The Information Commissioner's (ICO) new code of practice for surveillance cameras and personal information updates the previous 2008 CCTV code. It takes account of developments such as digital recording technology, portable technology, "drone" cameras and automatic number plate recognition systems, as well as "body worn" cameras used by organisations like the police. The code sets out the ICO's guidance on how organisations should comply with data protection law when considering or using such technologies.
The code explains that:
"Surveillance cameras are no longer a passive technology that only records and retains images, but is now a proactive one that can be used to identify people of interest and keep detailed records of people’s activities, such as with [automatic number plate recognition cameras]. The use of surveillance cameras in this way has aroused public concern due to the technology no longer being used solely to keep people and their property safe, but increasingly being used to collect evidence to inform other decisions, such as the eligibility of a child to attend a school in a particular area."
The code reminds organisations that aside from data protection obligations, they also need to take account of other legal frameworks, such as the Freedom of Information Act, Protection of Freedoms Act and the Human Rights Act.
A separate Surveillance Camera Code applies to police forces, local authorities and police and crime commissioners in England and Wales, although the ICO code also encourages other organisations to follow the Surveillance Camera Code and advice from the Surveillance Camera Commissioner as a matter of good practice.
The code addresses the need to keep stored data secure. Encryption may be required, and where a large amount of data is stored using a cloud service, users will need to be confident that their provider can also ensure security. The ICO's Guidance on the use of cloud computing gives more detail on the rules in this area.
Smaller users of CCTV will be relieved to learn that they can turn to the checklist in Appendix 2. If they are able to bring their activities within the checklist they need not follow the detailed provisions of the full code.