'The time has come to remind the villains that we are there. Use the cameras
to search the street for likely looking individuals...zoom in and out, look
for faces, potential suspects, potential victims, move the camera around
from time to time to let them know you're alert"
- Police Memo to Camera Operators.
Based on 600 hours of research from CCTV monitoring rooms, findings showed 'suspect targets' most likely to be filmed were "disproportionately young, male, black and working class". Black men were twice as likely to be filmed as white men, women were often tracked by camera operators for the 'titillation factor', and if you wear a puffa, designer trainers and drive a flash car - more likely that not - you've been framed.
|
Several instances of CCTV operators turning a blind eye to some of the worst scenes of 'Police, Camera, Actual Bodily Harm' were also recorded. One off duty copper was filmed coming out of a nightclub shouting racist crap at three black men. When a fight broke out, 20 uniformed cops arrived and arrested two of the men, presumably letting their mate head off for his kebab. The footage was deleted and the police officer responsible never prosecuted. Other reported incidents included an operator zooming in and catching a police officer "punching a young man inside a police van". On another, a man and woman were tracked from the moment they left a nightclub, identified as 'suspects' and later picked up and arrested for 'breach of the peace' when the woman stopped for a piss in a doorway. In both cases the camera operators either missed the record button or were busy looking for bra straps through the monitor. |
 |
But it's not just the camera operators and police that are busy fuzzing the picture. The first investigation in '95 by the Home Office, was based on information taken from police, local authorities and private secunty companies. In Birmingham, the report said, crime levels were up three times from when CCTV was first installed. So to avoid embarrassment, when Home Secretary Howard announced a £15 million package for city centre CCTV in November 1995, he censored the Birmingham chapter and released the report in the media 'low' between Xmas and New Year.
New Labour's track record on distorting the digital picture is as equally impressive. A two year study commissioned by the Home Office released on July 15th, 1999 demonstrated that CCTV does not reduce crime. The research showed that, in Glasgow, crime had increased by 9% over the first year, and also risen in Wales.
|
Yet these findings - virtually unreported in the national press - did not stop Home Secretary Jack Straw announcing a £170 million package for installing CCTV systems over the next 3 years - enough for 40,000 cameras. There are over 500,000 CCTV cameras in operation in the UK today, and the surveilance industry is worth £2 billion a year.. When no one is watching the watchers, who can say where CCTV footage goes? At a rape trial in Nottingham earlier this year the suspect was cleared after the defence counsel discovered a tape which proved the man's innocence. The police had not disclosed the footage as evidence (Guardian 15/7/99). |
Local councils are using CCTV to put entire residential neighbourhoods under surveillance, with the footage collected as evidence to prosecute and evict 'anti social elements'. In Hull, private detectives were hired by the local council to install covert cameras inside the home of a suspected drug dealer on the Bransholme Estate. The edited highlights were eventually shown in court and the person evicted. In Newcastle's West End estate there are 15 'vandalproof' spy cameras monitored by a single 'dedicated' police operation room. And in Wolverhampton, education budgets for books have instead been splashed out on a flash 16-strong camera network to watch out for evil crack dealers in the playground.
While the UK is fast moving towards the 'Maximum Surveillance Society' the technology remains vulnerable to human error. Tapes are accidentally erased, networks fail and shit happens. Under the 1998 UK Data Protection everyone has a right to access data and digital images that is held on them - be it bank records or CCTV footage for the cost of a tenner. So if you think you'Ve been recorded on CCTV by some pervy policeman without your permission then it might be worth looking into.
More info:
See sophisticated database of facial images being set up
in Britain "The Maximum Surveillance Society' - Norris & Armstrong, Berg Publishers, 1999.
UK Data Protection Registrar, Wycfiffe House, Water Lane, Wilmslow,
Cheshire,SK9 5AF.
http://www.hmso.gov.uk/acts/acts1998/l9980029.htm
Privacy International P0 Box 3157, Brighton, BN2 2SS.
http://www.pnvacy.org
What if you were told that the world's most sophisticated database of facial images was being set up in Britain...without any legislation, parliamentary oversight or public consultation - not even a polite chat with the Data Protection Registrar. Welcome to the ultimate I.D. card.
| The Home Office has quietly announced that as of October 99, photographs in all new passports will be digitised and stored electronically. The old system of laminating a physical photo into a passport will be replaced by a computer stored image sprayed directly onto the passport with a laser jet. Yes, that picture of you as a goofy fifteen year old with a manky haircut will be reliably stored forever - unless they use the fancy new IBM software that automatically ages your mugshot! 3.5 million photo images together with related data (personal and family details) |  |
will be stored each year on the database, resulting in the creation within 10 years of a searchable archive of 35 to 40 million people - even more than the conservative evidence given by the Telegraph.
