Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

CCTV and the protection of privacy: a tale of two cultures [2000] PLBIRp 43; (2000) 55 Privacy Laws and Business International Report 17

CCTV and the protection of privacy: a tale of two cultures

A report by Michael Spencer

THE UNITED KINGDOM AND CANADA have very different data protection regimes, but in both countries there is concern about the unregulated spread of CCTV. In the UK, a Code of Practice has now been developed. In Canada, the city authorities in Toronto have applied general privacy/ data protection law to severely restrict the use of cameras.

Rapid advances in technology have meant that continuous surveillance of public spaces by closed-circuit television (CCTV) can now record finer details of a scene, and at lower light levels, than ever before. Remotely controlled cameras can zoom in to track and identify a vehicle or an individual. At the same time, the demand for more and more surveillance seems (at least in some countries) to be insatiable; it is widely believed to contribute to a reduction in crime, though the evidence for this is patchy, and in Britain it has actively been fostered by the Government with grants to local authorities.

IMAGES FALL UNDER THE NEW UK DATA PROTECTION ACT

For more than a decade, privacy advocates have been calling for statutory regulation of CCTV systems to cover detailed operating procedures, safeguards against unwarranted invasions of privacy, and some form of licensing. The UK's 1998 Data Protection Act, unlike its predecessor of 1984, follows the 1995 EU Directive in defining 'personal data' to include any data from which a living individual can be identified. For the Act to apply, it is no longer necessary for the data controller to be able to attribute a name to a particular image. The Act does not, however, include any specific provisions relating to CCTV.

This omission was criticised by the House of Lords Science and Technology Committee in a 1998 report on the use of digital images as evidence. The Government responded that there was no need for statutory regulation because the Data Protection Principles embodied in the Act provide adequate cover. It favoured the development of a Code of Practice which would not have statutory force, but would emphasise the extent to which breaches of the Principles could arise in the use of CCTV. In such a case the Commissioner would have powers of investigation and enforcement.

A CCTV Code of Practice has now been issued, and was summarised for the Privacy Laws & Business Annual Conference in July 2000 by Jonathan Bamford, Assistant Data Protection Commissioner.

In the same conference session, a thought-provoking example of a different approach was offered by Rita Reynolds, Director of Access and Privacy for the City of Toronto (Ontario, Canada). Her post (which appears to have no parallel in the UK) includes responsibility for policy development and addressing privacy issues in a wide range of sectors including welfare and immigration, public health, biometric identification systems, and CCTV in traffic monitoring. For public-sector activities within Toronto, Rita Reynolds has considerable power to regulate privacy protection. There is provision under the relevant Act for appeals and complaints to go to the Privacy and Information Commissioner for Ontario.

THE UK CODE OF PRACTICE HAS NOW BEEN PUBLISHED

Jonathan Bamford recalled that in 1998, when he last addressed the Privacy Laws & Business conference on the subject of CCTV, systems were already widespread, but there was very little effective regulation or protection for the public against misuse. Few concerns were expressed by members of the public, and people appeared to feel reassured by the presence of cameras in public places. Since then, deployment has proceeded apace, but the law and the development of standards are now beginning to catch up. Under the new Data Protection Act, requirements similar to those applying to computer users will be in force.

Section 51 of the Act also empowers the UK Data Protection Commissioner to issue a Code of Practice where she considers it appropriate, and after due consultation this has now been done for CCTV. It applies to surveillance in areas to which the public have largely free and unrestricted access.

Like voluntary Codes approved by the Commissioner under the previous Act, it goes beyond restating the content of the legislation; it 'adds value' by giving guidance to what compliance with the law actually means in a given application.

GROWING CONCERN IN THE UK OVER THE USE OF CAMERAS

CCTV was chosen for the first Commissioner's Code because concern has been growing over the ubiquity of such cameras in the UK. It is mostly impossible to walk down a shopping street, or visit a bank or a shop, without coming under surveillance. Cameras are also common in car parks, railway stations, airports, leisure facilities and even residential areas. Public acceptance rests on the belief that CCTV provides protection against crime (which generally means local crime rather than terrorist attacks). However, there has been nothing in place to ensure that this trust is not misplaced (as occasionally seems to be the case). As the House of Lords remarked in its report (see above), without proper regulation, there is a risk that public confidence will be lost.

