Guidance issued 24 February 2022 – available here
Who does the guidance apply to?
The guidance is aimed at organisations in the public and private sectors who use surveillance systems. It does not apply to:
- domestic surveillance systems or individuals recording footage in a purely personal or household context;
- the use of conventional cameras by the news media or for artistic purposes;
- “competent authorities” using surveillance systems for criminal law enforcement purposes;
- convert surveillance activities by public authorities governed by the Regulation of Investigatory Powers Act 200; and / or
- processing by intelligence services under Part 4 of the DPA 2018.
When does the Surveillance Camera Code of Practice apply?
The Protection of Freedoms Act 2012 (PoFA) led to the introduction of the Surveillance Camera Code of Practice (SC Code) and the appointment of a Surveillance Camera Commissioner to encourage compliance with the SC Code.
Under the PoFA “relevant authorities” are required to take the 12 guiding principles of the SC Code into account. “Relevant authorities” include the police, crime commissioners, local authorities and the national crime agency. All other controllers and operators are encouraged to follow the SC Code and related templates and toolkits as a matter of good practice.
What is a surveillance system?
s29(6) of PoFA states that “surveillance camera systems” means:
- closed circuit television or automatic number plate recognition systems;
- any other systems for recording or viewing visual images for surveillance purposes;
- any systems for storing, receiving, transmitting, processing or checking images or information obtained by systems falling within the above; or
- any other systems associated with, or otherwise connected with, systems falling within the above.
What are an organisation’s responsibilities when it comes to the use of surveillance systems?
Under Article 24(1) of the UK GDPR, organisations must implement appropriate technical and organisational measures to ensure, and demonstrate, compliance with the UK GDPR, which measures must be risk-based and proportionate, and reviewed and updated as necessary. In practice, this means that organisations must:
- identify an appropriate basis for processing and justify that processing as necessary and proportionate;
- maintain a record of the processing activities taking place; and
- undertake a DPIA for any processing likely to result in a high risk to individuals (which includes processing special category data, monitoring publicly accessible places on a large scale or monitoring individuals at a workplace).
Adopting a “data protection by design and default” approach will assist with the above. This concept has a broad application, and is particularly important for new or novel use of more intrusive surveillance systems such as automated number plate recognition, body worn video cameras and facial recognition technology. Prior to purchasing any surveillance system, organisations should make decisions based on their ability to provide a data protection compliant solution. For example, organisations should establish criteria for procuring systems and the decisions for their deployment and configuration. The Biometrics and Surveillance Camera Commissioner’s Buyers’ Toolkit will be useful in this regard.
It is important that organisations establish who exercises overall control of the personal data being processed (eg what is being recorded, how it will be used and who it may be disclosed to).
How should organisations approach DPIAs in this context?
The DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess the necessity, proportionality and compliance measures in place;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
To do this, organisations should:
- examine the problem the surveillance system is supposed to address and assess whether or not the system will address this problem;
- consider the privacy issues involved with using a new surveillance system, such as lawfulness and transparency, and assess whether the use is necessary and proportionate; and
- consider whether there are any less privacy intrusive methods of achieving the same aim, and explain why these alternatives are not suitable or sustainable.
Here is a link to the ICO’s DPIA template and associated guidance note for surveillance systems.
What other documents do organisations need in place?
The UK GDPR and DPA 2018 outline the legal requirement for an appropriate policy document to be in place when processing special category and criminal offence data.
What is the lawful basis for processing?
Article 6. In practice, it is often difficult to obtain genuine consent from individuals for processing their personal data in public spaces. Therefore it is likely the appropriate lawful basis will be legitimate interests. A legitimate interests assessment can help demonstrate the lawfulness of the processing and will feed naturally into the DPIA.
Article 9. If the systems will collect special category data (eg biometric data through the use of facial recognition systems) then organisations will also need an Article 9 UK GDPR condition for the processing.
How long should organisations store surveillance footage?
The UK GDPR and DPA 2018 do not prescribe any specific minimum or maximum retention periods which apply to surveillance systems or the information processed as a result of the use of such systems. However, retention periods shouldn’t be determined simply by the storage capacity of any surveillance system.
Can organisation use surveillance systems to record audio?
The ICO has advised that organisations should not normally use surveillance systems to directly record conversations between members of the public. The use of audio recording will require a much greater justification.
Audio recording should be switched off by default – only to be used in exceptional circumstances. Organisations should only use audio recordings when they have:
- identified a particular need or issue and can evidence that this must be addressed by audio recording;
- considered other less privacy intrusive methods of achieving this; and
- concluded that these other methods will not appropriately address the identified issue and the only way to do so is through the use of audio recording.
If audio recording is being used, additional steps must be taken to make it clear to individuals that they are being recorded.
What about using surveillance systems in the workplace?
- consult with their work force (eg staff and / or trade unions) especially during the DPIA process;
- ensure that there are adequate notices, or other means, to clearly inform employees about the nature and extent of surveillance and its purpose(s);
- ensure that others (eg visitors or customers) who may inadvertently be caught by monitoring, are aware of the operation of surveillance systems and why they are being used;
- target any video or audio monitoring at areas of particular risk and confine to areas where expectations of privacy are low;
- be aware that continuous video or audio monitoring of particular individuals is only likely to be justified in the rarest of circumstances, and may involve other legal requirements outside data protection law for targeted monitoring; and
- respect the individual rights of staff and provide a mechanism for staff to raise complaints or concerns.
Does the UK GDPR and DPA 2018 apply to live streaming surveillance footage?
The definition of processing is broad and isn’t limited to simply holding the data. Collecting or viewing data in real time on screen also qualifies as processing. This means that even if the images aren’t stored, but are simply viewed “live”, it still constitutes processing.
How should data collected from surveillance systems be stored?
To maintain the confidentiality and integrity of the data, organisations should:
- ensure access is restricted only to authorised individuals;
- ensure the data is secure and, where necessary, encrypted;
- view recorded surveillance footage in restricted areas, such as a designated secure office; and
- train staff in security procedures.
Where should cameras be fixed?
Fixed and mobile cameras should be focussed on a relevant space, and where wider surveillance is possible but unnecessary this should be restricted. This will ensure that surveillance does not occur in areas which are not of interest and individuals are not unintentionally made the subject of surveillance.
There are places where individuals have a heightened expectation of privacy, such as private property, toilets and changing rooms. Surveillance systems in these environments should only be used in “the most exceptional circumstances”, where it is necessary to deal with “very serious concerns”.
Are organisations required to tell individuals that surveillance systems are being used?
Those under surveillance must be aware that they are being recorded. Individuals should be provided with the following information:
- details of the organisation operating the system (if not obvious, eg if the cameras are being used within a shop then it may be obvious that the shop is responsible for the cameras);
- purposes for using the system (ie for the purposes of safety and security); and
- who to contact in the event of a query or to exercise their rights under data protection law.
- Organisations are advised to put up appropriate signage which people can read within and prior to entering premises where surveillance systems are in place. It is not considered fair for an individual to read a sign that warns them about particularly intrusive surveillance technology in the area, if the system has already captured them.
- The ICO has suggested the sign might read: “Images are being monitored and recorded for the purposes of crime prevention and public safety. This system is controlled by [insert name]”.
If you require further information about anything covered in this briefing, please contact Genna Morgan-McDermott, or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, March 2022