SURVEILLANCE CAMERA COMMISSIONER

Review of the impact and operation of the Surveillance Camera Code of Practice

February 2016

Recommendations

1. The Code to specify that Local Authorities appoint a Senior Responsible Officer/Single Point of Contact, at a senior level, to oversee surveillance capabilities across the entirety of the authority. This is in line with the requirements of the current Codes of Practice for directed surveillance under RIPA and RIP(S)A.
2. Government to require all Relevant Authorities to publish their surveillance camera coverage in terms of its systems, numbers, completed privacy impact assessments, self assessments, industry certification and outcomes of annual reviews (highlighting efficiency and effectiveness of the system). This promotes the government’s transparency agenda to the public and encourages take up of Surveillance Camera Commissioner toolkits and other compliance measures developed to raise standards. This shall be mandated by an additional section to the Code and Protection of Freedoms Act (PoFA 2012) to ensure Relevant Authorities are transparent in showing full compliance when operating public space CCTV systems.
3. Impact of Recommendation 2 to be monitored for compliance. Should compliance be unsatisfactory then Government to consider giving the Surveillance Camera Commissioner limited enforcement sanction powers to issue 90-day transparency notices to Relevant Authorities who fail to demonstrate that they operate systems to the required standards, or publish the required information for the public. Failure to do so will incur sanction penalty of independent inspection of the system by accredited inspectorates at the authority’s cost and any rectification defects found and results published.
4. Police to publicise governance arrangements for ANPR infrastructure including who ‘owns’ the system, how policy is formulated around its usage and ensure widespread communication of its value across England and Wales by police forces.
5. Government should identify measures to encourage use of a ‘Passport to Compliance’ (Operational Requirement & system certification) across Relevant Authorities. Its transparent use will save taxpayers money and raise standards. This will be achieved by mandating in the PoFA Code (or PoFA 2012) full compliance to recommendation 2 and the public (and civil liberty groups) will self-police and identify non-compliance that can be reported to the Surveillance Camera Commissioner.
6. The scope of Relevant Authorities within PoFA is expanded to cover all public bodies in receipt of public monies or publicly funded in any way. The Act should apply to any authority using overt surveillance in public space that has obligations under the Human Rights legislation and/or capabilities under RIPA.
7. The Government should consider ways to incentivise such organisations with a significant ‘surveillance camera footprint’ to voluntarily adopt the PoFA Code.
8. Government to consider ways in which Local Authorities are incentivised once they certify their town centre/principal schemes against the PoFA Code.
9. Regulators should strive to produce one Code of Practice relating to surveillance camera systems.

Introduction

The Protection of Freedoms Act 2012 (PoFA) reflected the Government’s commitment to regulation of surveillance camera systems used overtly in the public space and paved the way for the Surveillance Camera Code of Practice (PoFA Code). This regulation is intended to complement and be coherent with existing legislation, such as the Data Protection Act 1998, the Human Rights Act 1998 and the Regulation of Investigatory Powers Act 2000. Ministers committed to conducting a Review of the PoFA Code in 2015.
In addition to this the Act will also be subject to post legislative scrutiny in 2017.

Advancing technology and the ubiquitous nature of public surveillance present opportunities for crime prevention, community reassurance and criminal investigations. Post incident investigation of the London riots in 2011 pointed to the value of CCTV, and its utility in almost all serious and major police investigations demonstrates its widespread use. However, advancing technology and increasing use of algorithms (automatic facial recognition, predictive video analytics) also present very real issues of privacy and challenge to the legitimacy of its use. It also represents challenges to the development of the Surveillance Camera Code of Practice. Elsewhere, CCTV is not on the same footing as other types of forensic evidence such as DNA and fingerprints with no standardisation of its retrieval across forces – though arguably it is collected in every major criminal investigation.