The Home Office says the new passport will be quicker to process and more resistant to tampering, but Dr James Backhouse, director of the Computer Security Research Centre in the London School of Economics said "The mere existence of such a large and sensitive database invites all manner of threats. Digital images can be transmitted, analysed and matched just like any other data. My own view is that the development of this system should proceed with meticulous care and its planning should be subject to thorough public oversight".
A spokesman for the Home Office said the system would be operated in strict accordance with the Data Protection Act. But John Woulds, assistant Data Protection Registrar said the project was "in a different league" to most other databases, and his office "we've not consulted formally or informally about this."
The Passport agency systems are linked to a number of agencies including the Foreign and Commonwealth Office and various Departments in the Home Office. Police are given access on request.
Simon Davies of Privacy International said "Although the Database will be managed by the Passport Agency it is in effect a Home Office facility. As a law enforcement tool it will be a choice prize not just for police, but also for security services such as MI5." The Home Office would not comment on the potential use of this technology, but it insisted that the new database was a necessary step to combat passport fraud. However, neither the Home Office nor the Passport Agency were able to provide any fraud estimates to justify the system. The Home Office suggested that the Passport Agency "may have done some work on this". However, the Agency is not responsible for such investigations.
The potential to automatically match digitised passport images with photos from existing police databases and CCTV cameras is at the head of a barrage of privacy concerns. Several companies are well on the way to developing such technology. Miros Inc. has developed a system that can compare, in under a second, an image from a standard security camera with stored images.
The TrueFace system developed by Miros has been installed in 80 locations around the world. It claims to have only a 0.1 percent rejection rate, using an ordinary video camera lined to any PC.
|
Already Manchester City use face recognition at their Maine Road football ground and if Heathrow airport gets the green light for Terminal 5, they will use automatic face recognition, technology which has been part-funded by Marks and Spencers, the Police Foundation and British Aerospace. Most automatic face recognition systems use "landmarks" on the face (eyes, mouth etc) or a combination with "eigenfaces" which measure the difference between light and shade. Adding or removing spectacles or facial hair makes only marginal difference to the system's accuracy. |
So should we be getting our knickers in a twist? Simon Davies said, "It's always been the wet dream of authority to link faces with data and this will be a red letter day for them. The fraud argument is a confidence trick as the new passports will be just as easy to forge. The only winners will be the police, security services and anybody else - except of course ordinary people."
In the very near future we could see a triad working together of passport, digitalised driving licences and banks all feeding into the same databases. So why waste time with the political hot potato of ID cards when you can sneak this all past the public behind closed doors.
| And if that hasn't got you hiding all paranoid behind your settee then there's always Europe. The Government is planning to join a massive "state security" system targeting millions of European citizens as part of a new drive to promote 'co-operation' between EU police and intelligence agencies. The Schengen Information System (SIS) keeps information on people regarded as a potential threat to public order. This includes 'aliens, illegal immigrants, drug-traffickers, serious crime suspects, football hooligans - and "meetings attended by large numbers of people from more than one member state." These include demonstrators, anti-roads campaigners, environmental activists, - and of course rock music fans, ravers, travellers etc. |
|
|
|
|
CCTV and the Surveillance Camera Players
The increasing power and use of information technology and its concomitant ability to collate and store increasing amounts of personal data led to the introduction of the Data Protection Act l984. This Act places obligations and responsibilities on people and organisations who hold and use personal data in order to balance the privacy of the individual with the advantages that information technology creates for every member of society. Similar concerns have been raised with the increasing use of closed circuit television (CCTV). This technology has been hailed as an important asset in many areas such as in the fight against crime, but has also led to fear of encroaching surveillance. However, although some developments in the sophistication of the technology brings some elements of CCTV within the provisions of the Data Protection Act, for the most part CCTV is unregulated (see Section 1).
