Freedoms Bill good for CCTV, not for privacy
Code of practice in surveillance leaves little to protect privacy
The Protection of Freedoms Bill promotes efficient CCTV surveillance, but not effective privacy. The hype surrounding the CCTV/ANPR provisions in the Protection of Freedoms Bill is misplaced. In fact, I would argue the bill’s provision for a Statutory Code of Practice in the CCTV area represents little change on the privacy front, but a huge change in the potential for enhanced surveillance.
A statutory code of practice covering CCTV/ANPR is to be produced by the Home Secretary and regulated by a new “Surveillance Camera Commissioner”. The code’s application is limited to policing bodies and local authorities; it does not cover the CCTV systems that are installed by Government Departments, the Security Service, other public bodies, or used in large shops or shopping malls. If the measure was intended to limit CCTV surveillance, then one would expect that some of these missing areas would be covered in its provisions.
Also not covered in the code is the use of CCTV in the domestic circumstance; although I have to admit that this is a very difficult area to get right. However, having said what is not covered, I should point out that the Home Secretary is seeking powers that could extend the bodies that are subject to the code.
There is no penalty if the code is breached, although a breach of the code may be raised in any legal proceedings. There are no new individuals rights created – for instance, for the Surveillance Camera Commissioner to investigate complaints about the operation of the code.
So, if a Surveillance Camera Commissioner regulates the CCTV Statutory Code of Practice and the Information Commissioner presumably maintains his own voluntary CCTV Code of Practice, then local authorities and police have the pleasure of dealing with two codes. If these codes diverge, there will be confusion as to what set of rules take precedent. The bill does not set out a mechanism to resolve any conflict between these codes.
There is also a possibility of at least two regulators with apparently overlapping responsibilities; this does not seem to be a useful proposal if privacy protection is an objective. The Surveillance Commissioner could be a third regulator if CCTV is used in combination with covert directional microphones.
The bill’s current text ensures that conflict between the two codes is a distinct possibility. For example: the installation or positioning of cameras overlaps with the use, collection and relevance of personal data (first and third principles); access to and disclosure of images overlaps with subject access, security, and incompatible disclosure purposes (first, second, sixth and seventh principles); the system use by staff and management overlaps with organisational measures (seventh principle); and the transparency arrangements overlap with the fair processing notice (first principle).
There is no provision in the code with respect of retention of CCTV images, but retention provisions can be included in the code at any time (overlaps with the fifth principle; see the use of the word “include” in section 29(3) of the bill). Individuals could also complain to two commissioners about the same CCTV image; one commissioner has an obligation to do an assessment, the other doesn’t.
Although the consultation about the code’s content is supposed to avoid these areas of conflict, it is the secretary of state who has the last word. A Statutory Instrument brings the code into effect; this means that Parliament’s involvement in the code’s content is minimal.
Which code is likely to be more balanced in relation to "privacy versus surveillance"? The code produced by the home secretary (who has political responsibility for policing and a vested interest in the success of CCTV policy) or the one produced by the Information Commissioner? Let’s be honest, that was a loaded question – but the answer explains why the statutory code is unlikely to protect privacy.
This is because the person who is politically responsible for the interference is also identifying the protection from such interference. This is an impossible conflict of interest that cannot be resolved; it is a structural faultline in the system of privacy protection in the UK.
I have said this before: it is like having a Code of Practice regulated by Count Dracula, who sets standards as to how his brides should use bottles of blood from a transfusion centre.
To break ANY potential for conflict in this area is simple. The legislation could have easily have said something like: “Where a code makes a provision that relates to the processing of personal data, that provision must be approved by the Information Commissioner”. The bill doesn’t include such a simple provision – so what conclusion is one supposed to draw?
Sponsored: The Nuts and Bolts of Ransomware in 2016