A study of ‘CCTV volume’ by the British Security Industry Association (BSIA) in July 2013 indicates that in the United Kingdom there exists between 4 and 6 million such devices – the majority operating in the sphere of the private sector. In the last two years there has been a proliferation in the growth of new technology such as body worn cameras, ANPR and unmanned aerial vehicles (drones) equipped with camera technology. Whilst the public sector (police/Local Authorities) are utilising this equipment we are seeing much wider spread of use in the private sector. The figure 4 to 6 million is already beginning to look a little conservative.

From the outset government were clear that the public must have confidence that such surveillance is necessary and proportionate, supporting the philosophy of ‘surveillance by consent’ (being analogous to ‘policing by consent’) and that those who operate the systems do so with integrity.
The Government therefore adopted an incremental approach modelled on self-regulation with no inspection or enforcement powers. A code of practice with 12 Guiding Principles provides a framework that, if followed, will ensure that such systems are legitimate, proportionate, transparent, efficient and effective. The PoFA Code places the statutory burden on ‘Relevant Authorities’ (police, Local Authorities, police and crime commissioners) to have a ‘duty to have regard to the code’ in England and Wales. It also places the requirement on the Surveillance Camera Commissioner to encourage those organisations outside these sectors to voluntarily adopt the PoFA Code.

The role of Surveillance Camera Commissioner was introduced to encourage adoption and compliance of the PoFA Code, review its operation and provide advice about the PoFA Code. The government committed to a post implementation review of the PoFA Code: ‘the review approach and rationale would be determined in part by the Surveillance Camera Commissioner in consultation with Ministers’ and that ‘stakeholder views and feedback will be an integral part of the process of carrying out the review’. This review will focus on the impact of the PoFA Code, its strengths and weaknesses, and recommendations for development.

Success criteria

In the consultation document issued as part of the development of the PoFA Code, the Home Office included a list of “draft success criteria” – listed below – against which the operation and impact of regulation, including the PoFA Code, might be reviewed after it comes into force. Whilst these have not been made available to me and were not included in the PoFA Code, and there are no metrics against them, they are a useful baseline against which to gauge success or otherwise.
I will not comment on each of the criteria, but the processes I have put in place such as the self-assessment tool, certification, clarity on the standards landscape and the soon to be published Passport to Compliance have made a significant contribution to ensuring systems are used proportionately, transparently and effectively. They have raised standards and ensured that the criminal justice system benefits from the evidence collected. That is applicable to those that have used the tools available. This is not everybody. To date, not all relevant authorities have used the tools so this is work in progress but I am encouraged by the interest of voluntary adopters. The challenge is to widen the reach so that all the system owners who use overt surveillance camera systems in overt public spaces use the tools. There is much work to be done and the recommendations in this report will help me achieve that.

Regulation of surveillance camera systems under the Protection of Freedoms Act 2012 should:

1. Provide clarity over purpose and scope, particularly in defining surveillance camera systems, public place, overt use and privacy.
2. Be easily understood by both the public and system operators alike.
3. Ensure system operators are transparent and proportionate in balancing privacy and security considerations in any systems deployment, and they regularly review if the system meets its stated purpose.
4. Improve effectiveness of surveillance camera systems in providing better quality and more accessible images for use in the criminal justice system.
5. Enable the management of public safety (including the investigation and detection of crime).
6. Further help ensure compliance with other legislation affecting the use of surveillance camera systems, such as the Human Rights Act 1998, the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000, with no contradictions or inconsistencies and minimal gaps or overlaps.
7. Follow better regulation principles, introducing minimal bureaucracy and regulatory burdens.
8. Include sufficient flexibility to respond to developments in technology and occupational standards.
9. Be capable of differentiating between different purposes of surveillance camera system.
10. Secure widespread voluntary adoption by system operators.

