contents
- Foreword
- About this code
- What this code covers
- Deciding whether to use CCTV or continue using CCTV
- Ensuring effective administration
- Selecting and siting the cameras
- Using the equipment
- Looking after the recorded material and using the images
- Responsibilities
- Staying in control
- Appendix 1
- Appendix 2
- Appendix 3
CCTV code of practice
5. Ensuring effective administration
Establishing a clear basis for the handling of any personal information is essential and the handling of images relating to individuals is no different. It is important to establish who has responsibility for the control of the images, for example, deciding what is to be recorded, how the images should be used and to whom they may be disclosed. The body which makes these decisions is called the data controller and is legally responsible for compliance with the Data Protection Act (DPA).
Where more than one organisation is involved, each should know its responsibilities and obligations. If both make decisions about the purposes and operation of the scheme, then both are responsible under the DPA. This may be the case, for example, where the police have a ‘live feed’ from a local authority-owned camera.
- Who has responsibility for control of the images and making decisions on how these can be used? If more than one body is involved have responsibilities been agreed and does each know its responsibilities?
- Has the body (or have the bodies) responsible notified the Information Commissioner's Office (ICO) that they are the data controller? Does the notification cover the purposes for which the images are used, the disclosures that are made and other relevant details?3
- If someone outside your organisation provides you with any processing services, for example editing the images, is a written contract in place with clearly defined responsibilities? This should ensure that the images are only processed in accordance with your instructions. The contract should also include guarantees about security, such as storage and the use of properly trained staff.
You will also need clear procedures to determine how you use the system in practice.
- Have you identified clearly defined and specific purposes for the use of images, and have these been communicated to those who operate the system?
- Are there clearly documented procedures, based on this code, for how the images should be handled in practice? This could include guidance on disclosures and how to keep a record of these. Have these been given to appropriate people?
- Has responsibility for ensuring that procedures are followed been allocated to an appropriate named individual? They should ensure that standards are set, procedures are put in place to meet these standards and they should make sure the system complies with this code and with legal obligations such as an individual’s right of access.
- Are proactive checks or audits carried out on a regular basis to ensure that procedures are being complied with? This can be done either by you as the system operator or a third party.
You should review regularly whether the use of CCTV continues to be justified. You will have to renew your notification yearly, so this would be an appropriate time to consider the ongoing use of CCTV.
3 Please be aware that notification to the Commissioner does not in itself ensure that the system is compliant. You will still need to comply with the data protection principles (see appendix 1). Not all organisations need to notify. Current notification requirements can be found at www.ico.gov.uk/what_we_cover/data_protection/notification.aspx