Data Protection Act
General Information on the Data Protection Act (1998)
The Data Protection Act (1998) came into effect on March 1st 2000.
It has implications for the owners and operators of CCTV systems
that monitor areas to which the public have access. Any organisation
whose use of CCTV falls within the remit of the Act and is found
to be in breach of the legislation may be held liable in a court of
law. Evidence gathered on a non-compliant CCTV system may be deemed
inadmissible in a criminal prosecution, thus negating the use of
the system. The Data Protection Commissioner has issued a Draft
Code of practice for Users of CCTV that is accessible on www.dataprotection.gov.uk.
1. A 'Data Controller' must be appointed in every organisation
to monitor files and deal with applications from employees and third
parties to access records. They then determine the purpose for processing
personal information. This is normally for the prevention and detection
of crime and public safety within areas to which the public have access.
2. Notify the Office of the Data Protection Commissioner that you
are processing personal data. There must be a legitimate basis for
installing CCTV Cameras.
3. Use appropriate signage to notify individuals that CCTV is in
operation. This must notify individuals that CCTV is being used,
the purpose of the system, who the owner is and contact details.
4. Authorised disclosees and compatibility of disclosure. You must
state recipients of information. If you wish to disclose information
it must be for a compatible purpose.
5. Unauthorised Disclosure. Be aware of who can see the monitors
and who has access to tapes to reduce risk of unauthorised disclosure.
6. An individual's access rights. Individuals who are the subject
of stored data images must, on payment of the appropriate fee, be
allowed access to them, given satisfactory reasons for doing so
and suitable identification.
7. Protect Third Parties. You must not disclose third party details
without their consent. This may mean pixelating (obscuring or masking)
out third parties from footage in access requests.
8. Train your staff. You must train your staff in Data Protection
Principles and Legislation. They must be made aware of their responsibilities,
i.e. information must be relevant, accurate, kept up to date, kept
secure and obtained fairly.
9. Breach of legislation. A breach of the legislation may be a
criminal offence; it carries an unlimited fine in solemn proceedings
and is down to personal liability. If an individual suffers damage
and distress due to a breach of the Act they may be entitled to
10. Information. Information must be processed fairly and lawfully,
documented and retained no longer than is necessary. The tape retention
period should be 31 days.
11. Security. Tapes must be kept secure with only authorised and
trained staff having access. Appropriate physical security measures
must be taken.
12. Covert cameras. The use of covert cameras is only lawful if
the criminal activity under surveillance can be specifically identified:
routine and general covert surveillance is not authorised.
If the Principles of the Act are not complied with then, apart
from being a breach of the Act itself, any evidence gathered for
court proceedings may become inadmissible.
If you require more information on Data Protection, contact:
The Office of the Data Protection Commissioner Tel (01625-545700)