Review Methodology

Work on the Review officially commenced in March 2015. Prior to that, together with BSI, we conducted national workshops in Bristol, London and Manchester. They were aimed at understanding the views of manufacturers, installers, designers, integrators and end users on where they go to get information on CCTV and how easy it is to find that information. The workshops were organised to bring similarly interested groups together as part of consultation; they incorporated police, transport, government departments, criminal justice system, technology and end users.

During the Review I hosted several private round table discussions with individuals who, throughout my term in Office, had demonstrated clear desire to help raise standards and challenge current practices. They comprised, in addition to the above, civil liberty group representatives, information lawyers, manufacturers and so on. In addition to these highly informative round table groups I held one to one meetings with senior National Police Chiefs Council leads on Body Worn Videos, ANPR, UAVs and CCTV.

Throughout my term in Office I have been supported by an Advisory Council and Standards Group. Both groups comprise senior strategic leads across my areas of responsibility and technical expertise in equal measure. The emerging issues have been documented and discussed in detail by these groups.

Also, throughout this period, I have continued a high level of national and international speaking engagements including workshops.
These have incorporated events held by National Security Inspectorate (NSI) and BSIA where discussion has focused on the practicalities of the PoFA Code, where it was seen to work and where there may be scope for enhancing the PoFA Code.

I have benefited from the continued support of the CCTV User Group who kindly coordinated a survey amongst delegates. Whilst it was not an official part of the review it has enabled me to obtain a detailed ‘ground-up’ view of regulation and the impact the PoFA Code is making. Additionally the CCTV National Standards Forum, comprising a broad mix of representatives (many not representing Relevant Authorities as identified within the PoFA Code) have aligned to my meeting schedules. This has enabled a more holistic view of the impact and potential for future voluntary adoption of the PoFA Code.

Finally, I ran a survey for four weeks in June 2015 for anyone with an interest in CCTV to complete which almost 500 individuals/organisations took the time to fill in.

From the evidence gathering sessions and survey the issues quickly began to focus on the following areas:

• Standards
• Scope of the Code (expanding Relevant Authority group/extending to Scotland)
• Powers
• Emerging technologies
• Duality of regulation

History and Development of CCTV

The development of public space CCTV is well documented. The iconic grainy images captured by CCTV of Jamie Bulger being led to his death by two juveniles are still scarred on the public consciousness. The potential value of CCTV as a crime reduction and community reassurance tool was recognised. The Home Office, via its Crime Reduction funding in the 1990s, released millions of pounds to Local Authorities to set up and establish Town Centre schemes across the Country. The predecessor to the Home Office Centre for Applied Science and Technology (CAST) issued an Operational Requirement (OR) which Local Authorities were instructed to comply with.
This OR was last refreshed in 2009 and is still utilised by consultants and designers. It does not however carry with it any mandate to comply other than signposting good practice and relevant British Standards. I will focus in greater depth on this issue. Properly developed the OR represents a key opportunity to ensure public monies are properly invested and CCTV industry specialists are held to account for products provided.

As the use of CCTV in the public sector took hold its proliferation in the private sector gained increasing momentum. Its versatility in crime prevention, crime investigation, asset protection and reassurance was immediately recognised. The most recent study conducted by BSIA underlines this fact. Indeed, in my short term in Office I have seen the proliferation of new technology already changing the landscape - Body Worn Video cameras being used by supermarket chains and Local Authorities alike; Unmanned Aerial Vehicles utilising surveillance technology used by police, roofing contractors, farmers and so on and Automatic Number Plate recognition – no longer simply used for Traffic Management (its initial use) but for serious and organised crime, national security and, its most recent usage, collection of vehicle excise revenue.

The Government’s contention, underpinning the introduction of the PoFA Code issued under the Protection of Freedoms Act 2012, that over-regulating in such a fast moving sector would render any such legislation obsolete within a year is proving prescient.

Since the widespread introduction of CCTV in the Public Sector in the late 1990s a number of competing issues have been brought to my attention on matters that directly impact on its usage.