CODE PROVIDES USER-FRIENDLY GUIDANCE

The Code is in two parts. The first is a user-friendly guide that lists a series of practical standards, with indications of which of the standards is a legal requirement, and which is simply a recommendation for good practice. It includes cross-references to the second part, which sets out in detail what the Data Protection Act contains: definitions, a discussion of purposes that do and do not come under the Act, an explanation of the eight Data Protection Principles that must be complied with, the right of subject access to recorded data, exemptions to this right, and other individual rights. The first part of the Code is arranged as follows:

1. Initial assessment. Why is a scheme necessary, and what level of criminality is involved? Is its purpose clearly defined for notification to the Commissioner? Who is legally responsible, and who will ensure day-to-day compliance? Have security and disclosure policies been established?

2. Siting the cameras. Equipment should monitor only those spaces which are intended to be covered. If this cannot be achieved, the owners of the properties concerned (or residents of property overlooked) should be consulted if images might be recorded. Operators should be aware that they can use the equipment only to satisfy the established purpose of the scheme. They should also be aware of the privacy implications of covering spaces outside the intended area.

Clearly visible and legible signs should be placed to make the public aware that surveillance is being carried out, and to notify them of the purpose and the controllers of the scheme. Restricted crime-prevention exceptions to this rule are listed, and if sound recording is included, it should not be used to record conversations between members of the public. The Code does not apply to covert police surveillance as defined by the recent Regulation of Investigatory Powers Act.

3. Quality of the images. Equipment and recording media should be checked to ensure high-quality images that are relevant to the purpose of the scheme, for example, if the purpose is monitoring traffic flow, the cameras should not be sited so as to capture images of vehicles or drivers. If the system records features such as camera locations and date/time data, there should be a procedure for checking their accuracy. If automatic facial recognition is used to match images against a database, any match should be assessed by a human operator who will decide what action (if any) to take. Users should assess whether constant real-time recording is necessary, rather than limiting it to specific times. Cameras should be protected against vandalism, repairs carried out within a specific time period, and a maintenance log kept.

4. Processing the images. Images should not be retained for longer than is necessary for the purpose of the scheme, for example, records covering town centres may not need to be retained for longer than 31 days, unless they are required for evidential purposes in legal proceedings, while those obtained by monitoring ATMs (cash machines) might need three months in order to resolve customer disputes about withdrawals. Images retained for evidential purposes should be stored securely and fully documented by the operator.

Viewing of recorded images should normally be done in a restricted area by authorised staff only, particularly where the images are of areas in which individuals would have an expectation of privacy. Viewing by third parties should be authorised only in accordance with documented disclosure policies. All operators should be trained in security and disclosure policies, and in the rights of individuals over their recorded images.

5. Disclosure of images to third parties. Access to images should normally be restricted to those staff who need access to achieve the purpose of the scheme. All access to the medium on which images are recorded should be documented. Disclosure to third parties should be made only in limited and prescribed circumstances. Where the purpose of the scheme is crime prevention, disclosure should be limited to law enforcement and prosecution agencies, legal representatives, the media (if this would assist in identifying a victim, witness or perpetrator of crime), and anyone whose images have been recorded and retained (unless disclosure would prejudice enquiries or proceedings). Recorded images should not routinely be made available to the media or placed on the Internet. If disclosures are made to the media in circumstances other than those described above, the images of individuals will need to be disguised or blurred so that they are not readily identifiable. Any such processing by an editing company should be subject to a written contract which includes guarantees regarding security measures.

6. Individual rights. Data subjects requesting access should be provided with a standard access form which includes an indication of the fee charged (no more than £10 per search), the time needed to respond (no more than 40 days from receipt of fee and information required to locate the images), and an explanation of rights under the 1998 Act. They should also be given a leaflet describing the type and purpose of the scheme, and information about disclosure policy. Designated staff who locate the images will need to determine whether disclosure would reveal images of third parties which are held under a duty of confidence (as in a doctor's surgery). In such cases, thirdparty images must be disguised or blurred (see also above).

If a subject access request is refused, the reasons and other details should be documented. Staff should also be able to recognise and respond to a request from an individual to prevent unwarranted processing 'likely to cause substantial damage or substantial distress' (section 10 of the Act), or to prevent automated decision- taking in relation to that individual (section 12).

