To guide the conduct of information handlers, the Information Commissioner’s Office keeps the industry informed of what’s expected of it. Enter In the picture: A data protection code of practice for surveillance cameras and personal information. The report, published in May 2015, is necessary reading for any organisation that handles data. Five recommendations from the ICO’s report stood out to us.
Accountability. Organisations that process information need to have clear structures of accountability in place. To ensure good practices are followed, an individual within an organisation should be responsible for the use of data, how it is retained and disclosed, and which third parties have access to it. Needless to say, all employees within an organisation need to know the basics of the Data Protection Act, Protection of Freedoms Act and Freedom of Information Act. But, as the ICO states: “it is important that you establish who has responsibility for the control of information”.
Use of information. The purpose and proper use of surveillance equipment needs to be understood by the individuals who operate it. The ICO advises organisations to “clearly define the purposes for the use of information”, alongside “documented procedures for how information should be handled”. An organisation must regularly assess – using “privacy impact assessments” – whether or not its use of surveillance equipment is proportionate to its purpose. Dereck MacDonald of D-Four Technical Services told us that such assessments are needed in the industry: “‘Shifting boxes’ is what makes a company successful. It isn’t surprising that the use of surveillance technology is often disproportionate to its purpose. CCTV manufacturers will sell more than they need to. A climate of unease justifies excessive use of equipment.”
Third-party involvement. Access to retained data should only be given to individuals who explicitly need it. In addition, the ICO advises data-handling organisations to make provisions so that law enforcement agencies can easily access data. And organisations must heed a “subject access request” by disclosing a copy of data held on an individual if it is requested within 40 days of its capture. Individuals must be informed when their data is being captured, if not before.
Data retention. Measures must be taken to ensure that retained data is “secure and where necessary, encrypted”. Sarah Moss from ThruLink says the industry is snoozing on this recommendation. “ThruLink’s equipment always encrypts. Not all manufacturers produce equipment with encryption capabilities, nor do all clients feel the need to encrypt their data. But sensitive information needs to be protected. Big data companies should not allow weak spots to emerge. It puts their stakeholders at risk.” The ICO recommends that organisations take extra precautions if data are being stored on or transmitted by wireless devices.
Maintaining good practices. Members of staff within an organisation must be kept up to date with the best industry practices – how to store, handle and disclose information in accordance with legislation. Alongside internal assessments to ensure company practices are legitimate, such as “periodic reviews”, the Security Institute told us about another method of keeping up to date with statutory obligations: “Employees can be kept up to date with information relevant to the industry by enrolling on ‘CPD’ points schemes. Every time an employee attends a conference, an external training event or participates in a webinar, they receive CPD points, enabling organisations to monitor the level of training that their members of staff receive”.
icomply’s V-TAS Pro control room software helps data handlers to follow the ICO’s recommendations. With regard to ensuring that surveillance equipment is proportionate to its purpose, V-TAS Pro Back Office allows users to see which cameras are most frequently used and which ones are not. Infrequently used cameras can be relocated, aiding cost efficiency and the proportional use of technology. Further, our custom-built software is designed to ensure that data is only disclosed to legitimate third parties, as ‘access hierarchies’ ensure that only those who need access to information are granted it. And, for police forces and subjects of recorded information, retained data can be readily disclosed when needed without disruption to the recording process.