However, this position is likely to change in the very near future for two reasons:-
a) the rapidly advancing sophistication of the technology itself means that it will soon fall within the definitions and provisions of the Data Protection Act l984;
and
b) By October l998 the UK's legislation will have to be amended to take into account the requirements of a European Directive on Data Protection which seeks to regulate the increasing use of recorded sound and image data.
Therefore, the Registrar recommends that people and organisations who wish to set up CCTV systems take into account these requirements now rather than having to amend their practices at a later but inevitable date, thus it is recommended that Codes of Practice on use will help ensure compliance with the Data Protection Act l984. A Code of Practice is particularly significant for a multi-agency project or partnership because it can set out responsibilities and obligations in relation to the system thus assisting in resolution of any future dispute about such matters.
As mentioned above, not all CCTV technology will be covered by the definitions in the Data Protection Act l984. In order to ascertain whether your own system falls within those provisions and therefore needs to be registered, ask yourself the following questions:-
For the purposes of the Data Protection Act l984 (hereinafter DPA), "data" has a specific meaning:-
"'data' means information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose"
It should be noted that this definition is not limited to information processed by computer, but extends to other types of equipment which respond to instructions thus the recording of images on video tape or disc via the medium of a camera and video is no different from conventional methods of recording and storing data on magnetic media in computers. Therefore all CCTV systems, which record images, will be collecting data.
Again "personal data" has a specific definition for the purposes of the Data Protection Act l984:
"means data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the data user) ..."
Thus only information about individuals who can be identified will be covered by the Act. If the person collecting the information can identify individuals from a combination of the recorded information and information they have elsewhere in their possession, then that too will fall within the definition of "personal data". Thus it may be that the images that are being recorded will come within the term "personal data":-
a) If your CCTV system records images of unknown individuals eg records images of a street scene, then your system may still be collecting "personal data", but it will not need to be registered unless that data is processed by reference to the individual (see later).
b) If you have introduced your CCTV system in order to monitor employees' behaviour and activities, and the images relate to them, then because your staff are known to you, that will constitute "personal data" and your system may need to be registered.
c) If your system records image of unknown people, can you identify those people by cross-referencing the image with other information you have in your possession? For example at football stadia cameras can focus on one individual in one seat - at that point, that person is unidentified. However, their identity may become known when the seat number is matched against a list of season ticket holders. In that case your system does record personal data, and it may need to be registered.
d) If your system records images of unknown people in an area where an incident occurs, can you identify the images of any of those involved in the incident? It may be that you cannot identify the perpetrator(s) of the incident, but you will be able to identify the victim or the witnesses. In that case, your system will be recording personal data even though the focus of attention of the system is, in fact, an unknown individual.
The Act defines processing as:-
"amending, augmenting, deleting or re-arranging or extracting the information constituting the data"
Although this definition does not specifically refer to operations such as transmission, display or printing of the information contained in the data, in order to perform these operations, extraction must have taken place, and therefore the data must have been processed.
The Act requires that the equipment used to record or store the personal data must be capable of responding to instructions which require it to locate and process information about the individual. Thus a CCTV system will only fall within the provisions of the Act if it can automatically locate particular information stored on the video tape. Therefore, whether your system will need to be registered will depend on the level of the sophistication of your equipment:-
a) If you can only locate, on the tape, the image of a known person by pressing the fast-forward or rewind buttons on the play-back facility of your equipment, then this will not constitute automatic processing, because in essence you are relying on the human eye to locate the individual. BUT
b) If your system can be programmed to search for a specific time or frame reference on the tape at which it is known that personal data about a known individual is recorded, then your equipment will be capable of automatically processing.
IF YOU HAVE ANSWERED "YES" TO QUESTIONS I, II AND III, THEN YOUR USE OF A CCTV SYSTEM SHOULD BE REGISTERED WITH THE OFFICE OF THE DATA PROTECTION REGISTRAR.
If you have answered "yes" to the three questions above, then you should be registered with the Office of the Data Protection Registrar; failure to do so constitutes a criminal offence. Once you have registered, you will be obliged to comply with legally enforceable data protection principles (please see below). It is these principles that you will need to take into account when designing your CCTV system and developing a Code of Practice for its use, thus ensuring compliance with the Data Protection Act.
When you register your use of a CCTV system you will be required to state the purpose(s) for which you are using it. The Registrar recommends that you are specific about your uses of CCTV and personal data because this will enable you to ensure that the principles are also complied with (see later).
