The hype surrounding the CCTV/ANPR provisions in the Protection of Freedoms Bill is misplaced. In fact, I would argue the Bill’s provision for a Statutory Code of Practice in the CCTV area represents little change on the privacy front, but a huge change in the potential for enhanced surveillance.
A statutory code of practice covering CCTV/ANPR is to be produced by the Home Secretary and regulated by a new “Surveillance Camera Commissioner”. The Code’s application is limited to policing bodies and local authorities; it does not cover the CCTV systems that are installed by Government Departments, the Security Service, other public bodies, or used in large shops or shopping malls. If the measure was intended to limit CCTV surveillance, then one would expect that some of these missing areas would be covered in its provisions.
Also not covered in the Code is the use of CCTV in the domestic circumstance; although I have to admit that this is a very difficult area to get right. However, having said what is not covered, I should point out that the Home Secretary is seeking powers that could extend the bodies that are subject to the Code.
There is no penalty if the Code is breached, although a breach of the Code may be raised in any legal proceedings. There are no new individuals rights created – for instance, for the Surveillance Camera Commissioner to investigate complaints about the operation of the Code.
So, if a Surveillance Camera Commissioner regulates the CCTV Statutory Code of Practice and the Information Commissioner presumably maintains his own voluntary CCTV Code of Practice, then Local Authorities and Police have the pleasure of dealing with two Codes. If these Codes diverge, there will be confusion as to what set of rules take precedent. The Bill does not set out a mechanism to resolve any conflict between these Codes.
There is also a possibility of at least two regulators with apparently overlapping responsibilities; this does not seem to be a useful proposal if privacy protection is an objective. The Surveillance Commissioner could be a third regulator if CCTV is used in combination with covert directional microphones.
The Bill’s current text ensures that conflict between the two Codes is a distinct possibility. For example: the installation or positioning of cameras overlaps with the use, collection and relevance of personal data (First and Third Principles); access to and disclosure of images overlaps with subject access, security, and incompatible disclosure purposes (First, Second, Sixth and Seventh Principles); the system use by staff and management overlaps with organisational measures (Seventh Principle); and the transparency arrangements overlap with the fair processing notice (First Principle).
There is no provision in the Code with respect of retention of CCTV images, but retention provisions can be included in the Code at anytime (overlaps with the Fifth Principle; see the use of the word “include” in S.29(3) of the Bill). Individuals could also complain to two Commissioners about the same CCTV image; one Commissioner has an obligation to do an assessment, the other doesn’t.
Although the consultation about the Code’s content is supposed to avoid these areas of conflict, it is the Secretary of State who has the last word. A Statutory Instrument brings the Code into effect; this means that Parliament’s involvement in the Code’s content is minimal.
Which Code is likely to be more balanced in relation to "privacy versus surveillance"? The Code produced by the Home Secretary (who has political responsibility for policing and a vested interest in the success of CCTV policy) or the one produced by the Information Commissioner? Let’s be honest; that was a loaded question:- but the answer explains why the statutory Code is unlikely to protect privacy.
This is because the person who is politically responsible for the interference is also identifying the protection from such interference. This is an impossible conflict of interest that cannot be resolved; it is a structural fault-line in the system of privacy protection in the UK.
I have said this before: it is like having a Code of Practice, regulated by Count Dracula, who sets standards as to how his Brides should use bottles of blood from a transfusion centre.
To break ANY potential for conflict in this area is simple. The legislation could have easily have said something like: “Where a Code makes a provision that relates to the processing of personal data, that provision must be approved by the Information Commissioner”. The Bill doesn’t include such a simple provision - so what conclusion is one supposed to draw?
Also missed from all the press coverage is the role of Automated Number Plate Recognition (ANPR) camera systems. ANPR is important because of the Police have a policy of “denying criminals the use of the roads” (see references). All vehicles passing an ANPR system (e.g. on a motorway) are regularly checked in real time with data from the Police National Computer vehicle information (see blog of 23/08/2010 for an explanation – also references). This provides valuable intelligence that the Home Office is keen to legitimise.
That is why a great deal of the Statutory Code will be devoted to making ensure that various CCTV/ANPR systems follow communication standards and can work efficiently and effectively (i.e. ensure the surveillance functionality is fit for purpose). This is also why much of the Code is reserved for commentary on: “technical standards”, “locations” and “types of system”. (Readers who are interested in the background to the Code should look at the Home Office’s “National CCTV Strategy” and the NPIA’s document about ANPR; see references).
As soon as one gets good facial recognition (as is likely someday), one can presume that this will be linked to the digital photographs of drivers or on passports. The Code will thus apply to the policy of “denying criminals the use of the pavements” perhaps. These changes may not be subject to detailed Parliamentary scrutiny – all a future Home Secretary could do is issue a new Code of Practice.
Finally, as well as fragmenting the regulatory regime, the Code only applies in England and Wales – so what happens in Scotland and Northern Ireland?
Now I am not saying that the police or Local Authorities should not have better CCTV or the police should not have more effective ANPR or better intelligence. What I am saying is that where there is enhanced surveillance there should also be enhance protection. You can’t have one without the other.
I also object to a Deputy Prime Minister, saying that this Bill curtails surveillance and excessive state interference, when this part of the Bill does no such thing. There was the kind of privacy “doublespeak” that used to be the preserve of Labour Home Secretaries. Not any longer.
At its most fundamental, the Protection of Freedoms Bill is a Home Office Bill like the Data Protection Act and the Freedom of Information Act beforehand (which probably explains the generous exemptions that cover Home Office responsibilities in these Acts).
So when you read this Bill, read it carefully. Remember where it comes from, and have that garlic and crucifix to hand.
References
National CCTV Strategy http://www.bhphousing.co.uk/streetcare2.nsf/Files/LBBA-24/$FILE/Home%20Office%20National%20CCTV%20Strategy.pdf
ANPR: http://www.npia.police.uk/en/docs/Policing_of_Roads_2007_PA.pdf
Also relevant is “CCTV – and data protection – 2007” which focuses on ACPO CCTV strategy and OIC Code of Practice: accessible from http://www.amberhawk.com/policydoc.asp
Blog of 23/08/2010 about ANPR: http://amberhawk.typepad.com/amberhawk/2010/08/data-protection-and-surveillance-swopping-the-speed-camera-for-anpr.html
The Protection of Freedoms Bill: http://services.parliament.uk/bills/2010-11/protectionoffreedoms.html
Adverts re Data Protection courses
Our Spring UPDATE session is on 11th April in London: follow the link for details of speakers and content on our web-site (at £195+VAT for the day it is a real double dip recession busting snip). We will include commentary on the Freedom Bill.
We are also running a Privacy Impact Assessment Course, a RIPA course and a Data Protection Audit on consecutive dates (In London, on 21st to 23rd March). We are starting a 5-day intensive data protection course in Leeds (beginning 3rd March) and London (10th May), and a 7-day course starting in Manchester in (12th may) . These courses cover the DP ISEB syllabus and prepare delegates for the examination in April 2011, although you do not need to be seeking the qualification to attend.
Details from the Amberhawk website (www.amberhawk.com)
Comments
You can follow this conversation by subscribing to the comment feed for this post.