7. Monitoring compliance. Through the contact point indicated on signs posted to give warning of a scheme, staff should be able to provide enquirers with information leaflets, copies of the Code of Practice and subject access forms, and advise on the complaints procedure to be followed if they have concerns about the use of the system or any non-compliance with the Code.

Records of complaints and the action taken should be documented, and used to assess public reaction to and opinion of the scheme. Regular reviews of procedures should be undertaken, and reports provided to the legally responsible data controllers. Annual internal assessments of the effectiveness of the scheme should be undertaken, and if the scheme is not achieving its stated purpose, it should be modified or discontinued. The results of such reports should be made publicly available.

Jonathan Bamford concluded by describing the consultation procedure that preceded the final draft of the Code. It occupied several months and involved a wide range of organisations and groups representing both data users and data subjects. A copy of the consultation draft was also posted on the Commissioner's web site. The Code will be reviewed and updated regularly, particularly in the light of the Human Rights Act coming into force on 2 October 2000 (see p.21).

THE TORONTO EXPERIENCE

Rita Reynolds explained that in Ontario, provincial and municipal privacy (ie data protection) laws make it clear that CCTV records fall within their scope.

Her approach to the regulation of systems under city control rests on the premise that there has to be a sufficient threat to personal safety in order to justify the setting up of CCTV in public places, since the normal requirement of consent cannot be satisfied. This is regarded as a fundamental principle of democratic government. Although there is no specific constitutional protection of privacy, the courts have drawn on the Canadian Charter of Rights and Freedoms to infer such a right from Article 7 (right to life, liberty and security of person) and Article 8 (right to be secure against unreasonable search or seizure). Law-enforcement authorities require judicial authority for covert surveillance, though no penalty is laid down for failing to obtain a warrant.

TRAFFIC MONITORING BECAME A THREAT TO PRIVACY

The Toronto traffic monitoring system was set up primarily to check traffic flows, modify traffic signal cycles, detect accidents and guide the response of emergency services. Cameras were mounted on high poles and their output was made available to TV stations so that motorists could avoid congested areas. However, when it became apparent that the cameras were also capable of following individual vehicles and recording numberplates and facial images, law enforcement authorities expressed an interest in using the system for other purposes - a classic example of the ability of technology to exceed the purpose for which it was acquired, and the natural inclination to use it to its full potential.

Rita Reynolds took the view that, since local government staff controlled the cameras, they would be contravening privacy law if they allowed the system to be used in more invasive ways: the original authorisation by the City Council did not allow it, and covert surveillance would in any case require a judicial warrant. She therefore developed a protocol under which cameras would normally remain in the high-level (wide-field) viewing mode unless a life-threatening event was observed. If a traffic accident occurred and it was necessary to zoom in to determine the appropriate emergency response, the feed to the TV stations would be cut. Tapes containing personal data were to be sealed and securely stored for at least one year. If the police wished to make use of such tapes they would have to obtain a warrant to do so.

The protocol made it clear that the City Council does not have a law-enforcement mandate. It does, like all public authorities, have a duty of care. It is therefore appropriate to use its CCTV cameras to respond to life-threatening events, but not for the routine observation of all individuals passing a given point on the presumption that they might commit a crime. This is regarded as an unjustified invasion of privacy. In five years of operation, the 37 cameras in the system have not in fact detected any instances of a crime in progress.

POLICE USE OF CCTV NOT ALWAYS JUSTIFIABLE

A crucial test of the protocol (and of the City Council's support for it) arose in the 1990s when, at a period of political controversy over welfare cuts by the government of Ontario, there were plans for a 10,000-strong protest march to the legislature in Toronto. The police, concerned about possible violence, asked to take over the system of traffic cameras to conduct surveillance of the march. They intended to obtain as many individual images as possible in order to identify known criminals, likely offenders, protest organisers, and potential witnesses to incidents. Rita Reynolds asked the police to obtain a judicial warrant, citing a Canadian Supreme Court decision in which this had been held necessary.

The police were unable to produce a warrant, but insisted that they had sufficient authority. Rita Reynolds pointed out that the City Council could not legally comply. After further exchanges and some media publicity, the police reluctantly accepted an agreement under which Council staff would remain in control of the cameras; these would normally stay in their high-level viewing positions, and would be used to direct emergency services if required. The police could view the output of the system to facilitate crowd control. If an incident occurred, Council staff would cut the external video link and zoom cameras to determine the service required. If a law-enforcement matter was involved, the police would be free to view the tape on production of a sub poena.

