The Operator: Watching out for CCTV - premises licence conditions and data protection obligations

3 July 2012

EMILY CARTER AND SARAH HARRIS PROVIDE PRACTICAL GUIDANCE AS TO THE LEGAL OBLIGATIONS OF LICENSEES WITH RESPECT TO THE INSTALLATION AND MAINTENANCE OF CCTV ON THEIR PREMISES.

In January of this year, Lincolnshire Police applied under the provisions of Section 51 of the Licensing Act 2003 for a review of the premises licence held in respect of Kai’s Bar in Mablethorpe by the District Council’s Licensing Act 2003 Sub-Committee. The review had been sought after Mr. Kheng refused to supply CCTV footage following an incident which had occurred at a private residence unconnected to the licensed premises, resulting in the Police being forced to obtain a court order to acquire the material in question. Mr. Kheng argued that the request for the footage had been too broad and that the reasons for requesting the data had not been given in full, such that Section 7 Part 9 of the Data Protection Act 1998 was engaged.

The Police requested that a number of additional conditions be added to the licence, including a stipulation as to what type of CCTV must be provided and that the minimum period of time that recordings must be kept be increased to 31 days.

The Committee dismissed all the conditions put forward by Lincolnshire Police. They chose instead to amend the relevant condition from ‘provision of CCTV and recordings made available to police upon request’ to ‘a tamper resistant CCTV system shall be installed, maintained in working order and operated at the premises. Subject to a suitable request and agreement of the Data Controller images shall be released to Lincolnshire police so long as the Data Controller is happy to do so in accordance with the Data Protection Act 1998’. This case highlights an ongoing dilemma facing licensees that was first raised back in 2009, when a number of Police forces across the country applied for ‘blanket’ conditions imposing obligations to install CCTV, leading to the Information Commissioner’s Office issuing specific guidance with respect to the issue.1

The increasing obligations that accompany CCTV conditions should make licensees more alert to the need to ensure that they are only attached in appropriate circumstances. It is of note that the Committee in this case appeared to be very much alive to the data protection obligations on licensees. Given the potential costs implications of court proceedings to compel data controllers to comply with a request, it is crucial that licensees are fully apprised of what their obligations are, including when to agree to disclose the information and when to refuse.

Considerations regarding the imposition of CCTV conditions
As Neil Williams of the British Beer and Pubs Association states: ‘While CCTV can play a useful role in some situations, blanket or standard CCTV conditions cannot be imposed under the Licensing Act, except where there are valid objections to a licence on the grounds of one of the objectives. Pubs with no history of disorder should not be forced to install CCTV cameras.’

The guidance issued by the Secretary of State under Section 182 of the Licensing Act 2003 provides the following important qualifications in relation to conditions:

  • they must be appropriate, proportionate and justifiable in meeting the licensing objectives;
  • they should be prescriptive, readily understood and enforceable;
  • they must be precise and not difficult for a licence holder to observe, given that failure to comply with any conditions attached to a licence or certificate is a criminal offence, which on conviction would be punishable by a fine of up to £20,000 or up to six months imprisonment or both;
  • they cannot seek to manage the behaviour of customers once they are beyond the direct management of the licence holder and their staff or agents, but can directly impact on the behaviour of customers on, or in the immediate vicinity of, the premises as they seek to enter or leave;
  • they must be expressed in unequivocal and unambiguous terms;
  • they should be tailored to the size, style, characteristics and activities taking place in the premises concerned, ruling out standardised conditions;
  • licensing authorities and responsible authorities should be alive to the indirect costs that can arise because of conditions attached to licences.

Complying with the Data Protection Act 1998
The Information Commissioner has powers to issue undertakings, serve enforcement notices, undertake compulsory audits and issue monetary penalty notices of up to £500,000 for serious breach of data protection principles. Accordingly, for licensees who have installed CCTV, it is essential to understand and comply with the Data Protection Act 1998 (DPA) – and ensure that you fully document your compliance. The DPA relates to personal information (CCTV images) relating to “data subjects” (your customers) held and processed by “data controllers” (the licensee). As a data controller, you are responsible for ensuring that all CCTV images are used, stored and disclosed in accordance with the data protection principles. In particular, you must ensure that you only process CCTV in accordance with the purpose for which it was installed and you must bear in mind the rights of your customers. The data protection principles are sometimes difficult to apply as there are no “one size fits all” rules. However, the Information Commissioner’s CCTV Code of Practice provides clear guidance:

  • You must notify the Information Commissioner that you are a data controller (for an annual fee of £35.00);
  • Customers must be told that their images are being recorded on CCTV – a sign in a prominent place confirming that there are CCTV cameras in operation will be sufficient;
  • You must store the images securely and keep them only for as long as is proportionate and reasonable. The period should ideally be agreed with the police, if this is not already a condition of your licence;
  • You are responsible for ensuring that the systems in place at your premises are clearly understood by all those operating the CCTV equipment, that responsibilities are clearly allocated and that the system is audited on a regular basis;
  • Any customer whose image is on CCTV can request a copy of that image of themselves and there must be a process in place to deal with such requests, however unlikely.

Most importantly, if you are asked to provide CCTV images by the police, the obligation is upon you to ensure you have sufficient information from the police in order to assess whether handing over the images is justified by the nature of the request. The Information Commissioner has made it plain that any licensing condition which requires a licensee to hand over images to the police “on request” conflicts with the provisions of the DPA. Where the police have established that it is necessary for investigating or preventing a crime or apprehending or prosecuting an offender, this will usually be sufficient reason to disclose the images.

Changes to data protection in the pipeline
The Protection of Freedoms Bill, which has reached the final stages in Parliament, includes preparation of a new code of practice on the use of CCTV and appointment of a Surveillance Camera Commissioner. Breaching the code itself will not lead to civil or criminal proceedings but it will provide guidance as to best practice.

Meanwhile, earlier this year, the European Commission published a new proposed data protection directive to replace the existing European scheme underpinning our Data Protection Act. Although it is still early in the process of consultation and debate leading to the finalisation of the new European law, once implemented within the UK, the proposed changes are likely to have a significant impact upon businesses of all sizes in the UK. In particular, it is anticipated that organisations will need to notify the Information Commissioner’s Office of data security breaches – and the penalties for breaching the data protection requirements will be increased to up to 1-2% of a company’s turnover.

Accordingly, licensees must be more wary than ever of their data protection obligations.

Emily Carter & Sarah Harris

Footnote

1 http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/cctv.aspx