It may be that you are already registered to hold and use personal data for the purposes for which you are proposing to use your CCTV system eg you may already be registered for Personnel/Employee Administration or Crime Prevention, thus it may be that your existing register entry need only be amended to take account of this new category of data that you intend holding. Further guidance on registration is provided in Appendix l.
I) THE FIRST PRINCIPLE
This requires that:-
"information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully"
This has been interpreted to mean that people should be made aware that they are providing personal data about themselves, and that they should be notified of any non-obvious uses or disclosures of that information. Thus appropriately sized signs should be placed in and around the area where CCTV cameras are to be located, notifying people of the existence of the cameras. These signs should also identify the owner/operator of the system so that people can exercise their rights under the Act (see Seventh Principle - the right to subject access). If you are going to publish any material in relation to the CCTV scheme, it should include a description of the purposes for which the information will be obtained and used, and should accurately reflect the uses and disclosures that you are registered for.
In limited and exceptional cases, covert use of cameras (ie use without the appropriate signs) may be justified where the cameras are being used to in an attempt to put a stop to a specific criminal activity involving specific individuals. Section 28 (4) of the Data Protection Act provides an exception to the First Principle, provided it can be shown that to notify the individuals concerned of the existence of the cameras would result in the substantial risk of prejudice to the prevention or detection of crime, or the apprehension or prosecution of offenders. However, this is not a blanket exception which can be used to justify non-compliance with the principle's requirements, unless in the specific circumstances of the exception.
With regards to fair processing, a balance must be struck between the uses of the system and the concerns of the individual. If information is processed or used in a way which is outside the use for which it was intended, and which is detrimental to the individual, then it is likely that that activity will be deemed unfair, for example where CCTV footage, obtained for the purposes of crime prevention and detection, is sold to a commercial film company who use the material in a salacious video.
The First Principle also requires that information be obtained and processed lawfully. This is not limited to a requirement that criminal provisions should not be broken in the obtaining and processing of the data, but has been interpreted to extend to civil law principles such as the law of confidence. For example, cameras in a doctor's surgery would be deemed to be processing data unlawfully if the information was being recorded and made more widely available because this would breach the law of confidence that exists between doctor and patient.
II) THE FOURTH PRINCIPLE
This requires that the personal data stored must be adequate for and relevant to the purpose for which it is to be used. Thus consideration must be given to the situation of the cameras so that they do not record more information than is necessary for the purpose for which they were installed, for example cameras installed for the purpose of recording acts of vandalism in a car park should not overlook private residences. Furthermore, if the recorded images on the tapes are blurred or indistinct, it may well be that this will constitute inadequate data. For example, if the purpose of the system is to collect evidence of criminal activity, blurred or indistinct images from degraded tapes or poorly maintained equipment will not provide legally sound evidence, and may therefore be inadequate for its purpose.
III) THE FIFTH PRINCIPLE
This principle requires that the personal information that is recorded and stored must be accurate. This is particularly important if the personal information taken from the system is to be used as evidence in cases of criminal conduct or in disciplinary disputes with employees. The Registrar recommends that efforts are made to ensure the clarity of the images, such as using only good quality tapes in recording the information, cleaning the tapes prior to re-use and not simply recording over existing images, and replacing tapes on a regular basis to avoid degradation from over-use.
Care should be exercised when using digital-enhancement and compression technologies to produce stills for evidence from tapes because these technologies often contain pre-programmed presumptions as to the likely nature of sections of the image. Thus the user cannot be certain that the images taken from the tape are an accurate representation of the actual scene. This may create evidential difficulties if they are to be relied on either in court or an internal employee disciplinary hearing.
IV) THE SIXTH PRINCIPLE
This principle requires that the information shall not be held for longer than is necessary for the purpose for which it is to be used. In general CCTV systems merely record events; they do not take shots or stills. It is recommended that stills are only taken from the tape when evidence is or may be required of a specific activity and to be used in cases such as the detection and prosecution of offenders or in internal disciplinary proceedings against employees. The tapes that have recorded the relevant activities should be retained until such time as the proceedings are completed and the possibility of any appeal has been exhausted. After that time, the tapes should be erased. Apart from those circumstances, stored or recorded images should not be kept for any undue length of time. A policy on periods for retention of the images should be developed which takes into account the nature of the information and the purpose for which it is being collected. For example where images are being recorded for the purposes of crime prevention in a shopping area, it may be that the only images that need to be retained are those relating to specific incidents of criminal activity; the rest could be erased after a very short period.
