The client
Our client is the borough council of a thriving town with millions of visitors a year and a population of over 150,000 people. Since the early 1970s, our client has managed multiple sites to provide services to their residents and visitors. These services include waste and recycling management, housing services, parking, street care and cleaning, burials and cremations, and more. However, over the years, our client has outsourced the management of several of its sites to external service providers, which added to their need to understand who was liable for each site’s surveillance system to comply with Principle 4 of the Surveillance Camera Commissioner (SCC) Code of Practice.
To assist in the management of these sites, surveillance camera systems were installed. Initially, only Closed-Circuit Television (CCTV) cameras were in operation. However, our client has now expanded their repertoire to include other types of surveillance camera systems such as body-worn video (BWV) and Automatic Number Plate Recognition (ANPR) cameras. These cameras are processing high volumes of data subjects’ personal data including special category data. Therefore, being compliant with the relevant legislation is a key priority for our client. As a local authority, they are held to a high standard of compliance as they conduct public space surveillance.
What did they need?
Concerned about the compliance of their surveillance systems, our client sought external support from Data Privacy Advisory Service to assess current practices regarding surveillance and remediate any risks highlighted throughout the project. The outcome of the project was to identify which sites had surveillance systems in place, who was responsible (the data controller) for each system, and provide an assessment of each site’s compliance.
How did we help?
In addition to supporting the overall organisation with their compliance requirements, DPAS developed the relevant accountability documentation which would ensure they complied with the legislation.
DPAS emphasised that compliance with data protection legislation and the Surveillance Camera Code of Practice goes beyond the initial installation of a surveillance camera system, which drove our approach.
Our approach considers the four steps to a compliant surveillance camera system:
- Step 1: Installation.
- Step 2: Management, including training.
- Step 3: Operation.
- Step 4: Public awareness and signage.
DPAS conducted a gap analysis which developed our understanding of the gaps in compliance our client had, as well as identifying the correct stakeholders for each site. This gap analysis was conducted via a short survey sent to key stakeholders.
Once the correct stakeholders were identified, to minimise disruption to the organisation, DPAS organised off-site video meetings to gather the information required to inform our assessment of the compliance of surveillance camera systems used. These meetings informed the completion of Data Protection Impact Assessments (DPIAs) specifically for surveillance camera systems and identified suppliers that needed further assessment per our project’s scope.
In addition to off-site meetings, DPAS conducted an off-site high-level review of current documented policies and procedures, and a list of systems in place, to identify any areas of improvement.
RECOMMENDATIONS
Our independent experts brought in industry best practices and standards as part of our recommendations to our client.
DPAS identified that several changes were required to improve the compliance of our client’s accountability documentation. For example, our client’s CCTV policy, published on their Publication Scheme, was outdated and did not reflect recent legislative changes. The overall recommendations were made in response to risks identified within the following areas of scope:
- Data controller/data processor
- Retention
- Security of personal data
- Training
- Third-party due diligence
- Sharing and disclosure of personal data
- Data subject rights
In addition, DPAS identified the use of covert surveillance by one of the departments, which highlighted the need for compliance with the Regulation of Investigatory Powers Act 2000 (RIPA 2000), which regulates the powers of public bodies to carry out covert surveillance and investigations. To demonstrate our client’s compliance with this legislation, DPAS developed accountability documentation reflecting the appropriate use of covert surveillance.
IMPLEMENTATION
During each stakeholder meeting, DPAS were able to make recommendations that would help to further compliance through ‘quick wins’, such as ensuring that the retention period for information captured by each surveillance camera system is set to 30 days, to achieve a consistent retention period across the entire organisation (unless exemptions apply).
In addition, to help our client further compliance, DPAS provided our client with the following accountability documentation to mitigate the risks identified throughout the project:
- A complete, tailored, CCTV policy incorporating GDPR, Data Protection Act 2018, Protection of Freedoms Act 2012, and the updated Surveillance Code of Practice (that came into effect on 12th January 2022) requirements.
- Completed DPIAs for each site that operated surveillance camera system(s), which identified the associated risks and provided an assessment of each site’s compliance, giving each site an individual score.
- A Surveillance Camera Privacy Notice that covered all the different types of surveillance camera systems used by our client (including Closed Circuit Television (CCTV), Automatic Number Plate Recognition (ANPR), and Body Worn Video (BWV)).
- Templates for Data Sharing Agreements (DSAs), Data Processing Agreements (DPAs), CCTV Annual Review Form, and a CCTV SAR Form.
- A personalised SCC DPIA template with specific prompts to support our client’s compliance journey.
- A Surveillance Cameras System Tracker to allow our client to have oversight of the surveillance camera systems in use across the sites whether they are the landlord, or responsible for operations.
- A completed SCC Self-Assessment Tool to demonstrate compliance with the SCC Code of Practice and support our client’s application to achieve the Biometrics and Surveillance Camera Commissioner’s third-party certification mark.
- An ‘End of Project’ report highlighting the risks identified with a RAG rating and the suggested remedial actions for each risk.
RESULTS
Our client was able to use the accountability documentation and end-of-project report within board meetings to demonstrate their organisation’s commitment to the importance of data protection and individuals’ rights.
DPAS provided designated experts, which the client did not have in-house, to offer personalised advice and guidance. This tailored advice allowed our client to incorporate the best practices, risk analysis, and remedial advice shared by DPAS into their compliance strategy for continual improvement of their surveillance camera systems. The client has been given the tools to ensure that their accountability documentation remains up to date and to support their staff’s use of surveillance cameras, ensuring that staff read and understand the contents of the accountability documentation and that the identified risks are appropriately mitigated and reviewed on an ongoing basis.
CONCLUSION
Through the successful delivery of this project, we improved the client’s current compliance with the relevant legislation associated with surveillance camera systems. Our client was provided with the tools needed to successfully maintain their surveillance camera systems and continue to effectively manage compliance. This was achieved through the provision of personalised templates that have specific prompts for our client, and training, to improve the overall awareness of requirements of surveillance camera systems and how to achieve compliance.
Working with independent experts, our client was able to independently assess their compliance with legislation beyond what was previously understood. As an independent auditor, DPAS was able to deliver an impartial assessment of any compliance gaps and how to resolve them.
DPAS also delivered a tailored road map to support our client’s ongoing journey with compliance. If you need help with your surveillance camera system and achieving compliance with the relevant legislation, contact the DPAS team at 0203 301 3384 or info@dataprivacyadvisory.com for a no-obligation quote.