New CCTV Code of Practice: surveillance and the protection of freedoms

Surveillance of the covert and digital variety has been dominating the news of late. The legal contours of the practices leaked by Edward Snowden (the NSA’s obtaining of internet metadata) and covered by The Guardian (most recently, GCHQ’s monitoring of certain communications of ‘friendly’ foreign allies) may be matters of some debate.

In the meantime, the legal contours of a more overt and physical variety of surveillance – CCTV – have been somewhat clarified.

Panopticon indeed.

As its name suggests, the Protection of Freedoms Act 2012 expressed the incoming Coalition Government’s commitment to keeping in check the state’s surveillance of ordinary citizens. By that Act (sections 29-36), the Home Secretary was to present to Parliament a Code of Practice governing the use of surveillance camera systems including CCTV and Automatic Number Plate Recognition (ANPR). Following a consultation exercise – the response to which can be read here – the Home Secretary has now done so. The Code was laid before Parliament on 4 June 2013. A draft order (the Protection of Freedoms Act 2012 (Code of Practice for Surveillance Camera Systems and Specification of Relevant Authorities) Order 2013) is currently being considered by Parliament’s Joint Committee on Statutory Instruments.

Pending its coming into force, Panopticon summarises the key features of the new Code.

To whom does the Code apply?

The Code imposes duties on ‘relevant authorities’, which are those listed at section 33(5) of the Protection of Freedoms Act 2012 – in the main, local authorities and policing authorities.

The draft order proposes to add the following to the list of relevant authorities:

(a) The chief constable of the British Transport Police;

(b) The Serious Organised Crime Agency;

(c) The chief constable of the Civil Nuclear Constabulary; and

(d) The chief constable of the Ministry of Defence Police.

The Code recognises that concern about the use of surveillance cameras often extends beyond these sorts of full-blooded ‘public’ authorities. It recognises that the list of relevant authorities may need to be expanded in future to encompass shopping centres, sports grounds, schools, transport centres and the like.

For now, however, only those listed as ‘relevant authorities’ are subject to the duties imposed by the Code. Others who use such surveillance systems are ‘encouraged’ to abide by the Code.

What duty is imposed by the Code?

The Code imposes a ‘have regard to’ duty. In other words, relevant authorities are required to have regard to the Code when exercising any of the functions to which the Code relates. As regards its legal effects:

“A failure on the part of any person to act in accordance with any provision of this code does not of itself make that person liable to criminal or civil proceedings. This code is, however, admissible in evidence in criminal or civil proceedings, and a court or tribunal may take into account a failure by a relevant authority to have regard to the code in determining a question in any such proceedings” (paragraph 1.16).

It may well be that the Code also weighs heavily with the ICO in its consideration of any complaints about the use of surveillance cameras breaching the DPA 1998.

Remember that the Home Office Code sits alongside and does not replace the ICO’s CCTV Code of Practice.

What types of activity are covered by the new Code?

Relevant authorities must have regard to the Code ‘when exercising any of the functions to which the Code relates’. This encompasses the operation and use of and the processing data derived from surveillance camera systems in public places in England and Wales, regardless of whether there is any live viewing or recording of images and associated data.

The Code does not apply to covert surveillance, as defined under the Regulation of Investigatory Powers Act 2000.

What about third party contractors?

Where a relevant authority instructs or authorises a third party to use surveillance cameras, that third party is not under the ‘have regard to’ duty imposed by the Code. That duty does, however, apply to the relevant authority’s arrangements.

By paragraph 1.11:

“The duty to have regard to this code also applies when a relevant authority uses a third party to discharge relevant functions covered by this code and where it enters into partnership arrangements. Contractual provisions agreed after this code comes into effect with such third party service providers or partners must ensure that contractors are obliged by the terms of the contract to have regard to the code when exercising functions to which the code relates.”

The approach

The guiding philosophy of the Code is one of surveillance by consent:

 “The government considers that wherever overt surveillance in public places is in pursuit of a legitimate aim and meets a pressing need, any such surveillance should be characterised as surveillance by consent, and such consent on the part of the community must be informed consent and not assumed by a system operator…. [legitimacy] in the eyes of the public is based upon a general consensus of support that follows from transparency about their powers, demonstrating integrity in exercising those powers and their accountability for doing so” (paragraph 1.5).

