Written by John Kruse, one of the leading experts on Bailiff Law, this consumer friendly guide is essential reading for anyone who comes into contact with a bailiff.
The book is easy to understand and clearly explains the rights
a bailiff has, and also what they cannot do when collecting debts and repossessing goods etc.
a friend on mine was shopping in Marks and Sparks and had her handbag nicked. she spoke to the manager who said there was nothing he could do, no information or advice was given. he would not give her information on how to obtain the footage, he did not supply information on how to contact their data controler or any procedures.
she also spoke to the police who also seemed to be not to bothered and just said they would get back to her if they persue the case.
in the absence of their care I thought it better to gather the evidence ourselfs and then present the information to the police.
all I need is a template for this kind of request, the banking templates don't look very modifiable.
I think it was Panorama who got a copy from a government CCTV system when looking into either Data Protection or the growth CCTV its self. Seem to remember they did as a S.A.R and gave details such as time, place, descriptions of themselves etc. The website might have more info. They got the tapes they wanted aswell.
I would write a S.A.R, word it strongly staing that they have 14 days etc, give as many details as possible including what was being worn by your friend. Also state (you'll find info on this in the bank letters somewhere, its about filing types and the few times they can deny you) that they cant refuse on the grounds of not being in a suitable filing system, the infomation commissioner is also a good source of info too. As you know the tapes will be clearly marked with dates etc and locked away. Some one might refute this but I'm sure they cant deny it under the data protection act on the grounds of the other customers either because thier isn't any personel data available from it and it isn't going to be broadcast. Besides, the government would have been the first to refuse access on those grounds if they could.
Hope this helps and if any body else knows better then I am sure they will be along. Its what actions to take if they refuse that might get a little complicated
I am familiar with this,and have in the past posted on it.
There is extensive info specifically relating to data protection and CCTV.
First of all,I will say that there IS a requirement for stores to post the name and contact details of the person or persons who operate and control the system.Such notices should be clearly visible.
The problem is that so many,including Police officers remain oblivious to the Data Protection Act laws.
Here is some guidance to read over.
Insofar as a templated letter is concerned,I suggest something of the following.
To the Data Controller
Store address
Data Protection Act1998 Subject Access; CCTV Captured images s7.
Date
Dear Sir/Madam,
I wish to make a request under the Data Protection act1998 ,to be given a copy of video/fixed photographic stills and images recorded by your store in....................... ......which have images of myself.
on the ............(Date)at approximately .........am/pm
This is my right under section 7 of the act,principles 1/6/7.
Please forward me a copy of your request form,which shows your process to obtain this,in compliance of the act.
I give you 40 days to comply,and enclose the stat fee of 10.00.
I will be requiring a copy of images that include myself,on VHS Video/VCD/DVD format,since this is the only means I have to view it using my own equipment.
I understand that a data controller,can refuse to provide a request,in the absence proof of the subject being supplied.
To comply with this requirement,I enclose a copy of my driving licence/Passport (delete as app)
and also a copy of a recent utility bill to confirm my address.
Yours Faithfully
XXXXXXX
You should make your request to the Store.
But additionally send a copy to M&S registered office.
Send recorded and keep a copy yourself.
If you are sent a private message directing you for advice or support with your issues to another website,this is your choice.Before you decide,consider the users here who have already offered help and support.Private message facilities are offered for users to communicate issues that are/or could be seen to be inappropriate for posting on the main forum.Site rules explain this in more detail.If you are approached by private message with a view to asking you to visit another website,please inform the site team via the report icon. Advice offered by Martin3030 is not supported by any legal training or qualification.Members are advised to use the services of fully insured legal professionals when needed. Donations help CAG to help YOU Click here
The Data Protection Act 1998 is based on the following Eight Principles:
Section 4(4) of the Data Protection Act 1998 places all Data Controllers under a duty to comply with the Eight Principles of Data Protection.
As a quick reference guide:
First Principle
Personal data shall be processed fairly and lawfully, and, in particular, shall not be processed unless
a.At least one of the conditions of Schedule 2 is met, and
b.In the case of sensitive personal data, at least one of the conditions of Schedule 3 is also met.
Second Principle
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
Third Principle
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
Fourth Principle
Personal data shall be accurate and, where necessary, kept up to date
Fifth Principle
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
Sixth Principle
Personal data shall be processed in accordance with the rights of data subjects under this Act
Seventh Principle
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
Eighth Principle
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.
Initial Assessment - Data Protection Principle 1
The purpose and use of the CCTV system should be established before use.
1. Assess the reasons for using equipment and how appropriate it is.
2. Establish the person or organisation that is legally responsible for the scheme
3. Establish the purpose of the scheme
4. Document standards 1-3.
5. Lodge notification with the Office of the Information Commissioner to cover purposes of use
6. Document and identify the person or organisation that will monitor compliance of scheme
7. Establish and document security and disclosure policies.
Location of Cameras - Data Protection Principle 2
To ensure the images are captured in a manner prescribed the location of cameras must be carefully considered.
