How To Pick The Right Commercial Video Surveillance System In 2023
Find out how to pick the right commercial CCTV system for your business. Learn everything you need to know about security cameras, from assessing risk to displaying warning signage.
- Your Legal Obligations
- Assessing Risk
- Governance of DPIAs
- Selecting the Correct Camera
- Selecting the Correct Recorder and Monitor
- Warning Signage
Your Legal Obligations
Principle 2 of the Surveillance Camera Code of Practice states:
“that the use of a surveillance camera system must take into account its effect on individuals and their privacy.”
Processing of personal data using a surveillance camera system will be considered ‘likely to result in high risk to rights and freedoms’ under data protection law.
For instance, where it can systematically monitor public spaces on a large scale, or can involve innovative technology or the processing of biometric data.
As processing using a surveillance camera system is likely to be high risk you must conduct a Data Protection Impact Assessment (DPIA) before the system is installed and review it regularly.
Carrying out a DPIA means that you can determine whether deployment is lawful, and will also be a record of how you have considered and addressed any risks or wider concerns about your project.
This addresses Principle 2 of the Surveillance Camera Code of Practice as well as requirements of data protection law.
What a DPIA must cover and when one is required by law is set out in Article 35 of the GDPR (general processing) and Section 64 DPA 2018 (law enforcement processing).
The ICO has also identified further types of general processing where a DPIA is mandatory, because the processing is likely to result in high risk to individuals’ rights and freedoms.
This can also indicate to controllers who are processing for law enforcement purposes where there may be high risk.
Surveillance camera systems are very likely to sit within the scope of this high risk requirement.
There are situations when you must consider a DPIA, for example:
- When you are introducing a new surveillance camera system.
- Before you process any special categories of personal data on a large scale.
- If you are considering introducing new or additional technology that may affect individuals’ rights and freedoms (e.g. facial recognition technology, automatic number plate recognition (ANPR), audio recording, body worn cameras, unmanned aerial vehicles (drones), megapixel or multi sensor very high-resolution cameras).
- If your system involves any form of data matching.
- When you are changing the location or field of view of a camera or other such change that may raise privacy concerns.
- When you are reviewing your system to ensure that it is still justified. Both the SCC and the ICO recommend that you review your systems regularly, for example as part of annual procedures.
- When you change the way you record images and handle, use or disclose information.
- When you increase the geographical area captured by your surveillance camera system.
- When you change or add an end user or recipient for the recorded information or information derived from it.
1. Likelihood of high risk means that the type of processing has a higher chance of harming individuals.
This could be as a result of decisions taken using this data, or because of an individual’s lack of control over how their information is used.
‘Likely’ does not mean that your project will harm individuals; however, it does mean that you are required to assess your project before it starts, to ensure you reduce any risks you identify.
2. The GDPR identifies certain types of processing where the likelihood of high risk is engaged, for example stating specifically that a DPIA “shall in particular be required in the case of…systematic monitoring of publicly accessible places on a large scale” (Article 35).
3. To assess the level of risk, you must consider both the likelihood and the severity of any impact on individuals.
High risk could result from either a high probability of some harm, or a lower possibility of serious harm.
It is important to embed DPIAs into your organisational processes such as project planning and other management and review activities, and ensure the outcome can influence your plans prior to implementation.
4. A further benefit of carrying out a DPIA is that it will help to address statutory requirements under the Human Rights Act 1998 (HRA).
Section 6(1) HRA provides that it is unlawful for a public authority to act in a way which is contrary to the rights guaranteed by the European Convention on Human Rights (ECHR).
Therefore, in addition to the above, as a public body or any other body that performs public functions you must make sure that your system complies with HRA requirements.
5. When conducting a DPIA you should consider the nature, scope, context and purposes of the surveillance camera activities and their potential to interfere with the rights and freedoms of individuals, as set out in Human Rights law.
- the right to freedom of assembly;
- freedom of thought, belief and religion;
- freedom of expression;
- freedom of association; and
- the protection from discrimination in respect of those rights and freedoms.
Data controllers should consider how the processing is lawful and fair, in order to be compliant with the first principle of data protection law.
If your DPIA identifies a residual high risk that you cannot mitigate adequately, data protection law requires that you must consult the ICO before starting to process personal data. This should be when you are planning your surveillance camera system or making changes to it that will impact on individuals’ rights and freedoms.
Governance of DPIAs
You must carry out a DPIA prior to the processing in the first instance.
If the deployment goes ahead, you should review the DPIA regularly to maintain relevance.