In the event there were no incidents requiring intervention. The episode served to establish the principle that a public authority should not, under the guise of traffic control, conduct electronic surveillance of citizens exercising their democratic right of peaceful assembly. A basic argument for this principle is that if CCTV is used to collect personal data without stringent justification and controls, it becomes a mechanism for undermining the civil society which it is supposed to serve.

Somewhat different privacy concerns arose over the use of 'red-light cameras' in Toronto, introduced on a trial basis in a move to reduce the number of side-impact collisions at junctions arising from drivers taking a risk when traffic signals changed. The police wished to record facial images so that the driver's face could be matched against a database of driver licence photographs. Under traffic law current at the time, the driver rather than the owner of a car was legally responsible. However, it was pointed out that licence photographs are renewed only every five years, and are likely to be quite unreliable as a means of identification.

There was also a privacy issue in that the cameras would capture images of passengers and passers-by as well. After some controversy and a change in the law to make car owners liable for traffic infractions involving their cars, it was agreed that red-light cameras would record only the licence-plate number of a vehicle. On the grounds that the number constitutes a personal identifier, there would also be restrictions on access to records in the event of an accident.

PUBLIC DEBATE NOW BEGINNING IN CANADA

Rita Reynolds remarked that, in Toronto, the application of CCTV has not yet proliferated as it has in the UK, and that a public debate on the issue is only just beginning. She felt that, despite public pressure for any measure that might reduce crime, the Charter Rights protecting privacy (see above) might well be held to restrict the widespread use of CCTV. She outlined a number of questions that need to be answered before a system is set up. In addition to the need to ensure legal authority, these relate to

o the actual level of crime, how it has varied in recent years, and what type of crime is involved (eg violent offences or property crime);

o whether the system is to be a substitute for police presence, or whether more community-based policing is possible instead;

o whether it is really expected to assist in apprehending suspects or mainly to act as a crime deterrent (and if the latter, whether the crime will merely be displaced elsewhere);

o that independently analysed crime statistics are available to show the effect of such systems on the overall level of crime; and

o how the public is to be involved in the debate and given answers to all the questions raised above.

Rita Reynolds followed this with a discussion of the type of protocol that would need to be drawn up if a system was approved. This covered much the same ground as the Code of Practice described by Jonathan Bamford. However, her presentation revealed strikingly different attitudes in Canada (at least in Toronto) and in the UK towards the use of CCTV for crime prevention. In the UK, many such schemes are set up and controlled by local authorities, both with and without the active involvement of the police. Even under the new Act, there is nothing to stop a traffic monitoring system being used for crime prevention purposes, so long as this is included in the purpose notification to the Commissioner. In Toronto the situation is very different, with a clear distinction between the functions and powers of the police and the City Council.

Rita Reynolds' presentation also differed in putting more emphasis on the need for detailed justification on a variety of grounds before a system is set up in the first place. Although the UK's Code refers to the need for initial assessment, the reality in Britain is that the CCTV horse has bolted long before the stable door was closed. With so many precedents already established (and so much money invested), the Commissioner seems unlikely to be able to do more at first than investigate any blatant examples of privacy invasion by existing systems, and influence the development of those that follow so that initial assessment is given more attention.

UK HUMAN RIGHTS ACT WILL CHANGE THE SITUATION

The Introduction to the UK Code does, however, point out that the Human Rights Act 1998 will, after 2nd October 2000 (its date of coming into force), lead to developments in legal interpretation which will require review of the Code. The right to privacy under Article 8 of the European Convention on Human Rights, as now incorporated into the Act, may well lead to challenges to the legality of some CCTV systems. British citizens will gradually become aware that they have a basic right to privacy, broadly defined, which extends beyond the home.

The references by Rita Reynolds to the influence of the Canadian Charter of Rights and Freedoms, which bears a strong resemblance to the European Convention, show that the Human Rights Act will cause the justification for CCTV to be much more closely examined than has so far been the case.

This report, written by Dr Michael Spencer, is based on presentations at the Privacy Laws & Business Annual International Conference in July 2000, supplemented by the UK Code of Practice which was published shortly afterwards (available from the Commissioner's office or via her website http://www.dataprotection.gov.uk). Michael Spencer is a consultant on data protection and civil liberties. He can be contacted by e-mail: mikespen@gn.apc.org.