Various questions regarding a domestic CCTV system in block of flats

[TedTom]

Hi all,

I am struggling to find some suitable advice on our CCTV implementation and legal matters. I have contacted the ICO by chat, but they couldn't really provide definitive answers on most questions. It's actually quite hard to find good guidance.

Background:

• I live in a block of 31 flats (only residential properties, no commercial properties)
• Block is part of a private estate, with other separate blocks and vast private communal gardens
• We decided to install CCTV on various parts of the building to monitor the block and surroundings (private communal gardens and private roads, rather than public street) several years ago, as we had anti-social behaviours in the gardens, various crimes, theft, drugs etc.
• CCTV has been valuable since its installation, used many times to record issues, to provide footage to the Police and also improve security reviewing issues. Police has also several times requested footage from us as they know we have CCTV, and in one occasion requested direct access to monitor live an ongoing investigation
• System was installed by a professional CCTV company, with the relevant signage, retention, privacy filters (when camera is facing another block) etc. CCTV recorder is in a dedicated, locked, secure cabinet
• No cameras have microphones, no sound recorded
• CCTV system is connected to the internet so that I have remote access to it (can view live feed, control some of the cameras, retrieve footage), as opposed to having to go physically to the CCTV cabinet
• Block is paying for the installation, maintenance and dedicated internet connection. Nobody inside of the block (residents) is objecting to the system in place (as it's contributing to making the place safer)
• I am the designated person managing the system, monitoring it, retrieving footage when required, liaising with the Police when required etc. I guess that makes me the data controller

As far as I aware, the system is fully justified and compliant with the various guidelines.

However, I still have some questions I am struggling to find answers for:

• Question 1: does this still qualify as a "domestic" installation (and associated rules), even though it's for a block of flat rather than an individual property?
  
  
• Question 2: can I share footage/pictures of incidents with other residents for the prevention of future crimes/incidents?
  For example, we had a non-resident breaking into the building twice and stealing some bikes. Can I share his picture with other residents so that they are aware and look out?
  ICO guideline says: "Make sure nobody can watch the footage without good reason" (quite vague) but I have also been told footage/pictures can only be shared with the Police (but often Police won't do anything or cases might not even be raised with them)
  
  
• Question 3: can I give access to the system to some other residents, so that live monitoring and management is not just done by me (resilience)? Or should we only have a single person with access to the system at any one time (which is of course a burden on one person)?
  
  
• Question 4: if someone has some queries about the system and its purpose/what it's recording, how do we address it?
  I am aware people can raise subject access requests (which are well defined on the government website), but what if they want some demo/review of the system (for instance, are privacy filters working as expected, is sound recorded etc.)?
  Or do we need a trusted third party to be involved in the review of the system, like the Police? Who can provide an independent audit?
  
  
• Question 5: do I have any personal liability in case someone decides the system is unlawful and takes me to court (base on recent news regarding the Ring doorbell case). Or would the whole block be the target/liable? How do I formalise this (everybody knows I am the "data controller" but there are no formal documents)?
  
  
• Question 6: signage. What do we need to have on the signs, as once again, this is not 100% clear. Do we need to have the purpose (e.g. crime prevention), contact details of data controller, organisation managing the system (block freeholder in this case)?

Thanks!

 

[codlord]

I have gone through something very similar recently and I can't say I am 100% correct but for what it's worth:

• Question 1: does this still qualify as a "domestic" installation (and associated rules), even though it's for a block of flat rather than an individual property?

Our block management company is a UK Ltd, so although installed in a domestic block the Ltd company is managing the communal areas and CCTV so we took it as non-domestic and wanted to comply with the relevant advice/legislation.
I thought that a personal/domestic system if it's only covering your property you can pretty much "do what you want" with no ICO registration. The Ring case was of course covering someone else's property AND recording audio.

• Question 2: can I share footage/pictures of incidents with other residents for the prevention of future crimes/incidents?
  For example, we had a non-resident breaking into the building twice and stealing some bikes. Can I share his picture with other residents so that they are aware and look out?
  ICO guideline says: "Make sure nobody can watch the footage without good reason" (quite vague) but I have also been told footage/pictures can only be shared with the Police (but often Police won't do anything or cases might not even be raised with them)

I don't know, but I think you would have to be very careful here. If you have any police contacts or PCSO I would ask them.

• Question 3: can I give access to the system to some other residents, so that live monitoring and management is not just done by me (resilience)? Or should we only have a single person with access to the system at any one time (which is of course a burden on one person)?

I don't see why there could not be more than 1 person with access, but I would document the decision and names etc by the management company to give access to others and make those people fully aware of your policies and ICO guidance regarding data protection etc.

