CCTV & GDPR one year on

In a recent investigation we revealed alarming levels of non-compliance with the new General Data Protection Regulation (GDPR) which came into force on 25 May 2018, specifically where the use of CCTV is concerned.

The reasons for this worrying discovery were multiple, but appeared mainly to be because the management responsible hadn’t bothered to read all the Regulations in enough detail, don’t think they apply to them, are too lazy to comply with it all or simply don’t understand them.

CCTV cameras are now a fact of life and surround our daily lives. In 2013, the British Security Industry Association (BSIA) estimated there were nearly 6m CCTV cameras in the country, including 750,000 in “sensitive locations” such as schools, hospitals and care homes, and there are some 15,600 on the London Underground network alone. Other estimates put the national tally far lower at 1.85m but it’s virtually impossible to clarify the figures with any degree of accuracy without checking every single property and street from Scotland to Cornwall as cameras are literally everywhere.

Whichever figure is nearer the truth, that’s still a lot of cameras, which may persuade some people we live in a ‘surveillance society’, anathema to those who champion our right in the UK to privacy, freedom of speech, expression and movement.

Like it or not, however, CCTV has become part of the modern British landscape and camera images protect businesses, homes and public property while providing police forces and security organisations with a vital tool for both deterring and solving crime. Given the increasing paranoia now about terrorism, especially in high profile buildings and travel hubs, and the development of more refined technology, one wonders just how many cameras there are watching us anywhere and everywhere.

No doubt this prevalence contributes to the debate about balancing the use of surveillance with individuals’ right to privacy, but across the UK and EU there are now stringent GDP Regulations which cover of the use of CCTV… but just how good are organisations at complying with them?

Since our streets and buildings bristle with CCTV cameras everywhere, inside and outside, recording details and images of our comings and goings (it is estimated that the average Briton is captured on CCTV around 70 times per day) most people believe this is a small compromise to privacy necessary for improved protection from crime. However, facilities, building and security managers or property owners really need to check that their compliance to Regulations is up to scratch before someone complains and they potentially face a hefty fine.

These days, like it or not, the public tend to accept the fact that wherever they go, inevitably they’re captured on someone’s camera, somewhere; it’s a fact of life and reassuring in most cases where their personal security is concerned. However, when you think about it when you are out and about yourself, do you really see advisory or warning signs about CCTV as much as you should (which is what the Regulations demand)? And have you any idea where all the captured images are stored, or if they’re deleted after a certain time, or perhaps shared with other parties? Do we know who really knows where we’re going or what we’re are doing?

The answer is probably not, according to Clearway’s UK CCTV Manager, Andrew Crowne-Spencer.

Andrew says “The whole point of CCTV is security, and its deterrent factor in part, as well as recording the criminal activity to assist law enforcement bodies in detecting the perpetrators. Therefore, if trespassers or criminals don’t even realise they’re on camera, as is what we suspect in a lot of cases, what sort of useless deterrent is that? And, just how good are the images the cameras are supplying? If they’re grainy or blurred due to old equipment, or not set up correctly, that doesn’t help anyone except the trespassers or criminals.

Ten years ago it was reported that 95% of murder cases investigated by Scotland Yard used CCTV footage as evidence, yet latest data suggests 80% of footage now available is of such poor quality it’s almost worthless. That apart, don’t these companies or organisations, even public sector ones, realise that if they’re not properly complying with the GDP Regulation they can be penalised because of it? Sometimes to the tune of many thousands of pounds?”

One year on from the introduction of the new GDPR, Andrew cites some of the key failures that came to light in Clearway’s investigation of its own extensive nationwide client and contact list:

In no particular order:

• Failure to fit signage or keep the information on it accurate.
• Failure to carry out a GDPR risk assessment prior to site CCTV deployment.
• Leaving DVRs (digital video recorders) unlocked or unsecured so anyone, not just designated security personnel, have access to footage.
• Failure to ensure the lenses of CCTV cameras are appropriately directed or are masked so that inappropriate footage is not recorded, and, if the data is shared with other parties, for example to monitor specific individuals, then innocent people are blurred out, a simple matter to deal with using the right software.
• Having CCTV monitors which are viewable by the public.
• Failure to have trained staff to monitor the CCTV.
• Leaving usernames and passwords as default settings or noted next to the equipment.
• If the images are to be shared with other organisations, e.g. the police, TfL, or other security service providers, failure to manage this appropriately to conform to Regulations.

The example below is what was found on one site during the investigation. It’s a great example of common compliance failings:

• DVR on reception desk with monitor on top – no one at reception – someone leaned over the desktop to look at the monitor to see if their taxi was at the front door!
• Username and password on a sticker attached to the monitor.
• We walked outside to find all of the CCTV signage was so worn and old that the contact details had faded away and were illegible.

In a second example, there was a case of the settings on the equipment not being right, specifically the date and time were incorrect and two systems on the same site had times set 17 seconds apart.

That might sound petty, but there was a break-in and, when the intruder was arrested and police showed the CCTV footage in court, the defence barrister asked for all camera footage from both systems to be played concurrently.

As the intruder was seen on two different camera systems at the same time (due to the timers not being synced) the barrister claimed the evidence was inadmissible as it was clearly inaccurate since how could the intruder be in two places at once?

Case dismissed due to lack of evidence! True story.

The message from all this is simple. Check your CCTV systems are doing what they should and you are complying with the Regulations. Because someone, somewhere will be watching what you’re doing sooner or later.

Andrew Crowne-Spencer MIET
UK CCTV & Technical Manager
Clearway Services