In a nutshell, the expectation is this:

“The decision to use any surveillance camera technology must, therefore, be consistent with a legitimate aim and a pressing need. Such a legitimate aim and pressing need must be articulated clearly and documented as the stated purpose for any deployment. The technical design solution for such a deployment should be proportionate to the stated purpose rather than driven by the availability of funding or technological innovation. Decisions over the most appropriate technology should always take into account its potential to meet the stated purpose without unnecessary interference with the right to privacy and family life. Furthermore, any deployment should not continue for longer than necessary” (paragraph 2.4).

The guiding principles

The Code then sets out 12 guiding principles which systems operators should follow:

(1) Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.

(2) The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.

(3) There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.

(4) There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.

(5) Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.

(6) No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.

(7) Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.

(8) Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.

(9) Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.

(10) There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.

(11) When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.

(12) Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

Points to note

The Code then fleshes out those guiding principles in more detail. Here are some notable points:

Such systems “should not be used for other purposes that would not have justified its establishment in the first place” (paragraph 3.1.3).

“People do, however, have varying and subjective expectations of privacy with one of the variables being situational. Deploying surveillance camera systems in public places where there is a particularly high expectation of privacy, such as toilets or changing rooms, should only be done to address a particularly serious problem that cannot be addressed by less intrusive means” (paragraph 3.2.1).

“Any proposed deployment that includes audio recording in a public place is likely to require a strong justification of necessity to establish its proportionality. There is a strong presumption that a surveillance camera system must not be used to record conversations as this is highly intrusive and unlikely to be justified” (paragraph 3.2.2).

“Any use of facial recognition or other biometric characteristic recognition systems needs to be clearly justified and proportionate in meeting the stated purpose, and be suitably validated. It should always involve human intervention before decisions are taken that affect an individual adversely” (paragraph 3.3.3).

“This [the requirement to publicise as much as possible about the use of a system] is not to imply that the exact location of surveillance cameras should always be disclosed if to do so would be contrary to the interests of law enforcement or national security” (paragraph 3.3.6).

“It is important that there are effective safeguards in place to ensure the forensic integrity of recorded images and information and its usefulness for the purpose for which it is intended to be used. Recorded material should be stored in a way that maintains the integrity of the image and information, with particular importance attached to ensuring that meta data (e.g. time, date and location) is recorded reliably, and compression of data does not reduce its quality” (paragraph 4.12.2).

Enforcement

The Surveillance Camera Commissioner is a statutory appointment made by the Home Secretary under section 34 of the Protection of Freedoms Act 2012. The Commissioner has no enforcement or inspection powers. However, in encouraging compliance with the Code, he “should consider how best to ensure that relevant authorities are aware of their duty to have regard for the Code and how best to encourage its voluntary adoption by other operators of surveillance camera systems” (paragraph 5.3). The Commissioner is/is to be assisted by a non-statutory Advisory Council with its own specialist subgroups.

Given the limited remit of the Surveillance Camera Commissioner, it may be that the Code shows its teeth more effectively in complaints to the ICO and/or the courts.

Robin Hopkins

Important developments in surveillance law: RIPA and CCTV

Important changes to the Regulation of Investigatory Powers Act 2000 come into force from 1 November 2012, thanks to the Protection of Freedoms Act 2012 (Commencement No. 2) Order 2012, passed last week. This is an extremely important development for local authorities.

Local authorities are empowered under RIPA to use three surveillance techniques: directed surveillance, the deployment of a Covert Human Intelligence Source (CHIS) and accessing communications data. Early in its term, the Coalition government indicated that it would impose additional safeguards on local authorities’ use of such powers, responding in part to concerns aired by Big Brother Watch and others (see our post here and the recent ‘Grim RIPA’ report here). Chapter 2 of Part 2 of the Protection of Freedoms Act 2012 Act amended RIPA so as to require local authorities to obtain the approval of a magistrate for any authorisation for the use of a covert investigatory technique.

The procedure for obtaining judicial approval may be much like that involved in obtaining search warrants. It remains to be seen how magistrates scrutinise the reasoning and evidence supporting an authorisation so as to ensure that the conditions laid down by RIPA – in particular, necessity and proportionality – are satisfied. Ibrahim Hasan has discussed the changes in his Local Government Lawyer piece here.

Last week also saw a second important announcement on surveillance. The government has announced that it is busy with preparatory work on a new CCTV code of practice, with the aim of consulting on the draft code over the autumn and bringing the new one into force in April 2013. Authorities specified in s. 33(5) of the Protection of Freedoms Act 2012 have a duty to have regard to the code, and other system operators will be encouraged to adopt it on a voluntary basis.

The Home Office Minister, Jeremy Browne MP, told the House of Commons last week that the government is “committed to ensuring that any deployment in public places of surveillance cameras, including close circuit television (CCTV) and automatic number plate recognition (ANPR), is appropriate, proportionate, transparent and effective in meeting its stated purpose”.

