10. Staying in control
Once you have followed the guidance in this code and set up the CCTV system you need to ensure that it continues to comply with the Data Protection Act (DPA) and the code’s requirements in practice. If requested you should:
- tell people how they can make a subject access request, who it should be sent to and what information needs to be supplied with their request;
- give them a copy of this code or details of the Information Commissioner's Office (ICO) website; and
- tell them how to complain about either the operation of the system or failure to comply with the requirements of this code.
Staff using the CCTV system or images should be trained to ensure they comply with this code. In particular, do they know:
- what the organisation’s policies are for recording and retaining images?
- how to handle the images securely?
- what to do if they receive a request for images, for example, from the police?
- how to recognise a subject access request and what to do if they receive one?
All images must be protected by sufficient security to ensure they do not fall into the wrong hands. This should include technical, organisational and physical security. For example:
- Are sufficient safeguards in place to protect wireless transmission systems from interception?
- Is the ability to make copies of images restricted to appropriate staff?
- Where copies of images are disclosed, how are they safely delivered to the intended recipient?
- Are control rooms and rooms where images are stored secure?
- Are staff trained in security procedures and are there sanctions against staff who misuse CCTV images?
- Are staff aware that they could be committing a criminal offence if they misuse CCTV images?
Any documented procedures which you produce following on from this code should be reviewed regularly, either by a designated individual within the organisation or by a third party. This is to ensure the standards established during the setup of the system are maintained.
Similarly, there should be a periodic review (at least annually) of the system’s effectiveness to ensure that it is still doing what it was intended to do. If it does not achieve its purpose, it should be stopped or modified.
- Is information available to help deal with queries about the operation of the system and how individuals may make access requests?
- Does the information include your commitment to the recommendations in this code and include details of the ICO if individuals have data protection compliance concerns?
- Is a system of regular compliance reviews in place, including compliance with the provisions of this code, continued operational effectiveness and whether the system continues to meet its purposes and remains justified?
- Are the results of the review recorded, and are its conclusions acted upon?