Self-Regulation

The industry largely filled the vacuum created by lack of regulation and sought to support themselves through such groups as CCTV User Group, Public CCTV Managers Association and CCTV National Standards Forum.
Many Codes of Practice emerged from these groups; however, the resounding message I receive from across England and Wales is that greater consistency is required. A more focused direction as to how organisations can comply with regulation is required.

The Information Commissioner’s Office developed a role in providing advice and guidance on the product of CCTV (being ‘data’) and supporting the end users and industry in understanding its obligations in maintaining and managing that data. Documents advising on Privacy Impact Assessments and small business obligations provided much needed guidance and support. However, whilst I am seeing in Local Authorities some compliance to PoFA in relation to principal public space CCTV schemes, emerging evidence points to a much broader use of CCTV outside of its principal schemes (within waste, recreation, housing and so on). Emerging anecdotal evidence to date suggests compliance to PoFA and DPA is less rigorous than in principal public CCTV schemes.

In my time in Office I have been struck by the call for greater leadership from various stakeholders – manufacturers, designers, installers and integrators. How can the industry understand required standards of technology? How can an ‘operator/controller’ understand the myriad of complexities in devising, commissioning and procuring public space CCTV systems?

This is a space I have sought to occupy during my tenure and these are issues I seek to address within this review of the PoFA Code. I ran joint workshops with the BSI in November 2014 looking at where operators of CCTV go to get information on the subject. These workshops highlighted that there was no framework for this information; it is confused and often duplicated by similar organisations. A recommendation from the workshops was the creation of a central on-line hub where everything can be corralled.
Working with the BSI we have commissioned some further research to delve into this idea more deeply and this will be available in Spring 2016.

Austerity

I refer at length to this issue in my Annual Report (2014/2015). Its direct impact for this review centres upon the requirement for Local Authorities to update ageing equipment or to seek alternative ways of delivering the same objectives. An active debate upon the value of CCTV is playing out across England and Wales. An absence of empirical evidence that supports or justifies its use is often cited by those against developing new systems. However, significant political pressure is applied locally in response to even greater calls for the use and installation of CCTV to address new and emerging issues.

Austerity may also mean new technologies such as automatic facial recognition or algorithms that can predict behaviour cannot be utilised on Local Authority cameras as, for the most part, they are ageing and are not of the right specification or capability to support new technology.

However, in light of the current austerity measures I am seeing new and innovative ways to collaborate amongst key stakeholders. There are cities and towns such as Bristol, Rugby and Glasgow where a number of organisations such as Local Authorities, the police and local businesses have combined forces to run the town centre CCTV scheme and other services. In Cumbria the Police and Crime Commissioner has funded six town centre schemes with feeds going back to the police headquarters.

My call for greater collaboration in the aforementioned Annual Report is also showing signs of success. I have recently been approached by the Police and Crime Commissioner of South Wales to discuss such an approach across South Wales. I have written to Ministers at the Department of Communities and Local Government about greater collaboration.
So far they have declined to help provide leadership to ensure CCTV provision within Local Authorities is effective, efficient and proportionate. However, I will continue to work with them, and Local Authorities, on this matter. Alignment of costs, function and economy of scale will enable development of modern, well-managed and compliant systems thereby raising standards and legitimacy of surveillance in the eyes of the public.

Standards

Standards in this area are complex and my Standards Group was put in place to look at how we can simplify the standards framework. It is worth noting that there remains no statutory or legal obstacle to installing a CCTV camera or system and it is open to anyone to do so provided they meet the requirements of the DPA.

The introduction of the PoFA Code places an additional burden on Relevant Authorities to ‘have due regard to the Code’. Relevant Authorities are defined as all police forces within England and Wales, National Crime Agency, Local Authorities, non-designated police forces and Police and Crime Commissioners. The Act also encourages the Surveillance Camera Commissioner to encourage non Relevant Authorities to voluntarily adopt the PoFA Code and more recently an EU judgment (Rynes) now means domestic users of CCTV fall under the jurisdiction of the DPA.