Oversight of – and independent recommendations about – the new code will fall to Andrew Rennison, who will remain in post as both surveillance camera commissioner and forensic science regulator until February 2014.

If one adds the Local Authorities (Executive Arrangements) (Meetings and Access to Information) (England) Regulations 2012, also passed last week (see my post here), this is clearly a time of great flux in terms of the information law landscape for local authorities in particular.

Robin Hopkins

Local authorities and NHS Trusts (2): unusual appeals ahead

I blogged earlier (see below) about the sorts of information law issues that arise routinely for local authorities and NHS Trusts. On a more unusual note, it is worth noting that the First-Tier Tribunal is due to hear appeals against notices other than the usual decision notices issued by the Information Commissioner under s. 50 of FOIA.

The first ever appeal against a monetary penalty notice issued for breaches of the Data Protection Act 1998 will be heard on 3-5 December of this year: Central London Community Healthcare NHS Trust v IC (EA/2012/0111). The Trust was fined £90,000 for faxing patient lists containing sensitive personal data to the wrong number. The Commissioner’s press release is available here.

Secondly, Southampton City Council is appealing against a decision by the Commissioner that a licensing policy under which all licensed taxis must use surveillance equipment consisting of CCTV and audio-recording facilities, both of which must operate whenever the vehicle is in motion, breached the first data protection principle. The Commissioner issued an enforcement notice against the Council (his press release is here).

The appeals will feature my fellow Panopticonners Anya Proops (for the Commissioner in both cases) and Tim Pitt-Payne QC (for the appellants in both cases).

Robin Hopkins

WATCH THIS SPACE

The Coalition’s Programme for Government contains a great deal that is of interest to information lawyers: see here.  But when and how will any of this be given legislative effect?

The Queen’s Speech was delivered on 25th May 2010. The website of the Prime Minister’s office gives a list of the proposed Bills , with further information about each one. Three of the proposed Bills have potential implications for information law.

(i) The Public Bodies (Reform) Bill will enhance the transparency and accountability of quangos: though it is not clear as yet whether enhanced information access rights will play a role in this.

(ii) The Decentralisation and Localism Bill will (among other matters) require public bodies to publish online the job titles of every member of staff and the salaries and expenses of senior officials.

(iii) The Freedom (Great Repeal) Bill is intended to cover a wide range of subjects, to be announced in due course: it may include an extension to the scope of FOIA, and also various provisions in relation privacy (e.g. relating to CCTV cameras, and the DNA database).

Of these Bills, it is the third that is likely to be much the most significant. 

FROM BIG BROTHER SOCIETY TO BRAVE NEW WORLD?

The Conservative/Lib Dem coalition agreements are available here.  Under the heading “Civil Liberties” there are a number of points that should interest readers of this blog.  These include:

* the scrapping of the ID cards scheme, the National Identity Register, the next generation of biometric passports and the Contact Point database;

* outlawing the fingerprinting of children at school without parental permission;

*  extending FOIA to provide greater transparency;

* adopting the Scottish model for the DNA database;

*  further regulation of CCTV; and

* ending the storage of internet and email records without good reason.

Taken together these suggest that information law issues will continue to be centre stage in political terms.

CCTV In the Dock

A Home Office funded review on the effectiveness of CCTV cameras in the fight against crime has found that it has only a ‘modest impact on crime’. The review, undertaken by the Campbell Collaboration found that the use of CCTV was not effective in cutting vehicle crime in car parks, especially when used alongside improved lighting and the introduction of security guards. The review’s conclusions are likely to prompt further debate not only on the cost effectiveness of using CCTV as a weapon to cut crime (CCTV is now the single most heavily funded crime prevention measure operating outside the criminal justice system) but also on whether the pervasive use of CCTV within our society can be justified, particularly given its potential to interfere with the right to privacy.  Notably, The Home Office cited the review in the context of its response to the House of Lords Comittee on the Constitution Inquiry into ‘Surveillance: Citizens and the State’ (and see my earlier post on the Committee’s report). In its response, the Home Office stated that: In reviewing existing policies and processes, the Government will seek to ensure that due consideration is given to the following key principles: Are robust safeguards in place to protect the information and indiviudal liberties? Are our plans and actions proportionate to the damage and the threat they are seeking to prevent? Are we being as transparent as possible? Are citizens being given the right amount of choice?The Home Office’s response should be read in conjunction with the Information Commissioner’s response to the Committee’s report which was published in 15 April 2009.