The UK has the largest CCTV network in Europe, which has significantly helped prevent crime over the years. This network also forms a central pillar of the country’s crime prevention strategy.
Context
Surveillance technology continues to grow and evolve. For example, cameras have become more cost-effective, so consumers increasingly use them to protect their property and vehicles. In addition, new identification technologies, such as facial recognition, offer broader applications.
Consequently, the Information Commissioner’s Office (ICO) recently published updated guidance on video surveillance. The guidance explains how organisations should operate cameras and handle the data they collect.
What the ICO Guidance Covers
The guidance focuses on key data protection principles and illustrates best practices with case studies.
1. Accountability
Organisations must:
- Control camera operation and data processing
- Comply with data protection rules, keeping written records of:
- Purpose of surveillance
- Potential risks
- Measures to mitigate those risks
2. Lawfulness
Organisations need to determine whether processing image data is lawful. Common lawful bases include:
- Legitimate interests – typically for private businesses, requiring a balancing test between benefits and risks
- Public task – mainly for public authorities
3. Fairness
Organisations should consider:
- What people reasonably expect when recorded
- Camera positioning
- How data is processed
4. Transparency
People should be aware that cameras monitor their movements. Moreover, signage or notifications should clearly indicate surveillance.
5. Governance
Organisations should manage data responsibly:
- Decide who can access and share data
- Implement clear processes for sharing data, such as responding to Freedom of Information requests
- Apply safeguards, for example, using software to redact images before sharing
Automatic Number Plate Recognition (ANPR)
The ICO also provides guidance for other surveillance technologies, such as ANPR. Public authorities and enforcement agencies primarily use this system.
- ANPR helps combat vehicle crime. For example, when a vehicle is reported stolen, the Police National Computer (PNC) records it. ANPR cameras detect the vehicle by its registration mark (VRM) and alert police forces.
- The PNC data also integrates with vehicle check services like Total Car Check, which can flag stolen vehicles.
Data rules for ANPR:
- Organisations must follow strict GDPR and security regulations to protect system integrity.
- VRMs count as personal data because they can identify individuals when combined with other information.
Why the Guidance Matters
The ICO issued this guidance because it observed issues in the market and may monitor compliance more closely in the future.
For automotive firms—especially in retail, auctions, and storage—following the guidance is essential. Key points include:
- Balancing security needs with privacy concerns
- Implementing measures proportional to the risks
- Maintaining written policies and procedures that staff can follow and regulators can review
In conclusion, effective governance ensures that organisations meet data protection principles while protecting privacy.
