How do you know if you are covered by the Data Protection Act (DPA) when installing CCTV?
If you can answer ‘no' to all the following 3 questions you will not be covered:
- Do you ever operate the cameras remotely in order to zoom in/out or point in different directions to pick up what particular people are doing?
- Do you ever use the images to try to observe someone's behaviour for your own business purposes such as monitoring staff members?
- Do you ever give the recorded images to anyone other than a law enforcement body such as the police?
If your system is more advanced and allows you to zoom in on an individual member of staff whose behaviour is causing you concern, or you use cameras to monitor the movements and activities of your workforce, you'll need to inform the Information Commissioner (ICO). You'll also need to let the ICO know if you give the recorded images to anyone other than the police or a similar law enforcement agency.
The highly sophisticated CCTV systems used in large shops, railway stations, town centres and other places where large numbers of people gather are designed to focus on particular people or identify criminal activity. These types of images are covered by the Act, but if a general scene is recorded without an incident occurring, the pictures are not covered.
In summary, if the image recorded is aimed at learning about a particular person's activities, then it's covered by the act.
If some of your CCTV activities are covered you still need to comply with the DPA by making sure you have notified the Commissioner, having signs, deciding how long you retain images and making sure your equipment works properly. The Information Commissioner has issued a CCTV Code of Practice and this together with a checklist for users of small CCTV systems provides guidance for those using CCTV systems.
Once you have notified the Information Commissioner you will be sent reminders when the renewal of your notification is due.
The process is fairly simple and the checklist and advice provided by the Information Commissioner are easy to follow. You do not need to go on a training course nor to have inspections by authorised assessors to ensure compliance with the Data Protection Act - simply follow the advice given by the Information Commissioner and make sure you have provided notification.