Una Riley talks to Johnathan Bamford, the man at the Office of the Information Commissioner in charge of CCTV and the Data Protection Act.
I met Johnathan Bamford last year as Chairman at IFSEC 2001 for one of the BSIA seminars. Johnathan was a speaker on the Data Protection Act 1998 (DPA). Although the content is serious and was perceived by some to be unwelcome to the industry, nothing could be further from the truth. Johnathan is the Assistant Commissioner heading the Law Enforcement, Justice and Inspections Compliance Group, having previously been employed by the Equal Opportunities Commission dealing with Sex Discrimination and Equal Pay cases. He joined the staff of The Data Protection Registrar when the office was established in early 1985 and has remained through the transition to Information Commissioner with the introduction of the Data Protection Act 1998 and Freedom of Information Act 2000. Johnathan has responsibility for ensuring organisations involved in policing, law enforcement, frontier control and criminal justice system comply with the requirements of legislation. He also has responsibility for the commissioner’s international supervisory and inspection activities in relation to the European Police Office (Europol) and the Customs Information System. His group is also responsible for developing the Commissioner’s data protection compliance auditing expertise.
<br><br>
I asked Johnathan about the impact of the Data Protection Act within the CCTV industry. ‘The more and more that our code of practice has been out there and used by people, the more and more it has become apparent to me that there is a coincidence of interest. I have met very few people who deploy their CCTV surveillance over the primary purpose of preventing or detecting crime, either against their business or against members of the public going about their business. But unless the tapes are handled properly and the equipment functions in a proper way, they don’t actually get to use those sort of images in a way that is most effective in preventing or detecting crime. DPA legislation requires this information is fit for its purpose, that it is up to the job, therefore we underpin in many ways the very aim and objective of the people who deploy CCTV in the first place and who have spent an awful lot of their money doing it. We put in place a legally enforceable regime. We want CCTV images there to make sure that criminals get caught and ensure that our businesses and members of the public are protected from criminality. Standards issued through the Data Protection Act assist that process rather than hinder it.’ We went on to talk about the fact that although BS: 7958 addresses the Data Protection Act to a degree it does not cover it sufficiently and as a consequence a standard might be produced in the future based upon the DPA CCTV Code of Practice’ "I am aware of a number of organisations that have seen that our code of practice is almost a helpful checklist of compliance elements. Now the idea of people undertaking data protection compliance audits is not a new thing. This has gone on for ages, when we were just dealing with things that were held on computer. Large firms of accountants, solicitors or other more specialist bodies provided a data protection audit service to check out whether a data controller was actually complying with the data protection law in a general sense. I think that the Information Commission supports this and the fact that people take care and try to comply with legislation. Now we are finding this is moving into the areas of CCTV and using our code of practice to do it. What we need to stress however, is that these are private organisations that are offering a consultancy service as such. At the end of the day there is no certification process that guarantees compliance with the DPA, all it is is somebody who is making good efforts to ensure that the right sort of matters are addressed. Our code of practice has made life a little bit easier for those sort of bodies because they don’t have to quite work out what the retention periods in the fifth data protection principle might be because we have actually given them an idea of what the relevant period would be. Therefore I am not critical of the idea that people would offer a service to check out on compliance, where I would have concern is whether the people offering that service cause any confusion in the mind of any protection clients of what the end product is. The end product is a helpful guide back to the client of other areas of compliance or potential non-compliance. What it isn’t is the certificate that says that you comply with the DPA and therefore the Information Commissioner would never be able to take enforcement action against you. Anybody who implies that they are somehow officially sanctioned by the Information Commission to undertake audited inspection activities is misleading people because we do not sanction anybody to do that. There is no facility for certification process under the DPA, so it is important for people to understand services for what they are. They are helpful, they aid compliance and it is something that we have no objection to but we would not want anybody to be mislead into thinking that by utilising such a service that they guarantee their compliance with Data Protection laws, that’s not the case.’ I suggested to Johnathan: as the National Security Inspectorate are the industry bods that audit to the other British standards pertaining to CCTV, surely it would be better for them to take up the challenge rather than entrants coming in purporting to have UKAS accreditation when in fact they don’t’ Johnathan explained: ‘The situation basically is that because we don’t operate a certification process, I can’t say that one body that has standing in a particular sector is necessarily better at checking the compliance than somebody else who is a commercial organisation. I’ve never tested them out. I don’t know whether one is better than the other. All I can do is basically make sure that anybody operating in these sort of areas has the right sort of information available to them in order that they can make the right judgements on behalf of their clients. Whether it be someone who has traditionally operated in an area of CCTV or whether it be a newcomer to the field. Where we have a lot more concern are bodies that are pretending to charge an official fee on our behalf. This is where we have had a problem with some organisations who are offering registration services under the DPA which involve them charging a much higher fee that we actually have as a statutory notification fee and that caused a large amount of difficulty. Indeed those bodies have been reported to trading standards departments. I hasten to add that there is a big difference between somebody who is masquerading in an area to do with our statutory fees charging more than somebody who operates a sort of service to check on compliance of commercial activity. The two are distinct in some way; my only concern is to make sure that in that latter area, people understand about the purchasing services of these bodies". I am afraid that our industry has thrown up the odd organisation that is not all that it seems, even recently the BSIA had to send out a disclaimer regarding one such company. I asked Johnathan how he felt our industry had embraced the Data Protection Act on CCTV. "I think there are a number of organisation who have embraced the code of practice. I also think there was a vacuum there before which the code has helped to fill. This is particularly the case with town centre schemes where there is widespread surveillance of the population from a third party. I believe in those areas there is a good level of compliance and people addressing their mind to think of what they need to do in data protection terms. However, I am not quite certain about the penetration of the code in some other areas. Things that are relevant in terms of the subject headings apply to everyone no matter how big an operator you are. So having an idea of how long you are going to retain the tapes is relevant whether you are running a town centre scheme or a corner shop. Making sure that tapes are always secure is a sensible thing, not only for the big operators but also the smaller users. Naturally cost is an issue. If you are a local authority and you have a large number of tapes, the way you manage them must be very very methodical and may require an expensive storage facility to ensure they are kept totally secure. If you a smaller operator however, it may be sufficient that when a tape comes out of a machine it is locked away somwhere. I can’t believe that this is going to cause too much of problem with regards to storage facilities. We feel that business has the right to protect itself against crime but the onus is on people who are involved in surveilling people entering their premises to make sure the reason for doing so is a justifiable.’ I asked Johnathan what he considered was the most important aspect of the CCTV code of practice. "A very important point about the CCTV code of practice is that it serves two purposes. First it enables CCTV operators to makes sure they comply with their legal obligations but I think that just as importantly it means the public can be reassured intrusion into their private lives is done on a proper and sound basis.’ I totally endorse these sentiments. As I mentioned at the beginning of this article, the security industry should embrace the DPA. CCTV is a powerful weapon in the war against crime. By ensuring that data is handled correctly we can maximise its potential to deter and detect criminals whilst protecting the freedom and rights of the public.