• Question 4: if someone has some queries about the system and its purpose/what it's recording, how do we address it?
  I am aware people can raise subject access requests (which are well defined on the government website), but what if they want some demo/review of the system (for instance, are privacy filters working as expected, is sound recorded etc.)?
  Or do we need a trusted third party to be involved in the review of the system, like the Police? Who can provide an independent audit?

Personally I would only give them a copy of our CCTV policy document, unless they had just-cause to see the coverage of a particular camera (e.g. they were a neighbor and were concerned that a camera captured their garden or something like that).

• Question 5: do I have any personal liability in case someone decides the system is unlawful and takes me to court (base on recent news regarding the Ring doorbell case). Or would the whole block be the target/liable? How do I formalise this (everybody knows I am the "data controller" but there are no formal documents)?

Not sure, I am a director of the management co and we have directors liability insurance. Follow all the ICOs advice and document everything (see below).

• Question 6: signage. What do we need to have on the signs, as once again, this is not 100% clear. Do we need to have the purpose (e.g. crime prevention), contact details of data controller, organisation managing the system (block freeholder in this case)?

As I understand, yes, you need to specify the purpose and who the CCTV system is controlled by (a point of contact/contact details to a company/person). We got a sign from our installer and wrote purpose "Crime Prevention & Public Safety" and contact details. Ours is a small block so we have one sign where all residents/visitors can see it, then several more smaller generic "CCTV" signs in around the entrances/car park.

For our system we started at the ICO Checklist:

CCTV checklist

Data protection law covers the use of CCTV. This checklist help you to assess the compliance of your CCTV systems including the installation, management, operation, public awareness and signage.

ico.org.uk

We built our CCTV policy document around that - we wrote out every point and clearly documented when and how we implemented every single point. Along with setting out a policy of public requests, a form for public to fill out if requested, setting down £10 costs for requests as well as costs for USB storage sticks unless supplied by the requestor etc.

Also If not already see the Surveillance camera code of practice (and the 12 principles doc):

[Withdrawn] Surveillance camera code of practice

Published in June 2013, this code of practice was developed after a consultation on the code's scope, clarity and likely impact.

www.gov.uk

We also maintain a log - a monthly check of cameras working/clean/date & time correct. But also to log anything and everything related - annual maintenance/check by the installer, requests for info from public or police (thankfully none yet), software updates. Whatever - keep a log of everything.

 

[TedTom]

I have gone through something very similar recently and I can't say I am 100% correct but for what it's worth:

Our block management company is a UK Ltd, so although installed in a domestic block the Ltd company is managing the communal areas and CCTV so we took it as non-domestic and wanted to comply with the relevant advice/legislation.
I thought that a personal/domestic system if it's only covering your property you can pretty much "do what you want" with no ICO registration. The Ring case was of course covering someone else's property AND recording audio.

I don't know, but I think you would have to be very careful here. If you have any police contacts or PCSO I would ask them.

I don't see why there could not be more than 1 person with access, but I would document the decision and names etc by the management company to give access to others and make those people fully aware of your policies and ICO guidance regarding data protection etc.

Personally I would only give them a copy of our CCTV policy document, unless they had just-cause to see the coverage of a particular camera (e.g. they were a neighbor and were concerned that a camera captured their garden or something like that).

Not sure, I am a director of the management co and we have directors liability insurance. Follow all the ICOs advice and document everything (see below).

As I understand, yes, you need to specify the purpose and who the CCTV system is controlled by (a point of contact/contact details to a company/person). We got a sign from our installer and wrote purpose "Crime Prevention & Public Safety" and contact details. Ours is a small block so we have one sign where all residents/visitors can see it, then several more smaller generic "CCTV" signs in around the entrances/car park.

For our system we started at the ICO Checklist:

CCTV checklist

Data protection law covers the use of CCTV. This checklist help you to assess the compliance of your CCTV systems including the installation, management, operation, public awareness and signage.

ico.org.uk

We built our CCTV policy document around that - we wrote out every point and clearly documented when and how we implemented every single point. Along with setting out a policy of public requests, a form for public to fill out if requested, setting down £10 costs for requests as well as costs for USB storage sticks unless supplied by the requestor etc.

Also If not already see the Surveillance camera code of practice (and the 12 principles doc):

[Withdrawn] Surveillance camera code of practice

Published in June 2013, this code of practice was developed after a consultation on the code's scope, clarity and likely impact.

www.gov.uk

We also maintain a log - a monthly check of cameras working/clean/date & time correct. But also to log anything and everything related - annual maintenance/check by the installer, requests for info from public or police (thankfully none yet), software updates. Whatever - keep a log of everything.

Thanks, very helpful!