Despite this strengthening of the regulatory landscape, if the BSIA study is accurate (that there exists between 4m and 6m surveillance cameras in the United Kingdom) it is generally recognised that those cameras operated by Relevant Authorities represent a slim proportion of that number – many commentators suggesting at most five per cent of the total. In addition to this in the past 18 months we have seen many police forces roll out Body Worn Video and it is also being used by other organisations such as door supervisors, traffic wardens and so on.
It became clear at every workshop, conference and seminar that there was a requirement for even greater clarity regarding standards and what compliance should look like. I have published on my website the current standards framework. These standards represent the current suite of British Standards. What I feel is lacking is any process or element of guidance to prospective or current system operators as to how and why they should move to compliance.

I was shocked to discover, through engagement with two UKAS accredited certification bodies National Security Industry (NSI) and Security Systems and Alarms Inspection Board (SSAIB), that only two per cent of Local Authorities achieve the rigours inherent within the most relevant British Standard, namely BS7958, the management and operation of CCTV. Other highly relevant British Standards i.e. BS EN 62676 1-4 series (standards and quality of surveillance systems themselves) are equally under-utilised.

I was delighted that BSI introduced a refreshed BS7958 earlier this year that focused on the requirements of the 12 Guiding Principles of the PoFA Code. This has served to raise the profile of the PoFA Code across England and Wales – although, for the reasons mentioned above, I am not optimistic this alone will drive up standards.

More worryingly it has become clear during the course of the review that whilst Local Authority CCTV control rooms, generally, seek compliance with both DPA and the PoFA Code, there are many systems operating outside the purview of skilled CCTV managers within Local Authorities. Essentially the skills built up by these managers in complying with DPA and the PoFA Code are not necessarily utilised across the breadth of Local Authority surveillance camera systems.
A comment at one of my roundtables was that:

‘There should be a lead person in each Local Authority at Assistant Director level who oversees CCTV’

I have worked with some larger metropolitan authorities throughout this period and recognised the appointment of a Senior Responsible Officer within a Local Authority will provide some rigour to the management of the emerging use of surveillance technology – particularly the increasing usage of body worn videos and unmanned aerial vehicles.

Recommendation One
The Code to specify that Local Authorities appoint a Senior Responsible Officer/Single Point of Contact, at a senior level, to oversee surveillance capabilities across the entirety of the authority. This is in line with the requirements of the current Codes of Practice for directed surveillance under RIPA and RIP(S)A.

British Standards are not mandatory for public space CCTV and many CCTV Control Room operators argue that the inherent cost of adhering to the suite is prohibitive. Extrapolate this figure across all 433 principal Local Authorities per annum and that makes a persuasive argument. Indeed, extrapolate across the 600 (approx.) Town and Parish Councils that operate CCTV (who are also Relevant Authorities under PoFA) it is clear that a sensible and pragmatic approach needs to be taken.

Government argues that the PoFA Code will represent a light touch and incremental approach to raise standards across public space surveillance. I have considered all issues through this prism.

In November 2014 I introduced a simple Self Assessment Tool (SAT) that enables System Operators to assess their own performance against the PoFA Code. It includes a simple action plan that enables managers to ensure continued compliance and I have encouraged Relevant Authorities, particularly Local Authorities, to publicise this SAT on their website. This alone will provide an outwards demonstration that a Relevant Authority is paying due regard to the PoFA Code.
I am currently engaging in a comprehensive and exhaustive communication strategy with all principal Local Authorities further encouraging them to demonstrate compliance by publicising this SAT. I have been clear that I do not expect wholesale changes to systems or inordinate costs being attributed to these areas during a time of austerity. However, most measures are cost neutral – publicising a completed SAT on a website, conducting an Annual Review of the system, ensuring a Privacy Impact Assessment is conducted – there should be the skill set within Local Authorities to conduct this work without considering added costs of consultants.

