9. Responsibilities

9.1 Letting people know

You must let people know that they are in an area where CCTV surveillance is being carried out.

The most effective way of doing this is by using prominently placed signs at the entrance to the CCTV zone and reinforcing this with further signs inside the area. This message can also be backed up with an audio announcement, where public announcements are already used, such as in a station.

Clear and prominent signs are particularly important where the cameras themselves are very discreet, or in locations where people might not expect to be under surveillance. As a general rule, signs should be more prominent and frequent where it would otherwise be less obvious to people that they are on CCTV.

In the exceptional circumstance that audio recording is being used, this should be stated explicitly and prominently.

Signs should:

• be clearly visible and readable;
• contain details of the organisation operating the system, the purpose for using CCTV and who to contact about the scheme (where these things are not obvious to those being monitored); and
• be an appropriate size depending on context, for example, whether they are viewed by pedestrians or car drivers.

Signs do not need to say who is operating the system if this is obvious. If CCTV is installed within a shop, for example, it will be obvious that the shop is responsible. All staff should know what to do or who to contact if a member of the public makes an enquiry about the CCTV system. Systems in public spaces and shopping centres should have signs giving the name and contact details of the company, organisation or authority responsible.

• Do you have signs in place informing people that CCTV is in operation?
• Do your signs convey the appropriate information?

9.2 Subject access requests

Individuals whose images are recorded have a right to view the images of themselves and, unless they agree otherwise, to be provided with a copy of the images. This must be provided within 40 calendar days of receiving a request. You may charge a fee of up to £10 (this is the current statutory maximum set by Parliament). Those who request access must provide you with details which allow you to identify them as the subject of the images and also to locate the images on your system. You should consider:

• How will the staff involved in operating the CCTV system recognise a subject access request?
• Do you have internal procedures in place for handling subject access requests? This could include keeping a log of the requests received and how they were dealt with, in case you are challenged.

A clearly documented process will also help guide individuals through such requests. This should make it clear what an individual needs to supply. You should decide:

• What details will you need to find the images? Is it made clear whether an individual will need to supply a photograph of themselves or a description of what they were wearing at the time they believe they were caught on the system, to aid identification?
• Is it made clear whether details of the date, time and location are required?
• What fee will you charge for supplying the requested images (up to a maximum of £10) and how should it be paid? Make this clear to people making access requests.
• How will you provide an individual with copies of the images?

If images of third parties are also shown with the images of the person who has made the access request, you must consider whether you need to obscure the images of third parties. If providing these images would involve an unfair intrusion into the privacy of the third party, or cause unwarranted harm or distress, then they should be obscured. In many cases, images can be disclosed as there will not be such intrusion.

Where you decide that third parties should not be identifiable, then you will need to make arrangements to disguise or blur the images in question. It may be necessary to contract this work out to another organisation. Where this occurs, you will need to have a written contract with the processor which specifies exactly how the information is to be used and provides you with explicit security guarantees.

9.3 Freedom of information

If you are a public authority then you may receive requests under the Freedom of Information Act 2000 (FOIA) or Freedom of Information (Scotland) Act 2002 (FOISA). Public authorities should have a member of staff who is responsible for responding to freedom of information requests, and understands the authority’s responsibilities. They must respond within 20 working days from receipt of the request.

Section 40 of the FOIA and section 38 of the FOISA contain a two-part exemption relating to information about individuals. If you receive a request for CCTV footage, you should consider:

• Are the images those of the requester? If so then that information is exempt from the FOIA/FOISA. Instead this request should be treated as a data protection subject access request as explained above.
• Are the images of other people? These can be disclosed only if disclosing the information in question does not breach the data protection principles.

In practical terms, if individuals are capable of being identified from the relevant CCTV images, then it is personal information about the individual concerned. It is unlikely that this information can be disclosed in response to an FOI request as the requester could potentially use the images for any purpose and the individual concerned is unlikely to expect this. This may therefore be unfair processing in contravention of the Data Protection Act (DPA).

This is not an exhaustive guide to handling FOI requests⁸.

Note: Even where footage is exempt from FOIA/FOISA it may be lawful to provide it on a case-by-case basis without breaching the DPA, where the reason for the request is taken into account. See section 8 (using the images) for advice on requests for disclosure.

9.4 Other responsibilities

Staff operating the CCTV system also need to be aware of two further rights that individuals have under the DPA. They need to recognise a request from an individual to prevent processing likely to cause substantial and unwarranted damage or distress (s10 DPA) and one to prevent automated decision-taking in relation to the individual (s12 DPA). Experience has shown that the operators of CCTV systems are highly unlikely to receive such requests. If you do, guidance on these rights is available from the Information Commissioner’s Office⁹. Any use of Automatic Facial Recognition technology should also involve human intervention before decisions are taken, and this would not be decision taking solely on an automated basis within the terms of the DPA.

If the CCTV system covers a public space, the organisation operating the CCTV system should be aware of the possible licensing requirements imposed by the Security Industry Authority.

A public space surveillance (CCTV) licence is required when operatives are supplied under a contract for services. Under the provisions of the Private Security Industry Act 2001, it is a criminal offence for staff to be contracted as public space surveillance CCTV operators in England, Wales and Scotland without an SIA licence¹⁰.

• Do the relevant staff know how to deal with any request to prevent processing or prevent automated decision making and where to seek advice?
• Have you satisfied any relevant licensing requirements?

---

8 Further information about the FOIA can be found on ICO’s website: www.ico.gov.uk including specific guidance about section 40 (FOI Awareness Guidance No1).

9 “How can I stop them processing my personal information?” and “Preventing decisions based on automated processing of personal information” can both be found on the ICO website: www.ico.gov.uk. You may also wish to consult our Legal Guidance.

10 This requirement does not apply in Northern Ireland. For more information visit www.the-sia.org.uk