You should be aware that failure to complete a DPIA prior to the deployment of a surveillance camera system could result in the ICO taking enforcement action.
As an organisation that operates a surveillance camera system you will also be the controller of the personal data captured by its cameras.
Under DPA 2018 (Sections 69-71), a data controller is under a legal obligation to designate and resource a data protection officer and to seek their advice when carrying out a DPIA.
Consultation is an important part of the DPIA process. You should obtain the views of people who are likely to come under surveillance or their representatives.
This can often be achieved by existing local consultation mechanisms such as local area committees or safer neighbourhood team meetings.
You can consider other methods, such as face to face interviews, online surveys, and addressing focus groups, crime and disorder partnerships and community forums.
You should also consult internally, for example with your legal department, and staff who will be recorded.
Your DPO may be able to offer advice on how to carry out consultation.
The Surveillance Camera Commissioner’s Passport to Compliance (paragraph 1.5.3) also includes detailed advice on consultation which will be of use.
Principle 2 of the Surveillance Camera Code of Practice also requires that you must carry out regular reviews to ensure your use of surveillance camera systems remains justified.
You should factor a review of your DPIA into your ongoing risk assessment procedures to consider any significant changes to the risks of operating an existing system (for example, extending access to footage to additional parties, or changing the location or capabilities of the system).
Selecting the Correct Camera
It is vital that the correct camera is selected based upon the requirement of the system. Use the DORI method (Detect, Observe, Recognise, Identify) for selecting the camera type/s required:
- Detect: The quality of images captured by a camera allows a user to determine whether a person or vehicle is present.
- Observe: The captured images are able to provide characteristic details of an individual, such as their clothing.
- Recognise: The clarity of the images enables operators to see with a high level of certainty that an object or incident is the same as the one that an operator has seen before, e.g., it is a person, vehicle or a fire.
- Identify: The resolution and quality of the images enable an individual to be identified beyond reasonable doubt.
Once the camera type required is identified it is imperative that the images captured are of the required quality for use and thus fit for purpose.
The minimum standards for new camera installations should be as below unless a specialist camera is required (Licence Plate Recognition or Thermal Imaging for example):
1. Cameras are of Internet Protocol (IP) type and not Analogue type
2. Images captured are of 8 megapixels (4k) or higher
3. Images are captured at 20 frames per second (fps) or higher
If the camera is for a specialist use, such as capturing vehicle registration plates, or using thermal imaging to detect an intruder or fire and linking to a service (such as notifying a monitoring station to call the Police, Fire and Rescue Service or a Key Holder), then specialist advice should be sought from the contractors quoting for the system.
Selecting the Correct Recorder and Monitor
The Network Video Recorder (NVR) and monitor are the hub of the Video Surveillance or CCTV System.
The monitor size should be appropriate for the required system use.
For example, if the system is used in a large office to monitor the exterior of the building via 4 cameras, it is likely that a 50” wall-mounted monitor will be required so that persons are able to view 4 individual cameras at a reasonable size. However, if the use is for review of incidents only, a 22” monitor is likely to suffice.
NB: take into account the requirements of a Display Screen Equipment (DSE) assessment.
The minimum standards for new recorders should be:
1. Recorder is of Internet Protocol (IP) type and not Analogue type (NVR not DVR)
2. Recorder is capable of recording all images from all cameras at 8 megapixels (4k) or higher
3. Recorder is capable of recording all images from all cameras at 20 frames per second (fps) or higher
4. An HDMI output for a monitor
5. A USB output for copying footage to USB hard drive
6. The facility to limit the footage retention length to 31 days (unless DPIA requires more)
7. The recorder has capacity for future expansion both with camera channels and recorder size.
It is common to install a 16-channel recorder instead of an 8-channel recorder because the purchase cost is often under £100.00 more and it will future-proof the system.
The larger recorders also have more hard drive capacity and better processing speeds.
Warning Signage
As part of the Video Surveillance System or CCTV installation there should be warning signage provided by the supplier.
It should be erected at access and egress points to the surveillance area, which at a fenced site would be at all access gates.
If internal cameras are present, signage should be placed at the main reception entrance and, on unfenced sites, at all access and egress points to the site, i.e., driveways and paths. It may also be necessary to place additional signage around the building if persons could enter the surveillance area without using a normal access / egress point.
The signage should state the purpose of the scheme in line with the DPIA and provide the organisation name and contact number (switchboard is advisable).
Example signage is shown below: