CCTV at Work

[poker_mad]

A friend of mine works for a large company whos building has around 9 cctv cameras for security About 5 are inside. The company works 24/7 and only shuts chrismas day and new years day. In the day about 20 people work across offices and a large workshop and at night about 9 people. Instalation has started on instaling about 15 internal cameras which will be linked to a head office and also for anyone in management to log into if they have log in details. Possibly the manager will be watching every move from home.

 

Does anyone know the facts about cctv law and what is classed as spying. Can security cctv be used to punish an employer for taking 4 hours to do a 3 hour job or even having too many tea breaks?

 

Any advice would very much help.

[kennythecelt]

You don't tell us what kind of business it is.

 

Regards, Kenny

[Conniff]

My Employer is a Public Body

If your employer is a public body, they have an obligation to respect your right to privacy (Article 8) under the Human Rights Act 1998 (HRA). However, this right is a qualified right, which means that it may be interfered with when such interference is in accordance with law, for a legitimate purpose (e.g. to prevent crime, for public safety) and the interference is proportionate in trying to achieve the necessary aim. For example, in some situations, CCTV cameras may be necessary for security reasons in certain places. They may also be used to investigate and prevent crimes. An example of disproportionate use may arguably be where cameras were put in toilets or changing rooms.

My Employer is a Private Organisation

If your employer is a private organisation or company, then you cannot directly rely on the HRA. However, in all contracts of employment, there is an implied term that employers will not without reasonable and proper cause conduct themselves in a manner calculated or likely to destroy, or seriously damage, the relationship of confidence and trust between themselves and employees. However, it is unlikely that CCTV cameras in obvious places in the workplace would breach this implied term.

Ultimately, there is very little to stop employers making recordings. The placement and retention of footage must be in accordance with regulations under the Data Protection Act 1998. You can contact the Information Commissioner by telephoning 01625 545 740 for more information.

[kennythecelt]

Thanks Conniff, very useful information.

[poker_mad]

An Interesting Read.

 

The business is a comercial vehicle(Trucks) main dealer workshop

[ozzywizard]

Yeah very interesting topic, I know my manager has mentioned a few times he would like to install a camera in our office, this is also 24/7 and he is concerned that on a night shift people are not working to a full capacity. He wishes to watch us from home and check we are doing what we should be. Also he claims this is for additional security as only 2 people in the building for the 12 hours night shift. It is a private company call centre.

I also am not sure if this is legal.

[djgordyp]

Just look what you've started Poker_Mad :D .

I work in a meat processing plant and I'd nearly swear our cameras are mateing, every few months another one seems to spring up. It started a couple of years ago with a rotating camera in the midde of the boning hall

 

Starting as you go in in the mornign. There is one either end of the changing rooms, one in each de-robing area, one watcing the handwashing area, two watching the boot wash (one as you go in the other as you go out). As you go into the packing area. There are two watching the stacking area, one watching the scales, one watching the three vac-pac machines, one watching the beef coming towards the baggers, one watching the baggers. And finally, one watching the belt carriyng the offcuts of beef. That makes a grand total of sixteen. I wonder how many they have in the big brother house?

Sugestions are welcome as to where they might put other cameras. One place I can think of is my supervisors hat. Maybe then we could find out where she goes to when we get busy and can't find her :-D .

[tiaposy]

Poker-Mad

Very interesting. I too work in a commercial dealer and they are installing cameras in our offices too as we speak!. I cannot see why, other than to spy on us and it really annoys me.

[Conniff]

Are male or female tiaposy?

[tiaposy]

female

[Conniff]

Good.

 

You will have a right to see these recordings.

 

I hope what I am about to say isn't classed as 'not politically correct' or 'sexual harrassment'

 

Summer is coming, I would suggest you wear a low neckline, after a couple of weeks, ask to see the recording and see what they are actually recording.

I think you should get my drift from that.

You could then make a complaint about privacy etc; if there is anything that you dislike.

Of course it could be just a long shot of the office with no staff in the frame and then you will have to put up with it.

[tiaposy]

Thanks for that however they would be very disappointed if I wore a low-cut top! lol

Its good to know we can see the recordings as I would like to know why they are putting the cameras in.

[g7rta]

Hi, what a great forum ! I could really do with some advice please.

 

I work for a small tool company & we have a trade counter area/shop front downstairs. I have a desk near to the counter as do 2 of my colleagues.

My boss recently installed 4 cctv cameras. These are the domed type "spy cameras" & one is installed in our downstairs area.

We all received a memo just before the installation saying that for security reasons cctv would be installed.

 

After reading the "2008 CCTV Code of Practice" I understood it that employers must avoid cameras aimed directly at staff, & can only monitor staff this way if they suspect a crime is being commited.

see..

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ico_cctvfinal_2301.pdf

 

& yet today my colleague was in the bosses office & the monitor screen showed that the camera was only on us ! Not only that but it was zoomed right in & you couldn't even see the counter area or any of the other cameras, just our faces & desks. Apparently the boss was a little flustered as he didn't expect my colleage to walk in at that moment.

What's more when he bought the cameras, he also bought an 'audio board' - a small circuit board with a microphone. The CCTV guide also says you should avoid camera wiuth audio monitoring capabilities, & as far as I know these camera didn't actually have audio... so the boss bought the additional audio card. My boss told me one weekend that it is possible to hear audio but I don't know whether or not he has ever used it. (I suspect he has) As far as I know this is certainly illegal, am I correct ?

If the CCTV code of practice is the law, then half of what my boss is doing is illegal.

Can anyone confirm this please ?

 

Thank you.

[Gogivit]

I think that only persons who have a CCTV license are the only ones who can actually act on what they see!

 

In addition its worth mentioning that if a person watching them often is not a security officer then that person obviously is not being busy themselves which begs the question are they needed and are they performing their own tasks efficiently!

 

I am used to having cameras on me all the time- you get used to it.

[g7rta]

Hi, thanks for your reply. The company I work for is small & we've always had a relaxed atmosphere, although this has obviously now changed a bit. The person doing the watching is the boss. Although something else that we weren't told about is that the video (& audio ?) is being streamed over the internet & the electrician who installed it all can view the cameras (& even control them) from his home ! The boss has never mentioned this & probably doesn't know that we know.

 

Regards

Steve G7RTA

[MrShed]

I apologise in advance for what is going to seem like a "troll" post.

 

However, this seems like complaining for the sake of complaining.

 

If you are working wholly appropriately and performing your job as required, then why are you bothered about the cameras?

[MARTIN3030]

I have been installing for some years and CCTV was incorporated into the Data protection act very soon after its birth.There has been subsequent ammendments and additions which are in place to protect individuals.The last of which was this year.

There are differing rules according to the systems and number of cameras and the type of control gear.But there are some basic rules that apply.

1.Notices informing of cameras must be placed strategically and clearly visible near each camera.

2.A notice must be posted displaying the names of the operator of the system along with their contact details.

3.Cameras and auxilliary equipment such as mounting brackets and monitors must be maintained to good standard and faulty or damaged equipment should be replaced speedily.

4.There are strict rules in place on the storage of recorded data which should be stored securely in locked compartments.There is also a requirement to maintain activity logs and each tape or disc has to be clearly labelled or marked.

There are guidelines on specific recording areas both for private and commercial applications.

Where more complex systems are being operated (such as motorised cameras) there is a requirement to register with the ICO as data processor and or controller.

 

Subjects who have had their images recorded are entitled to ask for a copy of that image or images under the data protection act.The operator must comply with a copy which should be in the format requested-ie VHS tape or DVD.

If anyone wants specific guidance I will be happy to let you have details of codes of practice.

[MARTIN3030]

Heres a more exhaustive list.

 

 

The Data Protection Act & CCTV

 

The Data Protection Act 1998 is based on the following Eight Principles:

 

Section 4(4) of the Data Protection Act 1998 places all Data Controllers under a duty to comply with the Eight Principles of Data Protection.

 

As a quick reference guide:

 

First Principle

 

Personal data shall be processed fairly and lawfully, and, in particular, shall not be processed unless

 

a.At least one of the conditions of Schedule 2 is met, and

 

b.In the case of sensitive personal data, at least one of the conditions of Schedule 3 is also met.

 

Second Principle

 

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes

 

Third Principle

 

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed

 

Fourth Principle

 

Personal data shall be accurate and, where necessary, kept up to date

 

Fifth Principle

 

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes

 

Sixth Principle

 

Personal data shall be processed in accordance with the rights of data subjects under this Act

 

Seventh Principle

 

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

 

Eighth Principle

 

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.

 

Initial Assessment - Data Protection Principle 1

 

The purpose and use of the CCTV system should be established before use.

 

1. Assess the reasons for using equipment and how appropriate it is.

2. Establish the person or organisation that is legally responsible for the scheme

3. Establish the purpose of the scheme

4. Document standards 1-3.

5. Lodge notification with the Office of the Information Commissioner to cover purposes of use

6. Document and identify the person or organisation that will monitor compliance of scheme

7. Establish and document security and disclosure policies.

 

 

Location of Cameras - Data Protection Principle 2

 

To ensure the images are captured in a manner prescribed the location of cameras must be carefully considered.

 

1. The equipment should be used only to monitor the intended spaces.

2. Owners and residents of domestic premises must be consulted if domestic premises border the intended area to be viewed. (Not mandatory but good practice)

3. Those operating the system must be aware of its purpose and only use it for its specified purpose.

4. The cameras must be restricted where practicable so that those operating the system cannot overlook spaces that are not intended to be viewed.

5. Signs, which are clearly visible and legible, should be displayed so that the public are aware they are entering an area covered by CCTV.

6. Specific information should be included on the sign

Identity of who is responsible for the scheme

The purpose of the scheme

Identity of who is responsible for the scheme *

Details of who to contact regarding the scheme *

(* only applies if the location does not make this obvious)

 

7. If signs are not appropriate and monitoring is for a specific CRIMINAL activity:

Fully document the following steps

Identify the specific criminal activity

Identify there is a need to use surveillance to obtain evidence of that activity and whether the use of signs would prejudice success in obtaining such evidence

To ensure it is not carried out for longer than necessary, assess how long covert monitoring should take place

 

 

Access by Data Subjects

 

This right is provided by section 7 of the Data Protection Act 1998 - Data Protection Principles 1, 6 & 7.

 

1. When data subjects make a request for accessing their information, those operating the system must be able to recognise such a request.

 

A standard subject access request form should exist for this purpose and should indicate:

What information is required to locate the requested images

What information is required in order to identify the person making the request

What fee is charged for carrying out the requested search (max £10.00)

Whether merely viewing the images recorded would satisfy the individual

That within 40 days of receiving the required fee and information the response will be provided

An explanation of the Rights provided by the 1998 Act

 

2. Written information should be given to individuals of the types of images retained, their purpose and the policy concerning disclosure in relation to those images

3. Standard 2 above should also be provided with the subject access request form

4. The designated person should deal with all subject access

5. The images requested should be located by a designated person

6. A designated person should make the decision whether disclosure also entails disclosure to a third party

7. A designated person should determine the decision as to whether the images of third parties are held under a duty of confidence

8. A designated person must ensure that third party images are disguised if third party images are not to be disclosed

9. An editing company may be used if the system does not have the capability to comply with standard 8 above

10. If a third party or an editing company is used the following procedures apply:

There is a contractual relationship between the data controller and the editing company

The editing company must give appropriate guarantees regarding the security measures taken in relation to the images

It is the responsibility of the designated person to check and ensure that the guarantees are met

That the editing company can only use the images in accordance with the instructions of the designated person should be explicit and in the form of a written contract

The security guarantees provided by the editing company should be explicit and in the form of a written contract

 

11. If it is decided by a designated person that an access is not to be complied with, the following should be documented:

The date of the request

The identity of the person making the request

Why the request to supply the images was refused

The name and signature of the designated person making the decision

 

12. All staff should be aware of individuals' rights

13. If disclosure is made, it should be in private with only authorised staff present

14. The Data Subject is entitled to a copy of his data in intelligible format (Standard VHS tape)

 

Under Sections 10, 12 And 13 Of The Data Protection Act 1998 Other Rights May Also Apply

 

1. When there is a request from an individual to prevent processing likely to cause unwarranted and substantial damage or automated decision taking in relation to that individual. All operators must be able to recognise such a request

2. When such requests are made all staff must be aware of the designated person who should respond to them

3. The response from the designated person must indicate whether they will comply with such requests

4. There must be a response in writing within 21 days of the designated person receiving the request

5. The designated person must give written reasons if the request cannot be complied with

6. A copy of the request and response must be kept

7. The designated person must notify the individual if an automated decision is made

8. If the individual makes a request in writing within 21 days the designated person must reconsider an automated decision

9. The designated person will respond within 21 days setting out the steps they will take if they receive a receipt of the written request in standard 8 above

10. The designated person will document the original decision, the request from the individual and their response to the request

11. Data Subjects can take court action to prevent unlawful processing

12. Data Subjects can claim compensation for "damage" suffered as a result of breaches of this Act

 

 

Action Surrounding Subject Access Requests, Complaints And Audit

 

1. The contact point indicated on the sign should be available to members of the public during office hours Employees staffing the contact point should be aware of the appropriate policies and procedures

2. Specific documentation should be provided to each enquiry

 

Enquirers should be provided, on request, with one or more of the following:

The leaflet which individuals receive when they make a subject access request as general information

A copy of this code of practice

A subject access request form if required or requested

The complaints procedure to be followed if they have concerns about the use of the system

The complaints procedure to be followed if they have concerns about the non-compliance with the provisions of this code of practice

 

3. A complaints procedure should be clearly documented

4. A record of the number and nature of complaints or enquiries received should be kept together with an outline of the action taken

5. A designated person should use the report in standard 4 to assess public reaction to and opinion of the use of the system

6. A designated person should undertake regular reviews of the documented procedures to ensure compliance with the code

7. A report of the reviews in standard 6 should be provided to the data controller so the legal obligations and provisions of this code can be monitored

8. An internal annual assessment should be undertaken

9. The results of the report in standard 7 should be compared with the purpose of the scheme. If the scheme is not achieving its purpose, it should be discontinued or modified

10. The results of the report in standard 7 should be made publicly available

 

 

Images should not be retained for longer than is necessary

 

Images should not be retained for longer than is necessary. While retained, the integrity of the images must be maintained to ensure their evidential value and/or to protect the rights of the people whose images have been recorded. Access to, and the security of, the images should be controlled. - Data Protection Principle 3, 5 & 7

 

1. Images should not be retained for longer than necessary to achieve the purposes of the CCTV system

2. Once a retention period has expired, images must be erased

3. If images are to be held for evidential purposes, they should be kept in a secure place with controlled access away from other routine data

4. There are procedures for removing the medium on which the images have been recorded for use in legal proceedings. The following should be documented:

The date on which the images were removed from the general system

The reason why they were removed

Any crime incident number to which the images are relevant

The location of the images

The signature of the collecting officer; see below

 

 

If the medium on which images are recorded is removed the following should be documented:

The date and time of removal

The names of the person removing the images

The name(s) of the person(s) viewing the images and the organisation(s) they represent

The reason for the viewing

The outcome if any of the viewing

The date and time that images were returned to the system (or secure place if they have been retained for evidential purposes)

 

5. Monitors in areas where individuals would have an expectation of privacy should not be viewed by unauthorised operators and/or employees of the operators

6. Access to images should be restricted to designated staff

7. All CCTV data must be stored securely with access limited to authorised personnel only

8. Viewing of recorded images should only take place in a restricted area

9. There are procedures for the removal of the medium on which images are recorded see 4 above.

10. All operators and employees to be informed of the procedures for accessing the recorded images

11. All operators to be trained in their responsibilities so they are aware of the user's security and disclosure policies and the rights of individuals.