V) THE SEVENTH PRINCIPLE
The Data Protection Act l984 gives individuals the right to have access to personal information that is being held about them, and this will include CCTV images. Access must be granted provided that the individual has given sufficient information to identify themselves, and to locate the information or images that they are seeking. For example, it may not be sufficient for an individual to ask for all images recorded on a CCTV system owned by a local authority over for a period of a month. Section 2l (4) (a) of the Data Protection Act l984 enables the data user to request as much information as "he may reasonably require" to locate the information which the individual seeks. Therefore, it may be more appropriate for the individual to specify a place, date and time so that the owner/operator can find the images requested. A copy must be supplied on videotape.
If you cannot supply that information without providing personal information relating to a third party or parties, then that third party information need not be disclosed (although you may choose to disclose it if you want). However, you are entitled to suppress the features of any third parties and this can be done by using the technology to blur their features. The Registrar suggests that it is good practice to suppress the identity of third parties in order to protect their privacy.
VI) THE EIGHTH PRINCIPLE
This requires that
"appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data, and against accidental loss of destruction of personal data".
In order to assess what "appropriate security measures" are, consideration must be given to the nature of the information and the harm that might result from a breach of this principle. As a rule of thumb, the more sensitive the data, the more stringent the security measures required. This means that consideration will have to be given to, amongst others, :-
a) the placement of the technology in the streets.
b) security of the central control room.
c) monitoring of access to the central control room.
d) selection and recruitment of staff.
e) ongoing training in data protection and privacy issues.
f) monitoring of access to recorded material.
g) security of storage of recorded material.
Even where your CCTV system does not fall within the provisions of the Data Protection Act l984, consideration of all the above issues will
a) help form a Code of Practice which will encourage the efficient and effective use of the technology.
b) ensure that your use of the system will put you in a good position for compliance with current and future data protection legislation.
c) instil and maintain public confidence in the use of such systems.
For further information, please contact our office, see back cover for contact details.
A Model Code of Practice for CCTV Use is available from:-
The Local Government Information Unit
l-5 Bath Street
London
EClV 9QC
Telephone number: 0l7l-608-l05l
APPENDIX 1
If you decide that your use of a CCTV system should be registered, this may be done in one of the following ways:-
In some cases, it may be that you are already registered to hold and use the personal data for the purposes for which you are proposing to use your CCTV system. It might be that you are installing CCTV in order to manage staff or employee activity either on the shop or factory floor. If you are already registered to hold personal data for this purpose ie P001 - personnel/employee administration, it may only be necessary to simply amend that existing register entry to indicate an additional data class. Thus in the free text box after the coded section, you might add "sound and/or visual images". Similarly, if you are already registered to use personal data to monitor staff access to and from a building, and you propose to use your CCTV system for the same purpose, an addition to the data class for the relevant register entry would be appropriate. In that case your register entry for P012 should be amended to reflect the new data class of "sound and/or visual images". Furthermore, if you are already registered to hold personal data for the purposes of crime prevention and detection (P058), then the addition to the data class categories may be sufficient.
In cases, where it is proposed that the CCTV system will be used to monitor city centre or open spaces, the registration of this use of personal data may become more complex.
The Data Protection Act 1984 requires that the data user registers with the Registrar. The Act defines a data user as a "person" who holds data (see definition from factsheet). This reference to "person" is a reference to a legal person for example a public or private limited company. Thus the person who registers must be a legal person. This can pose problems for CCTV schemes which have been developed by partnerships between local authorities, the police and other organisations. Such partnerships do not necessarily have the legal status required for the purposes of registration. However, this does not mean that they do not have to register., The Act defines a person as "holding" data if that person (either alone or jointly or in common with other persons) controls the contents and use of the data comprised in the collection. Thus if a partnership does not have legal status it may be that the individual organisations or bodies involved in that partnership will have to register as a data user if they exercise control jointly or in common with the others:-
The second issue which needs to be clarified is the use of that personal data. Most schemes have been designed for the purposes of:-
Thus it may be more appropriate for this use of a CCTV system to be registered independently as a purpose rather than using a standard or coded purpose. Thus this purpose may be registered as:-
Recording and retention of sound and/or visual images for the purposes of monitoring for potential criminal activity, investigating criminal activity and for providing evidence of such activity in legal proceedings.
