Privacy & Information Security Law Blog

On October 15, 2014, the UK Information Commissioner’s Office (“ICO”) published a code of practice regarding the use of surveillance cameras (“Code of Practice”). The Code of Practice explains how the legal requirements of the Data Protection Act 1998 apply to operators of surveillance cameras. Practical and technological advancements have led to a wide variety of surveillance camera technologies that differ from traditional CCTV (e.g., Automatic Number Plate Recognition cameras and body-worn cameras). The Code of Practice addresses (1) changes in technology and (2) inconsistent standards that have arisen in various sectors since the ICO last updated its guidance on CCTV systems, which occurred in 2008. In particular, due to technological advancements, surveillance cameras are no longer merely passive recording devices, but rather can be used to identify specific items or individuals, keep detailed records of events, and are increasingly portable and discrete.

The Code of Practice covers the use of traditional CCTV systems as well as more sophisticated surveillance systems, including:

• Automatic Number Plate Recognition;
• Body-worn video;
• Unmanned aerial systems (e.g., drones); and
• Other systems that capture information of identifiable individuals.

The Code of Practice provides guidance and good practice tips on key areas for data protection compliance, including (1) the circumstances in which surveillance systems should be used, (2) camera positioning, (3) data subject access requests, (4) data retention and disposal, (5) disclosure of footage to third parties and (6) notifying relevant individuals. In addition, Section 7 of the Code of Practice focuses on more sophisticated surveillance systems such as those that use profiling technology or automatic recognition technology.

The Code of Practice also reflects the wider regulatory environment for surveillance systems, including the Surveillance Camera Code of Practice (“POFA Code”) issued under the Protection of Freedoms Act 2012. Data controllers are encouraged, but not required (except for certain public authorities) to comply with the POFA Code. The ICO Code of Practice is consistent with the POFA Code and cross-references the 12 guiding principles outlined in the POFA Code.