In general, CCTV is directed at viewing and/or recording the activities of individuals. Therefore, most uses of CCTV by organisations or businesses will be covered by the DPA. The ICO has also issued a code of practice that provides recommendations on the use of CCTV systems to help organisations comply with the DPA.

CCTV systems which make use of wireless communication links (eg, transmitting images between cameras and a receiver) should ensure that these signals are encrypted to prevent interception.

CCTV systems which can transmit images over the internet (eg, to allow viewing from a remote location) should ensure that these signals are encrypted to prevent interception and also require some form of authentication for access (eg, a username and secure password).

The devices used to store CCTV images are also a common target during a break-in (eg, to remove potential evidence of the crime). In the first instance, organisations should consider the physical security of the storage device such as whether it is kept in a locked room. Newer systems may allow for recordings to be stored in an encrypted format which will prevent unauthorised access in the event of loss or theft, and which could be considered in addition to a range of appropriate access controls.

In responding to subject access requests or other disclosures, data controllers should consider an appropriate format of the data to be disclosed, and appropriate security controls. During procurement, the capability of the device or prospective system to export data securely to third parties should also be considered.

Example

A data controller receives a subject access request for CCTV images. The CCTV system can export images to an MP4 file format which can be accessed by the data subject on his personal computer. The data controller uses a file encryption product to encrypt the data before saving onto a CD (with a copy of the encryption software) and posting it to the data subject. Once the data subject confirms the safe receipt of the disc the data controller discloses the password used to generate the encryption key.

A second data subject submits a subject access request for CCTV images to be provided in a DVD Structure format (ie compatible with a standard DVD player). The data controller accepts the request but is unable to encrypt the images because the DVD Structure format is not compatible with encryption and would therefore not be accessible to the data subject because a consumer DVD Player will not understand the data format. The data controller makes the data subject aware of this limitation and offers them the choice of collecting a DVD in person, recorded delivery, or to export in an alternative format.