At Datpro, we've done our best to create a Web site that anticipates and satisfies our customers' Enquiries and needs. A list of frequently asked questions is shown below. If you do not find an answer to your question here, contact us, click HERE

Do all CCTV systems now have to comply with the Data Protection Act?

Many Data Controllers (the organisation or persons responsible for the system) are confused as to whether those CCTV systems for which they are responsible need to comply with the requirements of the Act and, if so, to what degree.

PFM asked Barrie Goehler of Datpro Ltd for his views.

A- Most if not all of your reader’s CCTV systems and the way in which they use them need to comply with at least some of the requirements of the Act. It’s more about whether or not particular CCTV activities are exempt

A – It’s not so much the size of the system but more about how the system is used, the images gathered and how and for what purpose(s) those images, (the data) is used. Data Controllers should start with the basic question, ‘Does, or could, the data gathered affect an individuals privacy and constitute what is regarded as being ‘personal’.’

A – In many instances the answer should be obvious, it’s just that people are inclined to interpret things differently. There are some who believe that all CCTV systems are a personal intrusion and affect our basic rights to privacy, at the other end of the spectrum, there’s the attitude that, if you’re observed on CCTV and you’re not doing anything wrong, what have you got to worry about.

To answer your question specifically, whilst the Durant V Financial services authority case to which you referred earlier was not directly concerned with CCTV the same principles need to be applied. The court identified two notions to assist in determining if information affects an individuals privacy and is personal. They were; a person has to be the focus of the information and the information tells you something significant about them.

Using your earlier example of the two camera system covering a goods entrance and reception, lets assume in the first instance it does not have a recording facility, but the monitor is viewed by, say, a security guard. When an individual calls or is standing at or near the goods entrance, the security guard keeps an eye on that person to see what they want or what they are doing, the individual being watched is then the focus of attention and by observing that individuals movements displayed on the monitor.

A further example would be if a small CCTV system in operation but in this instance using a recording facility but no-one observing the monitor, an individual entering an area covered by a camera would not at that time be the focus of attention, however if at a later time the recording was reviewed, by say the office manager, and that same individuals movements were studied, then that individual becomes the focus of attention and those movements show something significant about that individual.

In short, if a CCTV system is used in a way that allows the Data Controller to learn more about a particular subjects activities, there is no change as to those requirements of the Act.

A –The Information Commissioners office has already done so, details are available on the Commissioner’s website, further information on our links page, HERE. It was always the intention when the CCTV Code of Practice was published in July 2000 to keep it under review to ensure that it remained relevant in the context of changing technology and jurisprudence.

A -Yes, changes are almost certain! The Data Protection Act CCTV Code of Practice issued in 2000 made clear that the subject of CCTV and its use would be kept under review. To take into account, amongst other things, the courts findings in different cases regarding Data Protection. The Durrant case is one example of this. Following which the Information Commissioners Office have I understand, made some changes.


Although, I believe, the European Commission have sent a formal letter to the UK warning that they consider that certain elements of the UK’s Data Protection Act now do not comply with the EU directive on data protection.


It’s not possible to predict the outcome but, the UK is, of course, obliged to ensure that the EU Data Protection Directive is implemented into UK domestic law and if the UK does not carry this out correctly, proceedings in the European Court of Justice against the UK could result.

A – I understand their opinion but the Data Protection Act is there to ensure, amongst other things, that CCTV is used correctly. Without the Act we could find ourselves living in a ‘Big Brother’ society.

Staff and visitors to a building need to know that if CCTV is installed that it won’t be used in any way that infringes their basic rights.

I believe that the majority of businesses, understand that overall the Data Protection Act and its proper implementation is important to their business a recently conducted survey supports this.

Operating and managing CCTV in compliance with the requirements should mean that CCTV footage of criminal activity is fit for its purpose and acceptable for evidential purposes by the courts. Operating outside of the requirements could mean it’s not admissible. Somewhat defeating the object of having CCTV installed in the first place.

As to winding up in court themselves, providing Data Controllers act in a responsible manner, and accept the principles of the Act, it is unlikely that it will happen.

A –I suppose that incorrectly positioned cameras, cameras that can or are able to view areas outside of the area for which the Data Controller is responsible, closely followed by a lack of a proper understanding of how and when to disclose information and there are now some changes to ‘Right of Subject Access Requests’.

Some data controllers believe that if they number the VCR tapes commonly from 1 to 31 and keep the tapes locked up that they are legally compliant. It’s much more involved than that.

A – In my experience, it often complicates matters. It’s almost as if ‘out of sight, out of mind’ takes over.

By far and away the majority of digital systems installed, which Datpro Ltd are asked to appraise are incapable of retaining images recorded for sufficiently long enough, at a reasonable number of ‘Frames per second’.

Aside from giving the Data Controller an extremely poor level of information, if an incident did occur, many of these systems insufficient abilities means that they fall outside of the requirements of the Data Protection Act.

As often as not, installers who incidentally aren’t legally responsible under the act, to ensure that the equipment they fit or the way it is operated is compliant, fail to give the right advice. We very often see digital systems with eight or more cameras that are operating 24 hours a day, 7 days a week, with less than a 200 GB capacity drive. Where in practice somewhere around ten times this capacity is needed

A - I would be really surprised if recent changes as to the requirements of the Data Protection Act affect as many as 5% of your readers.


If they are sure that the way in which they operate CCTV complied with the original Code of Practice, they don’t need to make any changes. If they are not sure, and they should be, seek advice.

Q - Following the Durant –v- Financial Services case and Lord Aud’s findings in the Court of Appeal, are some CCTV systems now exempt as far as the Data Protection Act is concerned?

Q – Would that include a very small system, for example, one camera covering a goods entrance and one other in a reception area?

Q – How does a data controller decide if the CCTV system they use could affect an individuals privacy and that the information gathered is or could be personal?

Q – Is the Office of Information going to issue further guidelines in view of Lord Aud’s findings?

Q – So can Data controllers expect further changes in the way in which they are required to operate and manage CCTV systems?

Q – What do you say to those people who consider that it’s all got too complicated. They fitted CCTV in the first place largely to protect themselves and their property against criminals and if they don’t comply with the legislation they could wind up in court themselves?

Q – What are the most common breaches of the Data Protection Act that you come across?

Q – Many companies have now installed digital recording systems. Does digital recording make it easier for Data Controllers to comply with the Act?

Q – Do you have any final words of advice for Data Controllers reading PFM magazine, who are responsible for CCTV systems?

Site Specific CCTV system appraisal.

If you are unsure if your CCTV system and the way in which you manage the data meets the legal requirements FM magazine in conjunction with Datpro Ltd are offering to each of its readers the opportunity to have an onsite, no obligation CCTV system appraisal carried out by Datpro Ltd. To arrange yours contact us HERE

© copyright 2014. Datpro Ltd