the data to the requester only, (or responsible person acting on behalf of the person making the request);
  3. The viewing should take place in a separate room and not in the control or monitoring area. Only data that is specific to the search request should be shown.
  4. It must not be possible to identify any other individual from the information being shown, (any such information must be blanked-out, either by means of electronic screening or manual editing on the monitor screen [1]).
  5. If a copy of the material is requested and there is no on-site means of editing out other personal data, then the material should be sent to an editing house for processing prior to being sent to the requester. 

Note:

  1. The scheme owner is likely to breach Data Protection legislation if a person making a subject access request is able to identify any other individual from the information being disclosed. However, a television image is two-dimensional and the majority of CCTV schemes do not have immediate access to the necessary technology to blank out or remove ‘other data’. It is recommended that the advice of the Information Commissioners Office is sought in respect of any method which it is proposed should be adopted.

Media disclosure

  1. In the event of a request from the media for access to recorded material, the procedures outlined under ‘secondary request to view data’ should be followed. If material is to be released the following, procedures should be adopted:
    1. The release of the material must be accompanied by a signed release document that clearly states what the data will be used for and sets out the limits on its use.
    2. The release form should state that the receiver must process the data in a manner prescribed by the data controller, e.g. specify identities/data that must not be revealed.
    3. It may also require that proof of editing must be passed back to the data controller, either for approval or final consent, prior to its intended use by the media (protecting the position of the data controller who would be responsible for any infringement of Data Protection legislation and the System’s Code of Practice);
    4. The release form should be considered a contract and signed by both parties (1).

Notes:

  1. In the well-publicised case of R v Brentwood Borough Council, ex parte Geoffrey Dennis Peck, (QBD November 1997), the judge concluded that by releasing the video footage, the Council had not acted unlawfully. A verbal assurance that the broadcasters would mask the identity of the individual had been obtained. Despite further attempts by the Council to ensure the identity would not be revealed, the television company did in fact broadcast footage during which the identity of Peck was not concealed. The judge concluded that tighter guidelines should be considered to avoid accidental broadcast in the future. 

Principles

In developing this national standard for the release of data to third parties, it is intended, as far as reasonably practicable, to safeguard the individual’s rights to privacy and to give effect to the following principles:

  1. Recorded material should be processed lawfully and fairly and used only for the purposes defined in the Code of Practice for the CCTV scheme:
    1. Access to recorded material should only take place in accordance with this Standard and the Code of Practice;
    2. The release or disclosure of data for commercial or entertainment purposes should be specifically prohibited.

Appendix D

Example of Restricted Access Notice

Warning

Access to this area is restricted

Everyone, regardless of status, entering this area is required to complete an entry in the visitor’s log.

Visitors are advised to note the following confidentiality clause and entry is conditional on acceptance of that clause.

Confidentiality clause:

In signing this document all visitors to the Bassetlaw District Council CCTV Control Room acknowledge that the precise location of this CCTV Centre and personal details of those operating the system, is, and should remain, confidential. Authorised visitors, other than Police Officers, further agree not to divulge any information obtained, overheard or overseen during their visit.

An entry accompanied by your signature in the visitors log is your acceptance of these terms.

Thank you

Updated May 2020


Last Updated on Thursday, February 29, 2024