 

 

Access to and the disclosure of CCTV images

 

Access to, and the disclosure of, CCTV images and the disclosure of images to third parties should be restricted and carefully controlled to ensure the rights of individuals are protected. The chain of evidence must remain intact if the images are required for evidential purposes. Reasons for the disclosure of the images must be compatible with the purpose for which the images were originally recorded. - Data Protection Principles 2, 7 & 8

 

1. Access to the images should be restricted only to those who need access to fulfil the purpose of the system

2. All access should be documented

3. Disclosure should be made in limited and prescribed purposes

4. All requests for access should be recorded and reasons for any denials

5. There are procedures for allowing access or disclosure

 

When access to or disclosure of the images is allowed then the following should be documented:

The date and time of access or disclosure

Identification of third party to whom access or disclosure is allowed

The reason for allowing access or disclosure

The extent of information to which access or disclosure is allowed

 

6. Recorded images should not be made widely available e.g. on an intranet site

7. If the images are made widely available, the decision should be made by a designated person and the reasons documented

8. If the images are disclosed to the media, the images of individuals will need to be disguised to avoid identification

9. If the system does not have the capability to comply with standard 8 above, an editing company may be used

 

There are procedures if an editing company is used

There is a contractual relationship between the data controller and the editing company

The editing company has given the appropriate guarantees regarding the security measures they take in relation to the images

The designated person checks to ensure the guarantees are met

The written contract makes it explicit that the editing company can only use the images in accordance with the instructions of the designated person

The written contract makes the security guarantees provided by the editing company explicit

 

10. There are procedures if the media organisation receiving the images undertakes the editing (See notes under point 9 above.)

 

 

Quality of the Data

 

Quality of the Data - Images produced by the system must be as clear as possible to ensure that they are effective for the purposes for which they are intended. - Data Protection Principle 3.4 & 5

 

1. When installed, the equipment should be checked to ensure it performs correctly

2. Tapes (if used) should be of good quality

3. The maximum number of passes is 13 times

4. The medium on which the images are recorded should be cleaned to prevent recording on top of previous images

5. The medium on which the images are recorded should no longer be used if there is a deterioration in the quality of the images

6. If the system records location of camera, date, time etc. these should be accurate

7. There should be a documented procedure for 5 above

8. Cameras should be sited only where they will capture relevant images

9. If automatic facial recognition systems are utilised, the database of images should be clear

10. A human operator should assess and determine the action to be taken to verify matches made by automatic facial recognition systems

11. The assessment in 9 above should be documented regardless of a match on the data base

12. Consideration must be given to the physical conditions in which the cameras are located

13. Operators should assess whether real time or specific timed recordings are required

14. Cameras should be properly maintained and serviced

15. Cameras should be protected from vandalism (if it is a likely problem)

16. A maintenance log should be kept

17. If a camera is damaged, there are clear procedures for:

* Defining the person responsible for making arrangements for ensuring the camera is fixed

* Ensuring the camera is fixed within a specific time period

* Monitoring the quality of the maintenance work

[imoandc12]

hi there.

 

I work in a bar where recently several dome shaped cameras were installed. I overheard my manager commenting on how she can log in at home a watch us work etc. "our wee eye is pretty good" to quote.

 

Am i right in say that it is against the code to use this method of monotoring for giving staff into bother for say, not doing certain jobs that are supposed to be done on that night etc. that is not a criminal offence?

 

myself and the rest of that staff are pretty annoyed and feel spyd on.

 

any information would be great thanks.

 

private owned bar.

 

Thank you.

[MARTIN3030]

No its perfectly legal.

Are there notices displayed advising of recording ?

The notices should also give the name of those operating / maintaining the system along with contact details.

 

Networking CCTV is very popular these days and prices have come down considerably.

 

There are more stringent rules for motorised cameras,but I suspect the ones you talk about are probably standard ones.

 

If you are concerned dont forget you are protected under the DPA and your employer is expected to comply too.

[Sidewinder]

As Martin said - perfectly in order as long as employees know about it and the purpose is made clear, whether 'spying' or otherwise.

 

We used to use IP cameras in my last place, and TBH they were very useful for genuine business related reasons of security and H&S compliance. Some of the staff did get a bit funny about being phoned at 3am because they weren't wearing a hi-vis vest, but that was precisely why there was a need to have the system!