It should be borne in mind when completing this section, that you should consider the relationship between you as the data user and the individuals about whom you are holding information. Thus this use of a CCTV system may collect images of complainants (S019), witnesses (S020), and offenders and suspected offenders (S021). It may be that these people are also tax payers (S023) or students (S030), but that is not relevant to the purpose for which you are holding personal data on them, and thus these categories do not need to be registered.
In the data class section, the only entry would be in the free text box:-
Sound and/or visual images
Finally, with regard to categories of sources and disclosures, these should be kept as restricted as possible to reflect the limited use of this information. Thus only the following categories may be relevant:-
D101 The Data Subject themselves (source and disclosure)
D105 Employees, agents (source and disclosure)
D107 Legal representatives (disclosure only)
D206 Suppliers, providers of goods and services (source and disclosure)
D341 Police (source and disclosure)
D371 Private detectives, security organisations (disclosure only)
It should be noted that these are only suggested categories for registration. It may be that your use of a CCTV system does not fit easily within any of these categories or within these suggested methods of registration. You may wish to develop your own register entry which you believe more accurately reflects your use of a CCTV system. Further assistance can be obtained from contacting our registration department, see back cover for contact details.
The Data Protection Act 1984 grew out of public concern about personal privacy in the face of rapidly developing computer technology. It provides rights for individuals and demands good information handling practice.
The Act covers 'personal data' which are 'automatically processed'. It works in two ways, giving individuals certain rights whilst requiring those who record and use personal information on computer to be open about that use and to follow proper practices.
The Data Protection Act 1998 was passed in order to implement a European Data Protection Directive. This Directive sets a standard for data protection throughout all the countries in the European Union. The new Act will be brought into force in 1999. Some manual records will fall within the scope of the Act. There will also be extended rights for data subjects".
- information about living, identifiable individuals. Personal data do not have to be particularly sensitive information, and can be as little as a name and address.
processed by computer or other technology such as document image processing systems. The Act doesn't currently cover information which is held on manual records, e.g. in ordinary paper files.
- those who control the contents and use of a collection of personal data. They can be any type of company or organisation, large or small, within the public or private sector. A data user can also be
a sole trader, partnership, or an individual. A data user need not necessarily own a computer.
- the individuals to whom the personal data relate.
We are all 'data subjects'. All types of companies and organisations ('data users') have details about us on their computers. This growth of computerised information has many benefits but also potential dangers. If the information is entered wrongly, is out of date or is confused with someone else's, it can cause problems. You could be unfairly refused jobs, housing, benefits, credit or a place at college. You could be overcharged for goods or services. You could even find yourself arrested in error, just because there is a mistake in the computerised information.
Nowadays, personal information is becoming increasingly valuable. Think before you supply it. Always ask "why?" if an organisation is requesting information such as: your income, lifestyle or family circumstances. You will find that you don't always need to provide the information and there is usually an opt-out facility if you don't wish this information to be used for marketing purposes. However, there will be circumstances when you will be legally required to supply personal information.
You can also contact the Mailing Preference Service (Dept. AM, Freepost 22, London W1E 7EZ) and the Telephone Preference Service (0800 398893 BT, 0500 398893 Mercury) if you wish to be excluded/included on most mailing/telesales lists in this country.
The Data Protection Act allows you to have access to information held about yourself on computer. This is known as the 'right of subject access'. You also have the right to have this information corrected or deleted, where appropriate.
Firstly you should write a "Subject Access" letter. In the letter you should ask for a copy of all the information held about you to which the Data Protection Act applies. If you are in any doubt as to who to contact within an organisation, address it to either the Company Secretary or Chief Executive.
It is best to send it by recorded delivery, and it is important to keep a copy of the letter and any subsequent correspondence. In many cases you will be asked to fill in an application form, or to provide more details to help identify yourself and help find information about you. The data user may have divided up the information and covered it by separate entries in the Data Protection Register. If this is the case then a separate payment may be required to see each set of information. It will help if you provide the computer user with any necessary details as quickly as you can. You are entitled to receive a reply within 40 days of providing these. You may be asked to pay a fee not exceeding £10 per register entry ( see data user section for more details.)
A copy of information held about you should be sent to you. The information may be sent as a computer print-out, in a letter or on a form. However, it must be made understandable, with any codes explained.