I intend to publish known figures within my 2015/2016 Annual Report to Parliament. I believe this is exactly the type of soft lever of power the government considered prior to passing the Act.

Recommendation Two
Government to require all Relevant Authorities to publish their surveillance camera coverage in terms of its systems, numbers, completed privacy impact assessments, self assessments, industry certification and outcomes of annual reviews (highlighting efficiency and effectiveness of the system). This promotes the government’s transparency agenda to the public and encourages take up of Surveillance Camera Commissioner toolkits and other compliance measures developed to raise standards. This shall be mandated by an additional section to the Code and Protection of Freedoms Act (PoFA 2012) to ensure Relevant Authorities are transparent in showing full compliance when operating public space CCTV systems.

Recommendation Three
Impact of Recommendation 2 to be monitored for compliance. Should compliance be unsatisfactory then Government to consider giving the Surveillance Camera Commissioner limited enforcement sanction powers to issue 90-day transparency notices to Relevant Authorities who fail to demonstrate that they operate systems to the required standards, or publish the required information for the public.
Failure to do so will incur sanction penalty of independent inspection of the system by accredited inspectorates at the authority’s cost and any rectification defects found and results published.

Outside of Local Authorities there have been calls for police forces to more routinely share information on the use of ANPR – not locations of cameras but numbers and outcomes. As Body Worn Video and Unmanned Aerial Vehicles become more widely used by forces I would expect that transparency around their use is commonplace.

Principle two of the PoFA Code discusses transparency regarding the use of surveillance systems. I have received several observations that governance surrounding police use of ANPR is opaque. How can the public understand the infrastructure and policy making process underpinning this system? Indeed, one contributor forwarded me a Freedom of Information (FoI) response requesting policy documents relating to the governance of ANPR from the National College of Policing. He was advised that no such documents existed. This undermines public confidence in the system and needs to be addressed as a matter of urgency.

Recommendation Four
Police to publicise governance arrangements for ANPR infrastructure including who ‘owns’ the system, how policy is formulated around its usage and ensure widespread communication of its value across England and Wales by police forces.

Throughout this consultation I have been repeatedly asked by both public and private sector operators why no formal third party certification has been developed to recognise those organisations that have achieved a recognised standard of compliance. I am delighted to report that on 10 November 2015 I launched such a certification process overseen by National Security Inspectorate and Security Systems and Alarms Inspection Board. I have geared this Certificate to represent a significant cost saving compared to annual accreditation to BS7958 (circa 70 per cent cheaper).
It is a two-stage process geared towards the 12 Guiding Principles in the PoFA Code and I aim for it to become the recognisable standard for all Relevant Authorities operating surveillance cameras in a public space. I am delighted to report that a number of Local Authorities have applied for accreditation and I will be pursuing this course throughout 2016. I have also received expressions of interest from other authorities.

The final stage of laying strong foundations for ensuring all Relevant Authorities adhere to the PoFA Code rests with a concept known as ‘Operational Requirement’ (OR). A recent report by Big Brother Watch has shown a 46.6% decrease in funding spent on the installation, maintaining and monitoring of CCTV by Local Authorities since 2012 – from £515m to approximately £277m. Despite the reduction in spending highlighted in the report I am certain that new and advancing technologies will see further investment by local authorities to deliver new and exciting capabilities; from smart cities to smarter surveillance, the use of video analytics and algorithms to help protect its citizens from crime, support the night time economy and ensure free passage of traffic in our cities and towns. The sums of money involved are massive and it’s important that those charged with delivering this service get it right – the OR will help to achieve this meaning public money is not wasted on ineffective systems.

Several such documents have been produced over recent years by the organisation formerly known as Home Office Scientific Development Branch and now recognised as Home Office Centre for Applied Science and Technology. These Operational Requirements were primarily utilised as advisory documents for organisations wishing to develop a new CCTV system. General feedback received throughout this review felt that this OR needs to be developed into a process and guidance manual – akin to a ‘Passport to Compliance’.
The ownership needs to be clearly centred in the hands of the system owners. The technical jargon needs to be weeded out to enable procurement within given organisations to properly hold suppliers to account. A criticism received throughout this review has been the lack of support and direction to those 10 prospective system owners – the cumulative effect has been a gross waste of monies (often taxpayers). I intend to utilise the PoFA Code and further develop the current OR into such a manual. Easy to use, clear about standards and hold consultants and suppliers to account for the requirements within the document. The approach will be systemised and simple to follow. Adherence to this approach at outset will vouchsafe any organisation is following and paying regard to the PoFA Code. It will be measurable against the 12 Guiding Principles and will lend itself to supporting further applications for certification. The idea of an OR, even a mandatory OR, was discussed at length during this review and in the main was seen as something positive: It would mean public space systems would have to meet a minimum standard – that is a good thing. Recommendation Five Government should identify measures to encourage use of a ‘Passport to Compliance’ (Operational Requirement & system certification) across Relevant Authorities. Its transparent use will save taxpayers money and raise standards. This will be achieved by mandating in the PoFA Code (or PoFA 2012) full compliance to recommendation 2 and the public (and civil liberty groups) will self-police and identify non-compliance that can be reported to the Surveillance Camera Commissioner. Scope of the Code A consistent refrain throughout the review has been a challenge to the limited scope of those authorities classed as ‘Relevant Authorities’. The arguments presented to me are as follows; • Any organisation that is in receipt of public monies or is in any way publicly funded, ought to be a Relevant Authority. 
• Any organisation having obligations under the Human Rights Act should be a Relevant Authority.
• Any authority having capabilities under Regulation of Investigatory Powers Act (e.g. NHS) ought to be a Relevant Authority.
• Any Government Department ought to be a Relevant Authority.
• Any organisation ‘walking in the shoes’ of a Local Authority but is not classified as such (e.g. Residential Social Landlords or Transport for London) ought to be a Relevant Authority.

Each of the above statements is persuasive in its own right. Indeed many people I have spoken to cannot account for how or why certain bodies in receipt of public funding, e.g. Educational Academies, fall outside the requirement given the heightened capacity for infringement of freedoms.

I engaged with NHS Protect which acts as the security umbrella organisation for those elements within the NHS who will operate public space surveillance. Disappointingly, out of 600 organisations approached, only two completed the self-assessment tool and expressed a desire to demonstrate compliance with the PoFA Code. This is not good enough (given their adherence to DPA may also be questionable).

I was delighted to be advised that the Minister for Policing, Crime and Criminal Justice and Victims has recently written to Cabinet colleagues asking them to comply with the PoFA Code. Reference was made to criticism in my Annual Report (2014/2015) that it was incongruous that Government Departments were not voluntarily adopting the PoFA Code given my statutory responsibility to promulgate the PoFA Code outside the Relevant Authorities.

Much has been achieved in my short term in Office. A process to enable organisations to self-assess combined with a certification process that enables outward recognition of inward success.
Utilisation of soft levers of influence is key to my strategy – the Office of Surveillance Commissioners (OSC) and Her Majesty’s Inspectorate of Constabulary (HMIC) are engaged in supporting my effort to raise awareness of the PoFA Code by including it in their inspection mechanisms. A strategy to understand compliance amongst the current Relevant Authorities will come to fruition in the next reporting year. Publicising those authorities that have demonstrated compliance will enable me to apply greater focus on those who have not. The success or otherwise of the self-assessment tool and certification process will be better known and understood.

As I said at the start of this section virtually everyone I spoke to said that expanding the scope of the PoFA Code must be explored:

Any organisation that performs a public function should have regard to the Code. It’s too narrow and should cover any CCTV that monitors public space. It’s too narrow but it’s easier to work with a smaller group such as the public sector – get that right then branch out – use a staged approach to widening the scope. Should expand the list of Relevant Authorities so long as it doesn’t have an adverse effect on business.

