Uk data protection act 1998 pdf

Although the intended purpose of CCTV implementation is invariably cited as crime prevention and detection in schools, the objectives of CCTV in schools are not limited to this. As outlined above, the reasons are manifold and include diverse prerogatives such as to tackle bullying,7 for the invigilation of exams,8 and to monitor the performance of teachers.

It is unlikely that schools list all of the multifarious ways that their CCTV system is used and as such it is unlikely that images are being processed fairly and lawfully. Some instances of schools utilising audio recording equipment have begun to occur.

For example, in Greater Manchester, one council has installed CCTV cameras in the class- rooms that are fitted with microphones. The teachers have been asked to wear earpieces so that live feedback can be provided to them on their teaching delivery and performance Qureshi The move has been criticised for potentially stifling the natural teaching experience, but its legality or ethicality has gone unquestioned. Despite these instances receiving widespread media attention, the new and novel ways that CCTV is used in schools continues unabated and unchallenged by the ICO.

The problems outlined above are further compounded by the second principle. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes This clearly indicates that the use of CCTV should be limited solely for the purposes that are intended, which casts doubt on the legitimacy of its use in situations that have not been specified.

Clarification of this point was sought from the ICO as the evidence suggests that CCTV is utilised in schools for a variety of purposes as illustrated above. The following question was asked: If a school uses CCTV to monitor pupil behaviour, or to assess teaching ability, or to monitor bullying in the school toilets, i.

Taylor fall broadly within another registered purpose. Further to your final point […] the notification form is not the place in which a data controller has to specify exactly how they intend to process the data for these types of purposes. For example, even if a school has included within their register entry that they are using CCTV for crime prevention purposes, this would not prevent them from using that same CCTV system to process personal data for another purpose such as assessing teachers or monitoring pupil behaviour and bullying as long as that additional use was also broadly described within another existing purpose within the register entry.

Rather, all that is required is that the purposes for collecting data can broadly be categorised into one of the existing reasons provided by the ICO. The key to compliance, it would appear, is to remain suitably vague.

The broad categorisations serve to obscure the actual purposes of personal data processing whilst allowing the schools to operate in compliance with the DPA. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed This is clearly open to interpretation. For example, numerous schools have implemented the use of CCTV in school toilets, which has been regarded as excessive by some11 but necessary by others. In these cases, you should make extra effort to ensure that those under surveillance are aware.

Personal data shall be accurate and where necessary, kept up to date This requirement means that system managers will be in breach of the DPA if they fail to keep accurate and up-to-date records of various aspects of the system, such as who has had access to the recordings McCahill and Norris , Journal of Education Policy 9 Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose or those purposes In a similar vein to Principle 3 above, Principle 5 is very much open to interpretation and will vary by context.

The Code illustrates that in the case of a bank using the system to monitor an ATM machine to prevent fraud, it might be considered pertinent to retain images for three months as a fraudulent transaction may not come to light until the victim has received their bank statement.

On the other hand, a pub might need to keep their images for a much shorter period of time as an incident is likely to come to light much quicker ICO , In terms of a school, it is debatable as to what length of retention is strictly necessary to meet its purposes of recording footage. Arguably, some incidents may not come to light until months or even years later. For example, bullying, the tackling of which is a frequently cited motive for CCTV e. BBC News , is notorious for remaining hidden, often until years later.

It is clear that there is scope for schools to arguably keep CCTV footage for prolonged periods of time. This was confirmed in correspondence with the ICO, the Compliance Manager stated: In accordance with their right of subject access contained within section 7 of the DPA any individual can make a subject access request to a school to obtain a copy of any CCTV footage in which they can be identified.

This would present a huge pragmatic issue for schools were this to become a regular occurrence. Furthermore, in some cases the images of third parties identifiable in the footage may need to be redacted blurred or removed before the images are released ICO Collating this footage of indi- vidual pupils as well as adhering to the rights of third parties to be anonymised would become a logistical nightmare, as well as a very costly exercise, for school CCTV operators.

A pupil or teacher could legitimately request every piece of footage on which they appear, day after day, although Section 8 3 of the Act limits the obli- gations of a data controller when responding to subsequent identical or similar requests. Responses must be provided within 20 days of the request , However, research suggests that this is not adhered to by the majority of schools.

So the failure of schools to respond is not surprising. Ozimek These elements of the DPA and the FOIA would clearly present enormous logis- tical and financial problems for schools if any great quantity of requests was made and compliance was fully enforced by the ICO. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data The principle here stipulates that all those involved in the operation of a CCTV system must be fully aware of the rights of data subjects to access material collected of them as outlined in Principle 6 above McCahill and Norris , As outlined above, it is unlikely that the majority of schools are fully conversant with their obligations so as to comply with this principle.

This could have serious implications for the legality of the systems with respect to privacy and data protection. In addition, the ATL survey of teachers found that opinion was divided regarding the adequacy of security measures designed to protect the data generated from its use. This could well mean that a proportion of CCTV systems in schools across the UK are operating with questionable legality.

Although this represents a very small number of respondents, such misconduct could undermine the privacy of staff and pupils and ultimately be in violation of the DPA. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protec- tion for the rights and freedoms of data subjects in relation to the processing of personal data This provision is self-explanatory and has little impact upon schools.

