Brian Sims
Editor
Brian Sims
Editor
RECENTLY, PROFESSOR Fraser Sampson – the UK’s Biometrics and Surveillance Camera Commissioner – wrote a thoughtful (and exclusive) article for Security Matters that considered proposed legislation designed to reform public space surveillance by the police service. Here, by way of a follow-up, Laurie Clarke expands on the broader implications of proposed changes to the Office of the Biometrics and Surveillance Camera Commissioner, specifically with regards to the Surveillance Camera Code of Practice itself.
The Surveillance Camera Code of Practice, issued by the Home Office under the Protection of Freedoms Act 2012, was developed to provide a coherent and comprehensive structure against which Best Practice in visual data processing and/or management could be measured and assessed.
The Code of Practice duly sets out 12 guiding principles, which aim to strike a balance between protecting the public and upholding civil liberties, chiefly with regards to data and privacy considerations central to surveillance operation.
Under Section 33 (5) of the aforementioned Protection of Freedoms Act, local authorities, Police and Crime Commissioners and chief constables must pay due regard to the contents of the Code of Practice. Importantly, other organisations can voluntarily adhere to the latter as well.
The remit of the Code of Practice has expanded with evolving surveillance technology and currently includes all of the following: CCTV, body-worn video, unmanned aircraft systems (ie drones), Automatic Number Plate Recognition (ANPR) systems and also automatic facial recognition solutions.
The Protection of Freedoms Act also introduced a requirement for the Home Secretary to appoint a Surveillance Camera Commissioner – the present incumbent of that role being Professor Fraser Sampson – to report on compliance with the Code of Practice. This is achieved through a process of third party auditing, which is provided by a UKAS-accredited organisation, and certification via the Office of the Biometrics and Surveillance Camera Commissioner.
Formal verification
In many regards, certification against the Surveillance Camera Code of Practice is the only formal verification of surveillance data and privacy compliance available to both public and private sector bodies here in the UK. From the police to local authorities and from car parks to drone companies, certification provides confirmation that an organisation’s recording devices are used proportionately, effectively and, importantly, in pursuit of a legitimate aim.
At the time of writing, upwards of 100 organisations have been certificated against the Code of Practice.
In our experience as an auditing body, the greatest area of growth by far has been within the private sector. This is perhaps because achieving third party certification of Code compliance presents additional operational and/or commercial advantages over simply having due regard for its principles.
Take, for example, the private parking sector. The current Private Parking Code of Practice specifically references alignment to the Best Practice requirements of the Surveillance Camera Code of Practice in two of its 16 designated sections. In the drones sector, one of our more recently certificated clients has reported using its certification as evidence of data and privacy compliance in support of various bids and tenders.
Alternatively, increased private sector uptake may well be a reflection of the exponential growth of its usage of surveillance technology.
Continuing with the examples them, if you attempt to count the number of ANPR systems and/or CCTV cameras in any standard car park, you will quickly find that you run out of fingers and toes. Likewise, just this year PwC published its updated assessment of the UK drone economy, duly predicting 900,000-plus commercial drones being in the air by 2030. Each of them presents a unique data and privacy challenge.
Most likely, both of the above factors are at play in varying degree.
What we can say with absolute certainty is that the Office of the Biometrics and Surveillance Camera Commissioner and its Code of Practice exist to guide and highlight Best Practice, no matter the organisation and no matter the surveillance device. In this aim, they do appear to be extremely effective.
Draft Data Protection and Digital Information Bill
Back in September 2021, the Government commenced a process of consultation on data protection reform, seeking views on simplifying the oversight framework for the police service’s use of biometrics and the overt use of surveillance cameras by the police and local authorities.
Having only recently appointed one individual to take on what were previously the part-time roles of Biometrics Commissioner and Surveillance Camera Commissioner, the Government wished to further explore the potential for absorbing these functions into the Information Commissioner’s Office (ICO). Such a move, claimed the Government, would realise benefits for data controllers and the public alike by creating a single route for advice, guidance and redress.
In response to mixed feedback, the Government later revised that approach and said it would simplify the oversight framework for biometrics, but would not transfer the Biometrics Commissioner’s functions to the ICO. It would instead consider transferring these functions to the Investigatory Powers Commissioner.
Fast-forward to 18 July this year. Three days before Parliament’s summer recess. The draft Data Protection and Digital Information Bill was issued.
At the time, the Government claimed the Bill would “seize the benefits of Brexit” to “reduce burdens on organisations, while maintaining high data protection standards.”
It’s difficult to know where to begin with that particular word salad. For the sake of collective sanity, let’s glance across it and focus on the important elements.
Amid the usual rearranging of deck chairs, tucked away on page 115 of the draft Data Protection and Digital Information Bill is the following wording:
104. Removal of provision for regulation of CCTV, etc.
(1) The office of Surveillance Camera Commissioner is abolished.