1. The equipment should be used only to monitor the intended spaces.
2. Owners and residents of domestic premises must be consulted if domestic premises border the intended area to be viewed. (Not mandatory but good practice)
3. Those operating the system must be aware of its purpose and only use it for its specified purpose.
4. The cameras must be restricted where practicable so that those operating the system cannot overlook spaces that are not intended to be viewed.
5. Signs, which are clearly visible and legible, should be displayed so that the public are aware they are entering an area covered by CCTV.
6. Specific information should be included on the sign
Identity of who is responsible for the scheme
The purpose of the scheme
Identity of who is responsible for the scheme *
Details of who to contact regarding the scheme *
(* only applies if the location does not make this obvious)
7. If signs are not appropriate and monitoring is for a specific CRIMINAL activity:
Fully document the following steps
Identify the specific criminal activity
Identify there is a need to use surveillance to obtain evidence of that activity and whether the use of signs would prejudice success in obtaining such evidence
To ensure it is not carried out for longer than necessary, assess how long covert monitoring should take place
Access by Data Subjects
This right is provided by section 7 of the Data Protection Act 1998 - Data Protection Principles 1, 6 & 7.
1. When data subjects make a request for accessing their information, those operating the system must be able to recognise such a request.
A standard Subject access request form should exist for this purpose and should indicate:
What information is required to locate the requested images
What information is required in order to identify the person making the request
What fee is charged for carrying out the requested search (max £10.00)
Whether merely viewing the images recorded would satisfy the individual
That within 40 days of receiving the required fee and information the response will be provided
An explanation of the Rights provided by the 1998 Act
2. Written information should be given to individuals of the types of images retained, their purpose and the policy concerning disclosure in relation to those images
3. Standard 2 above should also be provided with the Subject access request form
4. The designated person should deal with all subject access
5. The images requested should be located by a designated person
6. A designated person should make the decision whether disclosure also entails disclosure to a third party
7. A designated person should determine the decision as to whether the images of third parties are held under a duty of confidence
8. A designated person must ensure that third party images are disguised if third party images are not to be disclosed
9. An editing company may be used if the system does not have the capability to comply with standard 8 above
10. If a third party or an editing company is used the following procedures apply:
There is a contractual relationship between the data controller and the editing company
The editing company must give appropriate guarantees regarding the security measures taken in relation to the images
It is the responsibility of the designated person to check and ensure that the guarantees are met
That the editing company can only use the images in accordance with the instructions of the designated person should be explicit and in the form of a written contract
The security guarantees provided by the editing company should be explicit and in the form of a written contract
11. If it is decided by a designated person that an access is not to be complied with, the following should be documented:
The date of the request
The identity of the person making the request
Why the request to supply the images was refused
The name and signature of the designated person making the decision
12. All staff should be aware of individuals' rights
13. If disclosure is made, it should be in private with only authorised staff present
14. The Data Subject is entitled to a copy of his data in intelligible format (Standard VHS tape)
Under Sections 10, 12 And 13 Of The Data Protection Act 1998 Other Rights May Also Apply
1. When there is a request from an individual to prevent processing likely to cause unwarranted and substantial damage or automated decision taking in relation to that individual. All operators must be able to recognise such a request
2. When such requests are made all staff must be aware of the designated person who should respond to them
3. The response from the designated person must indicate whether they will comply with such requests
4. There must be a response in writing within 21 days of the designated person receiving the request
5. The designated person must give written reasons if the request cannot be complied with
6. A copy of the request and response must be kept
7. The designated person must notify the individual if an automated decision is made
8. If the individual makes a request in writing within 21 days the designated person must reconsider an automated decision
9. The designated person will respond within 21 days setting out the steps they will take if they receive a receipt of the written request in standard 8 above
10. The designated person will document the original decision, the request from the individual and their response to the request
11. Data Subjects can take court action to prevent unlawful processing
12. Data Subjects can claim compensation for "damage" suffered as a result of breaches of this Act
Action Surrounding Subject Access Requests, Complaints And Audit
1. The contact point indicated on the sign should be available to members of the public during office hours Employees staffing the contact point should be aware of the appropriate policies and procedures
2. Specific documentation should be provided to each enquiry
Enquirers should be provided, on request, with one or more of the following:
* The leaflet which individuals receive when they make a subject access request as general information
* A copy of this code of practice
* A subject access request form if required or requested
* The complaints procedure to be followed if they have concerns about the use of the system
* The complaints procedure to be followed if they have concerns about the non-compliance with the provisions of this code of practice
3. A complaints procedure should be clearly documented
4. A record of the number and nature of complaints or enquiries received should be kept together with an outline of the action taken
5. A designated person should use the report in standard 4 to assess public reaction to and opinion of the use of the system
6. A designated person should undertake regular reviews of the documented procedures to ensure compliance with the code
7. A report of the reviews in standard 6 should be provided to the data controller so the legal obligations and provisions of this code can be monitored
8. An internal annual assessment should be undertaken
9. The results of the report in standard 7 should be compared with the purpose of the scheme. If the scheme is not achieving its purpose, it should be discontinued or modified
10. The results of the report in standard 7 should be made publicly available
Images should not be retained for longer than is necessary
Images should not be retained for longer than is necessary. While retained, the integrity of the images must be maintained to ensure their evidential value and/or to protect the rights of the people whose images have been recorded. Access to, and the security of, the images should be controlled. - Data Protection Principle 3, 5 & 7
1. Images should not be retained for longer than necessary to achieve the purposes of the CCTV system
2. Once a retention period has expired, images must be erased
3. If images are to be held for evidential purposes, they should be kept in a secure place with controlled access away from other routine data
4. There are procedures for removing the medium on which the images have been recorded for use in legal proceedings. The following should be documented:
* The date on which the images were removed from the general system
* The reason why they were removed
* Any crime incident number to which the images are relevant
* The location of the images
* The signature of the collecting officer; see below
If the medium on which images are recorded is removed the following should be documented:
The date and time of removal
The names of the person removing the images
The name(s) of the person(s) viewing the images and the organisation(s) they represent
The reason for the viewing
The outcome if any of the viewing
The date and time that images were returned to the system (or secure place if they have been retained for evidential purposes)
5. Monitors in areas where individuals would have an expectation of privacy should not be viewed by unauthorised operators and/or employees of the operators
