You must let people know that they are in an area where CCTV surveillance is being carried out.
The most effective way of doing this is by using prominently placed signs at the entrance to the CCTV zone and reinforcing this with further signs inside the area. This message can also be backed up with an audio announcement, where public announcements are already used, such as in a station.
Clear and prominent signs are particularly important where the cameras themselves are very discreet, or in locations where people might not expect to be under surveillance. As a general rule, signs should be more prominent and frequent where it would otherwise be less obvious to people that they are on CCTV.
In the exceptional circumstance that audio recording is being used, this should be stated explicitly and prominently.
Signs do not need to say who is operating the system if this is obvious. If CCTV is installed within a shop, for example, it will be obvious that the shop is responsible. All staff should know what to do or who to contact if a member of the public makes an enquiry about the CCTV system. Systems in public spaces and shopping centres should have signs giving the name and contact details of the company, organisation or authority responsible.
Example: “Images are being monitored and recorded for the purposes of crime prevention and public safety. This scheme is controlled by Greentown Borough Council. For more information, call 01234 567890.”
Individuals whose images are recorded have a right to view the images of themselves and, unless they agree otherwise, to be provided with a copy of the images. This must be provided within 40 calendar days of receiving a request. You may charge a fee of up to £10 (this is the current statutory maximum set by Parliament). Those who request access must provide you with details which allow you to identify them as the subject of the images and also to locate the images on your system. You should consider:
A clearly documented process will also help guide individuals through such requests. This should make it clear what an individual needs to supply. You should decide:
If images of third parties are also shown with the images of the person who has made the access request, you must consider whether you need to obscure the images of third parties. If providing these images would involve an unfair intrusion into the privacy of the third party, or cause unwarranted harm or distress, then they should be obscured. In many cases, images can be disclosed as there will not be such intrusion.
Example: A public space CCTV camera records people walking down the street and going about their ordinary business. Where nothing untoward has occurred, this can be released without editing out third party images.
Example: Images show the individual who has made the request with a group of friends, waving at a camera in the town centre. There is little expectation of privacy and the person making the request already knows their friends were there. It is likely to be fair to release the image to the requester without editing out the faces of their friends.
Example: Images show a waiting room in a doctor’s surgery. Individuals have a high expectation of privacy and confidentiality. Images of third parties should be redacted (blurred or removed) before release.
Where you decide that third parties should not be identifiable, then you will need to make arrangements to disguise or blur the images in question. It may be necessary to contract this work out to another organisation. Where this occurs, you will need to have a written contract with the processor which specifies exactly how the information is to be used and provides you with explicit security guarantees.
If you are a public authority then you may receive requests under the Freedom of Information Act 2000 (FOIA) or Freedom of Information (Scotland) Act 2002 (FOISA). Public authorities should have a member of staff who is responsible for responding to freedom of information requests, and understands the authority’s responsibilities. They must respond within 20 working days from receipt of the request.
Section 40 of the FOIA and section 38 of the FOISA contain a two-part exemption relating to information about individuals. If you receive a request for CCTV footage, you should consider:
In practical terms, if individuals are capable of being identified from the relevant CCTV images, then it is personal information about the individual concerned. It is unlikely that this information can be disclosed in response to an FOI request as the requester could potentially use the images for any purpose and the individual concerned is unlikely to expect this. This may therefore be unfair processing in contravention of the Data Protection Act (DPA).
This is not an exhaustive guide to handling FOI requests8.
Note: Even where footage is exempt from FOIA/FOISA it may be lawful to provide it on a case-by-case basis without breaching the DPA, where the reason for the request is taken into account. See section 8 (using the images) for advice on requests for disclosure.
Staff operating the CCTV system also need to be aware of two further rights that individuals have under the DPA. They need to recognise a request from an individual to prevent processing likely to cause substantial and unwarranted damage or distress (s10 DPA) and one to prevent automated decision-taking in relation to the individual (s12 DPA). Experience has shown that the operators of CCTV systems are highly unlikely to receive such requests. If you do, guidance on these rights is available from the Information Commissioner’s Office9. Any use of Automatic Facial Recognition technology should also involve human intervention before decisions are taken, and this would not be decision taking solely on an automated basis within the terms of the DPA.
If the CCTV system covers a public space, the organisation operating the CCTV system should be aware of the possible licensing requirements imposed by the Security Industry Authority.
A public space surveillance (CCTV) licence is required when operatives are supplied under a contract for services. Under the provisions of the Private Security Industry Act 2001, it is a criminal offence for staff to be contracted as public space surveillance CCTV operators in England, Wales and Scotland without an SIA licence10.
8 Further information about the FOIA can be found on ICO’s website: www.ico.gov.uk including specific guidance about section 40 (FOI Awareness Guidance No1).
9 “How can I stop them processing my personal information?” and “Preventing decisions based on automated processing of personal information” can both be found on the ICO website: www.ico.gov.uk. You may also wish to consult our Legal Guidance.
10 This requirement does not apply in Northern Ireland. For more information visit www.the-sia.org.uk