[diamondgirl]

You get used to the cameras. We are in a large office, there are dome cameras all over the office, corridors, breakroom and reception. The only places there are no cameras are the kitchen and the loos. They should have installed one in the kitchen then people wouldn't be nicking other peoples lunches. We know the bosses log in from home especially when they ring in and say such a body was doing such a thing etc., but nobody should be worried if your doing your job.

 

DG

[MARTIN3030]

The only thing I would have reservations about is the actual storage and access to the data.

There are very clear guidelines on the storage of images and recordings.

If the monitoring is carried out in a secure area then fair enough.

If on the otherhand its on view by a screen.HD sat in the corner of a living room for all to watch-then that would be a worry.

 

Thing is - this is something most will never get to know about.

[MARTIN3030]

More interesting points here too.

In June 2005, the Information Commissioner's Office launched a new version of the guide on data protection at the workplace. The new Code is more user-friendly, and incorporates and updates all four individually published parts of the previous Code of Practice on the Use of Personal Data in the Employer/Employee Relationships. The Code applies to systematic and occasional monitoring. The key message is that covert monitoring of employees' can rarely, if ever, be justified. Employees should be told if they are being monitored. The Code states that employees have a right to respect for their autonomy and privacy in the workplace and to expect a degree of trust from their employers. Any intrusion on this privacy and autonomy must be in proportion to the benefits of the interception to a reasonable employer. Less intrusive alternatives should be considered where available.

In relation to the recording of telephone conversations, the Code requires employers to make all staff and other parties to telephone conversations aware that interception is taking place and should only monitor the content of calls where an itemised call record is insufficient for the employer's purposes.

The Code also provides specific guidance on the use of video and audio monitoring. CCTV should not be used to monitor the employee's compliance with their employment contract. The Code recommends that the routine monitoring of employees by CCTV is only likely to be justified in circumstances where there are particular safety or security risks that cannot be dealt with by a less intrusive means. In particular, CCTV operations should not involve the random selection of employees for surveillance. Under this guidance employers must ensure that not only employees are made aware of the operation of CCTV but also any other people who are likely to be caught, such as visitors. Covert monitoring by CCTV or other interception of communications may only take place if the following exceptional circumstances apply:

 

 

 

• the monitoring relates to behaviour, not to contract performance;
  
• it is carried out to investigate a suspected criminal activity or malpractice; and
  
• informing staff is likely to prejudice the above purpose and certain standards for covert monitoring are complied with.
  

The standards relating to covert monitoring are satisfied if:

 

• specific criminal activity has been identified;
  
• a need to obtain evidence by covert monitoring is established;
  
• following assessment, it is concluded that informing employees would prejudice the gathering of evidence;
  
• a time period for monitoring has been identified; and
  
• the provisions of RIPA are complied with.
  

The employer should document the decision making process when it decides to monitor its employees to provide evidence that the conditions in the Code are satisfied. This is especially important given the Human Rights Act 1998. If an employee feels that his or her privacy has been infringed, he or she may claim constructive dismissal for breach of the implied duty of trust between employer and employee. In such a case, the employer must prove that it acted proportionately and that the invasion of privacy was justified. Documenting the decision making process and following the guidance in the Code will go far in helping the employer's case. Employers must use the information which is gained through the covert monitoring only for the prevention or detection of the criminal activity at which the monitoring was directed.

Importantly for the privacy of employees, the Code recommends that any other information collected in the course of covert monitoring must be disregarded unless it relates to criminal activity or equivalent malpractice.

Even where the above conditions for covert monitoring are satisfied, employers must not monitor employees in locations where employees have a reasonable expectation of privacy. The Code gives cloakrooms, toilets, vehicles and even private offices as examples of places where employees are entitled to a reasonable expectation of privacy. If an employer feels that monitoring employees in such locations is justified, then it should only do so with the involvement of the police. CCTV is a particularly intrusive method of monitoring employees and the Code draws a clear line between the investigatory powers of the employer and the role of the police. Where the employee has a reasonable expectation of privacy at work it may only be intruded upon by CCTV monitoring where the circumstances are such that a full police investigation is justified.

[MARTIN3030]

Little is known of RIPA by many.

An Employer would be expected to be seen to be upholding this too.

 

 

Regulation of Investigatory Powers Act 2000 - Wikipedia, the free encyclopedia