A code of conduct governing the use of CCTV cameras by police and local authorities is set to be scrapped when the government’s new data protection bill is made law. It is feared the changes, which see all use of CCTV cameras fall under the control of data regulator the Information Commissioner’s Office (ICO), will mean there is less scrutiny on the way law enforcement agencies use information collected by cameras.
The code of conduct, known as the Surveillance Camera Code of Practice has been in place since 2013 and was administered by the Biometrics and Surveillance Camera Commissioner (BSCC). It sets out what it calls “guiding principles” for the use of the cameras by police and local authorities.
But as part of its bonfire of regulations, the government is scrapping the role of the BSCC and moving its duties to the ICO. The upcoming Data Protection and Digital Information Bill, the UK’s post-Brexit replacement for the EU’s GDPR, includes this reform, has no mention of the code of practice.
Outgoing BSCC Professor Fraser Sampson told Tech Monitor that, as the legislation is written, all the ICO will be able to judge misuse by police and local authorities against is general data protection laws. He said this was a particular risk when it comes to uses such as automatic number plate recognition (ANPR), as under the bill there would be nothing to stop a police force selling the details to an insurance company, wheel clampers, or for other use-cases.
Data protection bill risks ANPR misuse
Professor Sampson describes ANPR as “an indispensable policing tool” but fears its use could be expanded under the new laws to encompass other areas. “A vehicle noted by an ANPR camera on the school run could have details of how many occupants, the colour of the vehicle, how fast it was moving,” he says. “Who will police share that information with?”
A spokesperson for the Home Office, which is responsible for the use of CCTV by police and local authorities, said: “It’s absolutely not the case that we’re presiding over the deregulation of CCTV – we are just simplifying the oversight framework.
“The ICO already regulates the use of surveillance cameras by all organisations and will continue to do so, whereas the Surveillance Camera Commissioner just promotes compliance by police and local authorities.”
It is true that the ICO is already ultimately responsible for the regulation of CCTV, but Sampson told Tech Monitor dropping the code of practice was a mistake as it includes specific regulations around use by police not covered under general legislation.
An ICO spokesperson said it would “continue to carry out our existing role overseeing the use of personal data in surveillance, including through our guidance on video surveillance”.
The ICO’s general CCTV guidance could be expanded
It isn’t clear whether the ICO’s general guidance, which was introduced to regulate the use of cameras by private companies, will be adapted to include specific police uses of CCTV.
Jo Joyce, senior counsel specialising in data and information rights at law firm Taylor Wessing, has reviewed the new draft bill, and says that the abolition of the Office of the Surveillance Camera Commissioner gives the appearance of reducing regulation of CCTV surveillance.
However, she says the actual situation is more complex. “Since the role was created in 2012 the commissioner has been responsible for encouraging compliance with the Surveillance Code of Practice and has never had any enforcement powers,” she explains. “Without the ability to enforce the Code of Practice, surveillance commissioners have struggled to gain traction and profile over the past decade.
“Enforcement of rights in relation to CCTV sits largely with the Information Commissioner’s Office and the bill does not change or reduce their powers where CCTV use could amount to a breach of the UK privacy law.”
What isn’t known is how CCTV usage by police and local authorities will be enforced, she explained, as “it is not yet known whether the Surveillance Camera Code of Practice will also be abolished or amended but it is likely that oversight and guidance relating to CCTV best practice will be fully absorbed by the ICO”.
This suggests that the ICO guidance on CCTV use will be adapted to reflect aspects of the surveillance code of practice, although attempts by Tech Monitor to clarify that point with both the ICO and Home Office have gone unanswered.
Easy to adopt code of practice
Professor Sampson said it would have been easy for the ICO to adopt the existing code of practice but there is nothing in the bill that suggests it was ever considered.
“There is no indication of where the responsibilities will go, why they are not in the bill or what will happen to the code under the new legislation,” he says.
“While it doesn’t outright scrap the code, it removes the statutory obligation. After this comes into force, the police will have no obligation to follow any code of practice over use of public cameras in public spaces.”
“We are heading towards a national combined ANPR system which will carry out about 100 million reads per day with no statutory underpinning, no governance body, and nobody to write to if you have questions about it.”
He argues that the ICO will only be able to fall back on generic data privacy legislation with nothing specific to certain uses.
It isn’t clear when the Data Protection and Digital Information Bill will become law, as the change in Conservative Party leadership, that saw Liz Truss become prime minister, has led to a delay. It is still waiting for a date for its second reading in the House of Commons and could be subject to amendment by parliament’s committees.