CCTV in the dock

OUT-LAW Radio, 27/09/2007

We hear how the cameras that try to catch us misbehaving are mostly themselves operating illegally.

• Download OUT-LAW Radio, 27/09/2007 (11MB, 11 minutes)
• Low quality recording for 27/09/2007 (3MB, 11 minutes)
• Instructions for listening and subscribing to OUT-LAW Radio
• For a text transcription, email: radio@out-law.com

A text transcription follows.

This transcript is for anyone with a hearing impairment or who for any other reason cannot listen to the MP3 audio file.

The following is the text spoken by OUT-LAW journalist Matthew Magee.

Hello and welcome to Out-Law Radio, the weekly podcast that keeps you up to date on all the twists and turns in the world of technology law.

Every week we bring you the latest news and in depth features that help you to make sense of the ever-changing laws that govern technology today.

My name is Matthew Magee, and this week we ask who guards the guardians are the CCTV cameras that are designed to keep us in line themselves breaking the law and how can companies manage to avoid having to deal with employees surfing eBay for two hours a day.

But first, the news:

• IBM faces virtual picket; and
• GMTV fined two million pounds in phone competition scandal

IBM faces virtual reality's first picket line today at the Company's offices in online game Second Life. Workers have taken their industrial relations dispute online and have received attention and backing from all over the real world.

IBM is a major investor in its presence in Second Life on which, some reports suggest, it has spent it has spent $10 million.

IBM workers in Italy have been protesting over pay. They had asked for a salary increase of €, plus improvements to pension and health rights, according to union representatives at IBM in Italy. Those representatives said that they then had benefits worth a thousand Euros a year stripped from them. Christine Revkin of international union UNI said her members were supporting the action:

Revkin: We started at 09.00 am London time and it will finish today at 09.00 pm the idea is that people come into Second Life and when they reach these IBM locations they will meet other protestors, participants and will put their banners on and their flying fish with slogans above their advertised heads. It just made sense that we tried something original especially in Second Life where IBM invested so much money and is really building business there.

Media regulator Ofcom has fined broadcaster GMTV £2 million over its misconduct in viewer competitions over a four year period. It is the highest fine ever issued to a broadcaster by Ofcom, which said that up to 25 million people may have been cheated.

GMTV will have to pay the fine and broadcast the regulator's findings on three separate occasions.

Ofcom said that the operation of the competitions represented 'gross negligence' and identified three flaws in the operation of them. It said that competitors were chosen to be finalists up to three hours before phone lines closed, meaning that many entrants had no chance to win the competition

That Was This Week's Out-Law News

Barely a day goes by without another apocalyptic warning about how closely watched we are, how Britain is a surveillance society and how our basic right to privacy is little more than a memory.

Britain is littered with CCTV systems; we have more than any other nation per head of population. They are set to increase tenfold in number in the next five years, say experts, and are designed to catch us out in illegal activity.

But could the cameras themselves be illegal? With new regulations about to take a hold in Scotland we reveal that as many as 95% of existing cameras are operating outside of the law in the UK, according to one expert.

Business owners who run CCTV systems must make sure that they have notified the information commissioner that they are collecting data about the public, and must comply with the Data Protection Act in how they use that information.

This says Bernie Brooks of Datpro, a CCTV compliance consultancy, is where the problems begin.

Brooks: From my own experience, after personally surveying many, many hundreds of buildings I would say that probably less than 5% are compliant so in other words 95%, I would say, are probably non compliant in one way, shape, form or another within the Act. Obviously that is quite a worrying thing for numerous reasons. One, if a system is non compliant it could invalidate the usefulness of the evidence in a court of law which obviously would be worrying to some people because obviously it is everybody's expected right to believe the system is fit for the purpose. Any CCTV system in business, retail, commercial, industrial whichever, where the system is operated and monitors what is going on in the work place or outside the work place which is basically used for property management, shall we say, or for crime , yes, it does need to notify.

Data protection law is there to ensure that information on us is not gathered excessively, stored carelessly or used inappropriately. CCTV operating companies have to be aware of all its dimensions, says Brooks.

Brooks: There are eight principles to the Act and of those eight principles, dependent on interpretation that equates to around about 70 points of law. One of those is notifications, which is basically where you register with the office of the Information Commissioner and basically if you have a CCTV system in, it basically has to be operated within compliancy of the Data Protection Act.