If you do not receive a response to your request within 40 days, or if the information you receive is wrong, you can contact our Information Line. The Registrar can help ensure you get a reply and, if records about you are incorrect, ensure that any mistakes are corrected. If one of the Principles ( see data user section for more details) has been broken the Registrar can take enforcement action against the organisation. Further guidance can be found in Section 5 (Individual rights) of The Guidelines. http://www.open.gov.uk/dpr/guide.htm
There are a limited number of exemptions to your right to see information held about you. These include information held for the purpose of:
preventing or detecting crime; catching or prosecuting offenders; assessing or collecting tax or duty.
These exemptions only apply if providing the information would be likely to prejudice these purposes. In some cases your right to see certain health and social work details may also be restricted. If you are unsure or feel information is being withheld incorrectly even in these cases, you can contact our Information Line.
Further guidance can be found in Section 6 (Exemptions) of The Guidelines
http://www.open.gov.uk/dpr/guide.htm
Your right to see credit reference details is covered by section 158 (1) of the Consumer Credit Act 1974. A free leaflet outlining how to go about this is available from the Office of Fair Trading, (Tel no: 0181 398 3405).
The Data Protection Registrar contains the names and addresses of all registered data users with broad details of the data they process in terms of: type, purpose, sources, disclosures and whether they are to be transferred overseas. The Register is open to public inspection at the Registrar's office in Wilmslow. Copies of individual register entries are available free of charge by contacting the Information Line. A register entry only shows what a data user is registered to do. It does not name the individuals whom it holds personal data. The Register is available via our Home Page: http://www.open.gov.uk/dpr/dprhome.htm
If you consider there has been a breach of one of the Principles (or any other provisions of the Act), and you are unable to sort the problem out yourself you can complain to the Data Protection Registrar. If the Registrar considers the complaint is justified and cannot be resolved informally, then she may decide to serve an enforcement notice on the data user in question. If a criminal offence has been committed, then the Registrar can prosecute.
You are entitled to seek compensation through the Courts if damage (not just distress) has been caused by the loss, unauthorised destruction or disclosure of your personal data. 'Unauthorised' means without the authority of the data user or computer bureau concerned. If damage is proved, then the Court may also order compensation for any associated distress. You may also seek compensation through the Courts for damage caused by inaccurate data.
With few exceptions, if you hold or control personal data on computer, you must register with the Data Protection Registrar. Registration is normally for three years and one standard fee is payable to cover this period. To register you should call 01625 - 545740. Computer bureaux which process personal data for others or allow data users to process personal data on their computers must also register. Data users and computer bureaux who should register but do not, are committing a criminal offence, as are those operating outside the descriptions contained in their register entries. In these cases the Registrar regularly prosecutes. The penalty for non-registration can be a fine of up to £5,000 in the Magistrates' Court in England and Wales and in the Sheriff Court in Scotland, or an unlimited fine where convicted on indictment in the Crown Court or a Sheriff Court.
In some circumstances it is not necessary to register your use of personal data. These 'exemptions' are very narrow and subject to strict conditions. Many data users will find it is safer to register.
If you intend to rely on one of the exemptions you are strongly advised to read The Guidelines section 6 (Exemptions) http://www.open.gov.uk/dpr/guide.htm or contact this office for advice. The Guidelines can also be requested by telephone.
A register entry is compiled from the information given when registering. The entry gives the data user's name and address together with broad descriptions of:
Computer Bureaux register entries only contain the bureau's names and address.
Once registered, data users must comply with the eight Data Protection principles of good information handling practice contained in the Act. Broadly these state that personal data must be:
If the Registrar considers that breaches of the principles have taken place, enforcement action can be taken against a data user who may appeal in turn, to the independent Data Protection Tribunal. However, if it upholds the Registrar's enforcement action, failure to comply becomes a criminal offence.
Office of the Data Protection Registrar,
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
To Register call 01625 545740
Information Line 01625 545745
Switchboard 01625 545700
Facsimile no 01625 524510
DX 20819 Wilmslow
home page:http://www.open.gov.uk/dpr/dprhome.htm
e-mail: data@wycliffe.demon.co.uk
December 1998
An Appraisal of Technologies
of Political Control
European Parliament
CCTV and the Surveillance Camera Players
Alan Lodge / Tash: ... tash@gn.apc.org