6. Access to images should be restricted to designated staff
7. All CCTV data must be stored securely with access limited to authorised personnel only
8. Viewing of recorded images should only take place in a restricted area
9. There are procedures for the removal of the medium on which images are recorded see 4 above.
10. All operators and employees to be informed of the procedures for accessing the recorded images
11. All operators to be trained in their responsibilities so they are aware of the user's security and disclosure policies and the rights of individuals.
Access to and the disclosure of CCTV images
Access to, and the disclosure of, CCTV images and the disclosure of images to third parties should be restricted and carefully controlled to ensure the rights of individuals are protected. The chain of evidence must remain intact if the images are required for evidential purposes. Reasons for the disclosure of the images must be compatible with the purpose for which the images were originally recorded. - Data Protection Principles 2, 7 & 8
1. Access to the images should be restricted only to those who need access to fulfil the purpose of the system
2. All access should be documented
3. Disclosure should be made in limited and prescribed purposes
4. All requests for access should be recorded and reasons for any denials
5. There are procedures for allowing access or disclosure
When access to or disclosure of the images is allowed then the following should be documented:
The date and time of access or disclosure
Identification of third party to whom access or disclosure is allowed
The reason for allowing access or disclosure
The extent of information to which access or disclosure is allowed
6. Recorded images should not be made widely available e.g. on an intranet site
7. If the images are made widely available, the decision should be made by a designated person and the reasons documented
8. If the images are disclosed to the media, the images of individuals will need to be disguised to avoid identification
9. If the system does not have the capability to comply with standard 8 above, an editing company may be used
There are procedures if an editing company is used
There is a contractual relationship between the data controller and the editing company
The editing company has given the appropriate guarantees regarding the security measures they take in relation to the images
The designated person checks to ensure the guarantees are met
The written contract makes it explicit that the editing company can only use the images in accordance with the instructions of the designated person
The written contract makes the security guarantees provided by the editing company explicit
10. There are procedures if the media organisation receiving the images undertakes the editing (See notes under point 9 above.)
Quality of the Data
Quality of the Data - Images produced by the system must be as clear as possible to ensure that they are effective for the purposes for which they are intended. - Data Protection Principle 3.4 & 5
1. When installed, the equipment should be checked to ensure it performs correctly
2. Tapes (if used) should be of good quality
3. The maximum number of passes is 13 times
4. The medium on which the images are recorded should be cleaned to prevent recording on top of previous images
5. The medium on which the images are recorded should no longer be used if there is a deterioration in the quality of the images
6. If the system records location of camera, date, time etc. these should be accurate
7. There should be a documented procedure for 5 above
8. Cameras should be sited only where they will capture relevant images
9. If automatic facial recognition systems are utilised, the database of images should be clear
10. A human operator should assess and determine the action to be taken to verify matches made by automatic facial recognition systems
11. The assessment in 9 above should be documented regardless of a match on the data base
12. Consideration must be given to the physical conditions in which the cameras are located
13. Operators should assess whether real time or specific timed recordings are required
14. Cameras should be properly maintained and serviced
15. Cameras should be protected from vandalism (if it is a likely problem)
16. A maintenance log should be kept
17. If a camera is damaged, there are clear procedures for:
* Defining the person responsible for making arrangements for ensuring the camera is fixed
* Ensuring the camera is fixed within a specific time period
* Monitoring the quality of the maintenance work
If you are sent a private message directing you for advice or support with your issues to another website,this is your choice.Before you decide,consider the users here who have already offered help and support.Private message facilities are offered for users to communicate issues that are/or could be seen to be inappropriate for posting on the main forum.Site rules explain this in more detail.If you are approached by private message with a view to asking you to visit another website,please inform the site team via the report icon. Advice offered by Martin3030 is not supported by any legal training or qualification.Members are advised to use the services of fully insured legal professionals when needed. Donations help CAG to help YOU Click here
CCTV SAR, need evidence of theft from M&S
template for CCTV access.
Reply With Quote
