This guidance provides advice for when you operate video surveillance systems that view or record individuals. It also covers information that relates to individuals, for example vehicle registrations captured by Automatic Number Plate Recognition (ANPR) equipment. It explores emerging capabilities that can assist human decision making, such as the use of Facial Recognition Technology (FRT) and machine learning algorithms.
Information held by organisations that is classed as personal data relating to identifiable living individuals is covered by the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018). This guidance will help you comply with these legal frameworks. When processing personal data, it is important you comply with key data protection requirements, such as data protection by design and default, fairness, accountability, transparency, and respect for the rights that individuals have.
The recommendations in this guidance are all based on the principles of UK data protection law, and are set out to follow the lifecycle and practical operation of surveillance systems.
Sections of this guidance also provide checklists that you should address to help you achieve the good practice recommendations.
Following the recommendations in this guidance will:
- help you to process personal data lawfully and comply with the UK GDPR, the DPA 2018 and other relevant statutory obligations;
- contribute to the efficient deployment and operation of a surveillance system;
- mean that the personal data you process is usable and the processing can meet your intended objectives;
- re-assure those whose personal data you are processing;
- help inspire wider public trust and confidence in the use of surveillance systems; and
- reduce reputational risks by staying within the law and avoiding regulatory action and penalties.
This guidance also acknowledges the wider regulatory environment. For example, where public authorities intend to use video surveillance you must comply with data protection law but also a broader framework of legal, procedural and risk based obligations such as:
- obligations under the Freedom of Information Act 2000 (FOIA); Freedom of Information (Scotland) Act 2002 (FOISA);
- the Human Rights Act 1998 (HRA); and
- the Surveillance Camera Code of Practice issued under the Protection of Freedoms Act 2012 (PoFA).
The Surveillance Camera Code of Practice (PoFA 2012)
The Protection of Freedoms Act 2012 (PoFA) led to the introduction of the Surveillance Camera code of practice (SC code) in 2013 and the appointment of a Surveillance Camera Commissioner to encourage compliance with the SC code and review its operation and impact. In England and Wales, relevant authorities deploying overt surveillance systems should pay due regard to the SC code, regardless of whether or not there is any live viewing, or recording of images or information or associated data.
Separate to this guidance, the SC code provides supporting advice and guidance for organisations using surveillance systems on issues such as operational requirements, technical standards and governance arrangements.
The PoFA requires relevant authorities to take the 12 guiding principles in the SC code into account. In general terms, the Police, Police and Crime Commissioners and local authorities in England and Wales are designated as relevant authorities, along with the National Crime Agency. All other controllers and operators are encouraged to follow the SC code, templates and toolkits as good practice on a voluntary basis.
Read further details on the Biometrics and Surveillance Camera Commissioner’s website.
The UK GDPR and DPA 2018 apply to all organisations that process personal data across the UK and has the same effect across all sectors. The SC code only applies to relevant authorities across England and Wales. Further, the Scottish government has produced its own separate CCTV Strategy for Scotland (2011). This strategy provides a common set of principles that operators of public space CCTV systems in Scotland should follow. The principles aim to ensure that these systems are operated fairly and lawfully.