Guidance

Introducing a single point of contact

Updated 17 May 2019

This document is primarily aimed at local authorities but can be utilised by any organisation operating video surveillance systems. It provides guidance to local authorities in establishing a Single Point of Contact (SPOC) to support the management of video surveillance systems across its area of responsibility. A complex framework of legislation and regulation exists for such technology and that technology is becoming increasingly sophisticated. Accordingly local authorities need to reassure themselves that the vast array of such equipment, its siting, deployment and management is lawful.

This document supports a range of National Workshops held in 2017/2018 by the Surveillance Camera Commissioner. The concept of utilising a SPOC was unanimously recognised as essential to support this endeavour.

Complying with the surveillance camera code of practice

The Protection of Freedoms Act 2012 (PoFA) places local authorities in England and Wales on a list of relevant authorities who must pay due regard to the Surveillance Camera Code of Practice (SC Code) when operating surveillance camera systems, overtly, in public places.

‘Surveillance camera systems’ has the meaning given by Section 29(6) of PoFA and is taken to include:

  1. closed circuit television (CCTV) or automatic number plate recognition (ANPR) systems
  2. any other systems for recording or viewing visual images for surveillance purposes
  3. any systems for storing, receiving, transmitting, processing or checking the images or information obtained by 1 or 2
  4. any other systems associated with, or otherwise connected with 1, 2 or 3

This excludes any camera system with relevant type approval of a prescribed device under Section 20 of the Road Traffic Offenders Act 1988 used exclusively for enforcement purposes, which captures and retains an image only when the relevant offence is detected and with no capability to be used for any surveillance purpose. For example, for the enforcement of speeding offences.

‘Public place’ has the meaning given by Section 16(b) of the Public Order Act 1986 and is taken to include “any highway and any place to which at the material time the public or any section of the public has access, on payment or otherwise, as of right or by virtue of express or implied permission.”

In addition to the commonly known strategic/main town centre schemes, most local authorities operate smaller schemes which are defined as public space schemes. These schemes may include:

  • community libraries
  • car parks (which may include ANPR)
  • environmental enforcement cameras (including body worn video)
  • CCTV in taxis
  • traffic enforcement cameras
  • reception areas, main entrances, corridors, offices
  • care homes
  • sheltered housing
  • flats
  • community centres
  • transport fleets
  • leisure centres and swimming pools
  • parks and recreation
  • depots

Local authorities operating surveillance camera systems, including CCTV, body worn video (BWV), automatic number plate recognition (ANPR), unmanned aerial vehicles (UAVs) and dash cams, should ensure they all comply with the SC code and other relevant legislation such as the Regulation of Investigatory Powers Act 2000 (RIPA), the General Data Protection Regulation (GDPR) (PDF, 959 KB), the Data Protection Act 2018 (DPA) and Human Rights considerations. If local authorities don’t have a good understanding of the surveillance camera systems they operate they can face financial, legal and reputational risk.

Local authorities should take note of Section 1.11 of the SC Code which stipulates that “The duty to have regard to this code also applies when a relevant authority uses a third party to discharge relevant functions covered by this code and where it enters into partnership arrangements. Contractual provisions agreed after this code comes into effect with such third party service providers or partners must ensure that contractors are obliged by the terms of the contract to have regard to the code when exercising functions to which the code relates.”

Local authorities should also take note of Section 1.16 of the SC Code which stipulates that “A failure on the part of any person to act in accordance with any provision of this code does not of itself make that person liable to criminal or civil proceedings. This code is, however, admissible in evidence in criminal or civil proceedings, and a court or tribunal may take into account a failure by a relevant authority to have regard to the code in determining a question in any such proceedings.”

The Crown Prosecution Service (CPS) has updated their disclosure manual to reflect this and are reminding their prosecutors to seek clarity from police officers on this point wherever images are presented to them as part of a prosecution file.

Introducing a single point of contact

Each local authority will be supported by a Data Protection Officer (DPO). It is a matter for senior officials within that local authority to determine the provision of a SPOC in support of the DPO. That is a recommendation made by the Surveillance Camera Commissioner to ensure symmetry and understanding on the management of video surveillance systems.