(2) In the Protection of Freedoms Act 2012, omit Chapter 1 of Part 2 (regulation of CCTV and other surveillance technology).
Within the House of Commons Research Briefing, published on 31 August this year, it’s further clarified that: Clause 104 (1) would abolish the office of Surveillance Camera Commissioner. Clause 104(2) would repeal Part 2 Chapter 1 of the 2012 Act to remove the requirement for a Surveillance Camera Code. The Bill’s Explanatory Notes state that the Information Commissioner would continue to provide independent oversight and regulation of this area, without duplication by the Surveillance Camera Code and Commissioner.
Early days
What does this mean, then, for those who rely upon the Surveillance Camera Code of Practice and/or those organisations who are currently certificated against it? First and foremost, it must be stressed that it’s still early days for this draft Bill and it has yet to go through even the Committee Stage in the House of Commons. Safe to say it’s extremely unlikely to go through the full passage – from the House of Commons to the House of Lords and on to Royal Assent – without amendments being made. Consider it a first draft of a Bill that, thus far, has entered the world largely without scrutiny from Parliament.
Nevertheless, it appears from this draft Bill that the Government may have underestimated the impact of the removal of the Office of the Biometrics and Surveillance Camera Commissioner through focusing on Code simplification over the current scope of Code application.
While reference has been made to the merging of guidelines between the ICO and the Surveillance Camera Commissioner, issuing guidance is just one of the Commissioner’s many roles and, at present, no consideration appears to have been given to formal certification and mechanisms to ensure continuity of this valuable process.
When we recall that this amendment was first proposed on the basis of simplifying the oversight framework for the police and local authorities – entities who are required to have due regard for these guidelines as opposed to the specific requirement for formal certification – and not the private sector, then perhaps we have some explanation for this apparent omission.
Seeking clarification
Concerned by the ramifications of the Government’s proposal and what – on the surface, at least – appears to be a regulatory step backwards, IQ Verify reached out to its local MP for clarification. Specifically, the company asked the following questions:
*What was the justification for such a change in light of the success of the Surveillance Camera Commissioner and the seemingly exponential growth of surveillance usage – both in the public and private sectors – across the UK?
*What’s being done to protect the interests of those countless organisations who rely upon – or, indeed, have achieved – certification against the Surveillance Camera Code of Practice?
A few weeks later we received a response direct from the Home Office and, specifically, the Government minister with policy responsibility for this area. The minister explained that the change was being made to reduce duplication between the ICO and the Surveillance Camera Commissioner and increase the regulatory powers available to investigate and fine data breach episodes.
Reference was also made to consolidating guidance and oversight in order to bring expertise into one place and ensure consistency, making it easier for the police and the public at large to understand.
Somewhat predictably, no reference was made within this explanation to organisations outside of the police service, nor indeed to those within the private sector.
The second question – the more critical of the two for the planning and continuity of those organisations who draw value from existing surveillance certification processes – was answered in the final lines of the letter. The following is a direct quote from the response: “I recognise that some of the Surveillance Camera Commissioner’s ancillary functions, such as the third party certification scheme, are aimed at encouraging Best Practice and consistency in operators’ use of surveillance cameras, and I expect that there will continue to be a demand for similar assurance going forward. The Government is considering whether another existing body could support continuation of the scheme in some form and would welcome the chance to engage with key stakeholders, such as IQ Verify, in due course.”
What springs to mind?
Two things leapt out of the page from these comments. The first is that insufficient consideration may indeed have been given to “ancillary functions” of the Office of the Biometrics and Surveillance Camera Commissioner, including third party certification, within the draft Data Protection and Digital Information Bill. The second is more reassuring in that it appears this potential oversight is now firmly on the Government’s agenda to address.
What happens next, then? For those organisations who rely upon the existing Code of Practice, be it for guidance or formal certification, the long and short of it is they don’t need panic. From the response provided above, the Government appears (now) to be in the process of developing a strategy to ensure continuity of third party certification services against the Surveillance Code of Practice. While this process may – or may not – have different ownership in the future, at present there’s no indication that there will be any change to the availability or recognition of formal organisational surveillance certification.
The updated Data Protection and Digital Information Bill will most likely contain the outline for these arrangements in due course.
However, we would strongly recommend that all interested parties reach out to the Home Office and register their interest as a stakeholder in this project as soon as possible. In doing so, collectively we can help to ensure surveillance standards – and the mechanisms by which these can be reliably assessed and, just as importantly, evidenced – remain in focus over the full passage of the Bill through the Houses of Parliament.
As for my own prediction, I have a sneaking suspicion that the end result will be the continuation of existing certification activities with a renewed focus on the private sector and the introduction of a Commissioner 2.0. That individual may very well be the same person.
Laurie Clarke is Certification Manager at IQ Verify Ltd
*Established in 2013, IQ Verify Ltd is a UKAS-accredited certification body specialising in security and surveillance standards. For more information on certification against UK surveillance standards e-mail: info@iqverify.org.uk