There is another complication. Few people outside the security industry know that if you work for a security contractor and operate a CCTV system you need a licence. In fact, few people in the security industry seemed to know it when the law was brought in 2006 in England and Wales, causing backlogs and missed deadlines.

Licences are granted by the security industry authority. SIA head of investigations Jennifer Pattinson explained why they are needed at all.

Pattinson: If you operate CCTV equipment monitoring either public or private space and you are monitoring members of the public then it is likely that you would need a Security Industry Authority licence in order to do that. The reason for licensing is to remove the criminal element from the private security industry but also to improve levels of training and professionalism within the industry. There are a large number of convictions that are mainly related to public order offences violence, assaults and sexual offences and drug related offences. They are offences which we consider relevant to the role in which the individual is deployed.

Licences have been needed in England and Wales since 2006, and will be needed in Scotland from November 1st of this year. You only need a licence if you work for a contractor, so small shop owners, for example, do not need a licence to operate the system. Pattinson explains why.

Pattinson: The reason being is that the issues in the security industry have generally been around contracted security guards. We would take it that an employer who is employing security directly takes a responsibility for their employees and does these kinds of checks as part of the recruitment process.

Pattinson is confident that most practitioners now have licences, though the SIA still acts on tip offs and conducts raids on operators.

Brooks though is far less optimistic about the practices of the companies on whose behalf the systems are used. He says our basic rights as those who are surveyed are rarely considered.

Brooks: If you went in and said look I would like a couple of images from yesterday because I want to see how I looked in that coat and you have not given them a specific time,  they can say: well look it takes us ages to review this and we would just say it is disproportionate effort because you are not really saying it’s a crime it is just seeing how you looked. So there are ways somebody could refuse data. They could turn around and say we refuse you but they have to give the reason why but there are very few reasons why they can refuse you. So yes, you could in theory walk in and say I would like a copy of my images from yesterday and I will tell you now if you went and did that in 75% of the businesses out there, if not 95% of the businesses, I would bet you they (a) would not know what you are talking about and (b) would not know how to handle it or they would just say we only give them as we come across a lot or that only the police are allowed them , which is rubbish. Basically if someone does not know how to handle a request it is an offence under the Act.

Brooks even said that the fact that there are two kinds of licences confuses companies, giving some a false sense of security.

Brooks: More and more people are getting trained but intriguingly what we do come across is where people have been trained, they think that automatically it makes them able to operate a CCTV system in compliance with the Data Protection Act and it does not, the system is its own thing.

Three Welsh council workers recently got more than they bargained for when the hours a day they spent on auction site eBay resulted in their losing their jobs.

Trade union officials are blaming Neath Port Talbot Council for not blocking the website and putting temptation in the workers way, so where does personal responsibility stop and workplace policy begin, when it comes to the web at work?

Employment expert Ben Doherty of Pinsent Masons the law firm behind Outlaw explains that, as in all such cases, the devil is in the detail of an employer's technology usage policy.

Doherty: Every employer who has concern with internet access and use of e mail should have an internet user's policy which sets out what the appropriate level of access is and the times when the employees are allowed to use internet at work and also the content of the sites that they are allowed to use.

Doherty says that the more detail goes into your policy, the better you are protected if you do want to take action against employees who you think are breaching it.

Doherty: Those that have them are aware of the reasons for them and therefore aware that the more content there is and the more descriptive they are in the policy, the better. The issue that comes out of that is that having the policy itself is not necessarily enough. Obviously you have to police the policy and police it in a consistent way.

Neath Port Talbot council said that the employees were spending up to two hours a day on eBay. This kind of situation raises two problems for employers, said Doherty, forcing some to take action.

Doherty: And probably an employers' concern is two fold, it is an issue of reputational risk if employees are accessing inappropriate websites with pornographic pictures on them but also it is a question of the employer is paying the employee to do a job and does not necessarily want them using personal websites if you call them that such as eBay such as Amazon during normal working hours whenever they are being paid to produce something for the employers benefit.

That's all we have time for this week, thanks for listening.

Why not get in touch with out-law radio? Do you know of a technology law story? We'd love to hear from you on radio@out-law.com.

Make sure you tune in next week; for now, goodbye.

Out-law radio was produced and presented by Matthew Magee for international law firm Pinsent Masons.