The establishment of the role of a SPOC within a local authority is the first step in demonstrating to the public that the local authority is committed to operating all surveillance camera equipment in compliance with the SC Code and key legislation such as RIPA, the GDPR and DPA, and Human Rights considerations, thereby building transparency, trust and confidence in its use.

In most local authorities, there will be an officer with responsibility for a strategic/large main town centre public space scheme. This officer is usually the most appropriate person to be nominated as the SPOC, as they will have a wide breadth of experience of operating public space schemes and knowledge of the regulatory framework governing its use. Given that at least 93% of local authority main town centre schemes have completed the Self Assessment Tool (SAT), it is reasonable to assume that these same managers have experience of the SAT process and would therefore be most equipped to support the roll out of this assessment across their local authority.

The Responsibilities of a Responsible Officer (RO)

All CCTV sites should have an appointed Responsible Officer (RO). They are responsible for the day-to-day management of the CCTV system and completing an annual questionnaire which is sent to them by the scheme manager. The RO should identify through the questionnaire any changes to the system, whether the system remains fit for purpose and whether a maintenance contract is still in place for the system.

The responsibilities of a SPOC

A SPOC’S role is operational for all matters relating to surveillance cameras. They should support the local authority Senior Responsible Officer (SRO) regarding compliance with PoFA.

A SPOC should carry out an audit of the local authority schemes to find out exactly what type of systems are being used by the local authority across all schemes (e.g. CCTV, BWV, ANPR, UAVs and dash cams), where all its cameras are located and who has responsibility for them. They may need support from someone at a senior level in your organisation to do this.

A SPOC acts as the main contact point for anything related to surveillance camera systems, and can introduce consistent surveillance camera policies and procedures that can be applied to all systems at an operational level. They can also ensure that any staff across the organisation operating surveillance cameras are properly trained, keep them up to date on changes to legislation and help them to develop.

A SPOC can standardise signage, set out clear roles and responsibilities, improve competence across the organisation and set up a governance board to scrutinise the use of CCTV across the breadth of the local authority. They can also advise on changes to schemes including adding or removing cameras, and where they are best located

Establishing a Corporate Strategy / Code of Practice

In order that the processes and procedures adopted by the strategic/large main town centre scheme can be mirrored across the local authority, the SPOC should establish a Code of Practice which sets out the governance arrangements that all schemes must comply with. This local authority Code of Practice (LA Code) must set out the regulatory framework that each scheme must comply with, the internal assessment programme that each scheme must undertake and the processes required to establish a new surveillance camera scheme or upgrade an existing scheme.

The SPOC will be responsible for maintaining the LA Code, and providing regular guidance and updates to scheme managers to ensure that all surveillance cameras schemes continue to be operated in full compliance with the regulatory framework governing its use.

Maintaining documentation in a Code Assessment Pack (CAP)

Scheme managers are required to maintain documentation in a Code Assessment Pack (CAP) which will demonstrate that each scheme continues to be operated in compliance with the LA Code, and present this evidence to the SPOC at the annual desktop assessment.

The CAP should include:

  • evidence of compliance – The scheme manager should be able to evidence that the scheme is compliant with the principles of the SC Code and other relevant legislation such as RIPA, the GDPR and DPA, and Human Rights considerations. This would include completing the Self Assessment Tool and Data Protection Impact Assessment (see below for more details), and documenting procedures, policies and privacy information
  • document overview – This is a list of all the documents that the scheme manager must maintain. They should record the date that they undertook the annual review of documents, the name of the person who undertook the review, and any relevant comments
  • declaration – each scheme manager must complete a declaration of compliance. They must confirm that the asset list is a complete list of all of the surveillance camera equipment that they operate. There must be a separate declaration for each scheme that they manage. This declaration must be completed annually (and on occasions where the scheme manager changes)
  • asset list – the main contractor should be able to provide a list of the surveillance camera equipment that is used across the scheme. The list should include cameras, monitors that display images and recording equipment. You should give each item of equipment an asset number so that you can audit it annually, and record if it is moved, removed etc. It is important to record whether or not the equipment is internal or external, and the purpose for each camera (e.g. crime reduction or public and staff safety)
  • access – this is an important record of the people that you have authorised to access your scheme and the levels of access that you have approved. In some instances access may be restricted such as only allowing officers to view images on a monitor, or an engineer might have access only under supervision. Ultimately, the scheme manager is responsible for authorising individual’s access levels and ensuring that regular reviews are undertaken to remove persons who no longer require the same or any level of access
  • training – this is a list of all the individuals that the scheme manager has authorised to access the scheme, the training those individuals have undertaken relevant to operating public space CCTV, and any standards required. As a minimum, all individuals should have signed a confidentiality agreement, and all those who view images and/or operate cameras etc. should have undertaken training on handling personal data and information security
  • Data Protection Impact Assessment (DPIA) – the Data Protection Act 2018 sets out the circumstances in which a DPIA is a mandatory requirement and in certain circumstances when it needs to be referred to the ICO. Principle 2 of the SC Code states that the use of a surveillance camera system must take into account the effect on individuals and their privacy, with regular reviews to ensure its use remains justified. The best way to ensure this is for the scheme manager to carry out a DPIA before any surveillance system is installed, whenever a new technology or functionality is being added onto or removed from an existing system, or whenever there are plans to process more sensitive data or capture images from a different location. This will assist in assessing and mitigating any privacy issues linked to the use of a surveillance system. A standard template form DPIA has been co-produced by the SCC and ICO which is tailored to the processing of personal data by surveillance camera systems. This should be reviewed annually. If, for example, there are surveillance video systems covering multiple scheduled housing schemes, it is acceptable to complete one Data Protection Impact Assessment (DPIA) and one Self Assessment Tool (SAT) which covers all sites
  • annual review – an annual review must be completed to demonstrate that there is still a need to operate your scheme and all of the cameras connected to it, and that the scheme continues to be operated in compliance with relevant legislation and codes of practice. A questionnaire should be sent to each site’s RO for completion on an annual basis. If you have undertaken and documented the annual assessments within this pack, then the RO’s answers to this short list of questions will be sufficient to evidence that you have reviewed the continued use of your scheme:

    • what is the specified purpose of the scheme?
    • does the scheme continue to meet the specified purpose for which it was established?
    • has an annual review of every camera been undertaken? (This may not be viable for large town centre schemes and a sampling process may be more appropriate).
    • what maintenance checks are undertaken of the system and cameras?
    • what is the scope of the scheme?
    • has there been any change in the scope of the scheme since the last review?
    • has a DPIA been undertaken for the scheme and reviewed annually?
    • does the scheme operate in compliance with relevant legislation and codes of practice?
  • annual report – within the main CCTV annual report there should be a subheading for the SPOC to set out the number of sites under their remit and to give a brief overview of any inspections, contracts associated with the scheme, number of compliments and complaints in relation to the scheme and details of the scheme’s performance and priorities, etc
  • self-assessment tool (SAT) – the scheme manager must review this assessment annually. They will be required to evidence their responses at the annual inspection. The SAT is designed to help organisations that use surveillance camera systems identify if they are complying with the 12 principles in the SC Code
  • signage – signage should include details of the type of surveillance camera in use (e.g. CCTV, ANPR, etc), the purpose of its use (e.g. to prevent and detect crime), who controls the scheme and contact details for further information. You should paste an image of your scheme’s sign into the CAP. If you are unable to do so, you can provide an image at your assessment
  • cyber considerations – it is important to determine and record what cyber checks are in place to protect data with appropriate security measures (e.g. if networked systems are in place then there should be up to date firmware, strong passwords, and penetration tests should be carried out)

If you would like more information on how to compile a CAP, please contact the Surveillance Camera Commissioner.

Establishing a corporate surveillance camera equipment asset list

The SPOC will be responsible for maintaining a central register of all the public space surveillance cameras equipment that the local authority operates. The register will include details of the location of each piece of equipment, its asset reference and the manager responsible for the equipment. This information will be collated from the individual asset lists provided through each scheme’s CAP.

Next steps

The establishment of the SPOC is a key recommendation for local authorities and one that the Surveillance Camera Commissioner will be reporting to Parliament upon within his Annual Report.

Email the Surveillance Camera Commissioner to let our offices know the contact details of your organisation’s SPOC as this will enable us to add them to our mailing list to receive relevant updates and improve communications. We would also appreciate your comments and feedback on the user experience with this guidance.