Discussion and conclusion The codes of practice outlined above provide a degree of protection towards the subjects of CCTV monitoring; however, as inferred under some of the principles the ability of schools to comply with them is sometimes doubtful. It appears that it is common for schools to be in contravention of the legislation for a number of reasons, such as not responding to requests for information under the FOIA as reported by ARCH and the failure to adhere to DPA requirements, such as providing adequate signage as reported by CameraWatch Similarly, the information gained from the ICO indicates that it is likely that a large proportion of schools are processing visual data unlawfully.

It is clear that there is still some ambiguity in terms of ensuring compliance to the DPA. Given the ubiquity of CCTV, coupled with the limited resources of the ICO, it is unlikely that compliance with the Act will be enforced in any great measure.

The revised CCTV Guidance is more comprehensive and more attuned to the need to regulate the technology. However, without specific guidelines for schools and stringent regulation it is likely that numerous schools will not be adhering to the law.

The pervasive narrow definition of CCTV as a crime control technology has served to inhibit understanding regarding the impact that it can have on individuals without criminal intent.

The burgeoning of CCTV is arguably based upon its supposed success as a crime control technology and ability to reassure people against the fear of escalating crime. Taylor Welsh ; Groombridge ; Taylor Perhaps more importantly, there has been no research exploring what the longer term effects might be upon individuals and society. In particular, those that experience increased surveillance from a young age and for sustained periods of time, i.

The regulation of CCTV and surveillance has been found desperately wanting. It is highly unlikely that the majority of CCTV systems in UK schools are compliant with the scant, ill-defined and under-enforced rules and regulations that do exist.

Furthermore, it is likely that numerous schools would be unable to respond to the requirements of the DPA if it were to be enforced. Hitherto, there has been very little earnest resistance to CCTV by pupils in schools,15 but clearly there is the poten- tial that this could escalate as surveillance practices in schools continue to flourish unabated. Highlighting the failure of schools to adhere to the law is a potential avenue for resistance to manifest itself.

Schools are contributing to the emergence of a surveillance society and subjecting young people to a heightened level of scrutiny. This makes it a crucial time to begin to shape policy that regulates the use of CCTV in schools.

More broadly, policy- making should be framed within an informed public debate about the desirability of surveillance technologies becoming incorporated into school life. As part of this, there needs to be a reassessment of the legislation that seeks to regulate the use of CCTV.

The current legal provision is not only insufficient but also so lackadaisically enforced that it entirely negates its existence. Without sufficient regulation, CCTV and surveillance practices have free reign to invade our streets, workplaces and classrooms. Notes 1. As a further indication of how the use of CCTV in schools is becoming more common, it has been reported that some local education authorities are seeking to implement CCTV in all schools within their jurisdiction.

The DPA was introduced to protect against the misuse of data in the context of auto- mated processing. For further discussion of its limitations, see Maguire and McCahill and Norris It is questionable as to whether the recording of conversations for teacher training purposes is justifiable by the standards outlined by the ICO. They are mainly internet based and can be found at: www.

Pupils at a school in Waltham Forest Guardian walked out of their school following the introduction of CCTV because they felt it threatened their civil liberties. The pupils refused to return until they had received assurances that it had been turned off.

Furthermore, upon their return to the school, the pupils wore masks to continue their protest Colasanti A growing litigation culture against schools has been identified in the UK and has been reported in the mass media.

For example, David Hart, general secretary of the National Association of Head Teachers, said many of his members had become concerned about the growth of litigation for incidents such as accidents in the classroom, exclusions and exam results BBC News She has written exten- sively on issues pertaining to the growing use of surveillance technologies in UK schools.

Schools and the Freedom of Information Act. Armitage, R. Smyth, and K. Burnley CCTV evaluation. Painter and N. Tilley, — Arnot, C. Clive Norris: Watching brief. The Guardian June BBC News. Schools alarmed by litigation culture. May School CCTV to combat bullying. November CCTV could be used in exam rooms. April Teachers watched on CCTV cameras. March 4. Pupil withdrawn over toilets CCTV. January School head defends toilet CCTV.

Brown, B. London: HMSO. Burrows, J. Closed circuit television on the London Underground. In Designing out crime, ed. Clarke and P. Mayhew, 75— Autumn Newport City Council brings IP surveillance to 27 schools. Suffolk: Hourglass. Colasanti, J. Loughton: Pupils walk out of lessons in protest against Big Brother cameras. Waltham Forest Guardian, May Compliance Director, CameraWatch.

CameraWatch enquiry re school report. Compliance camerawatch. Compliance Manager, ICO. Information request to the ICO [Ref. Davies, S. Law that favours disorder. The Guardian, September Farrington, D. London: Home Office. Fischer, F. Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights of data for subjects in relation to the processing of personal data.

Use to answer question The Data Protection Act, 8 Principles. Processing personal information fairly and lawfully Personal data should be processed fairly and lawfully and, in particular shall not be processed unless certain conditions, set out in the Act, are met. Keeping personal information accurate and up to date Personal data shall be accurate, and where necessary, kept up to date 5.

Keeping personal information Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Information Security Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data 8.