The survey I ran (comprising around 500 respondents and involving Advisory Council and Standards Group) also pointed at widening the scope of the Code with almost 90% of respondents agreeing the scope of the PoFA Code should be all public sector organisations. My recommendation below follows from the commitments given by ministers during the passage of the bill that an expansion of the list of Relevant Authorities would be an iterative process.

Recommendation Six

The scope of Relevant Authorities within PoFA is expanded to cover all public bodies in receipt of public monies or publicly funded in any way. The Act should apply to any authority using overt surveillance in public space that has obligations under the Human Rights legislation and/or capabilities under RIPA.
Voluntary Adoption of the Code

I have discussed the potential inclusion of organisations in receipt of public funding into the Relevant Authority bracket. Now I turn to those organisations who I will encourage to adopt the Code.

Engagement with 1000 businesses in Manchester (through Cityco) revealed a mismatch between the obligations of small private business and publicly funded Local Authorities. Take up of the PoFA Code was disappointing and I am reviewing our approach to small business to see if we can simplify and highlight the cost benefits to such organisations.

Universities have proved more fertile. Aston University has successfully adopted the PoFA Code and received certification, as has Salford University. Further work is underway with Association of University Chief Security Officers to further develop this approach with the many Universities within that group.

Engagement with the British Banking Association has taken the form of webinars and seminars with a view to persuading the bigger institutions to adopt the PoFA Code. At this stage I report interest but no voluntary adopters. I am also engaging with the insurance industry to seek additional ways to provide incentives for voluntary adoption.

Transport for London (TfL) have voluntarily adopted the PoFA Code. This is a large organisation with thousands of surveillance cameras across its vast network. I am working closely with them to take each of their systems through my self-assessment tool and longer term, aspire to achieve certification against the PoFA Code. I have been impressed with the commitment of TfL management to voluntarily adopt and ensure its standards are compliant with the PoFA Code.

Whilst it is early days – I feel the encouragement within the PoFA Code to encourage voluntary adoption is worthwhile. The advent of the refreshed OR (Passport to Compliance), self-assessment tool and Certification will provide cost benefits to any organisation in terms of efficiency and effectiveness.
I remain confident that there remain many opportunities to promulgate the PoFA Code amongst these groups. More importantly, going forward, I will be in a position to provide Ministers with empirical evidence regarding take up of the PoFA Code through certification. I believe there is scope with support of relevant government departments such as DCLG and BIS to seek options to incentivise organisations to voluntarily adopt the PoFA Code – I am willing to work with government to achieve this.

Recommendation Seven

The Government should consider ways to incentivise such organisations with a significant ‘surveillance camera footprint’ to voluntarily adopt the PoFA Code.

England, Wales and Scotland?

I was approached by Community Safety Glasgow who, prior to the Glasgow Commonwealth Games (2014), invested in a high technology CCTV Operations Room. This organisation requested to apply for the Surveillance Camera Commissioner’s Certificate to validate their systems and processes against the PoFA Code. The review was conducted by SSAIB and I am delighted to report that they were successful.

I have also been invited to address the CRISP (Centre for Research into Surveillance and Privacy) at University of Stirling. Feedback was positive and several attendees queried why the PoFA Code was not applicable in Scotland.

Elsewhere, we have had much interest in the PoFA Code and certification from authorities in Scotland even though they are not covered by the legislation. Extending the scope here could be good for public protection and confidence in Scotland. It could also create greater consistency in regulatory requirements for businesses such as system designers, installers and contractors who may operate across the UK. Whilst extending the scope to Scotland was not an area that was specifically discussed as part of the review the interest there should not be underestimated.
Whilst I recognise that there is no reserved power for Scotland, it is worth considering how the interest from Scotland should be utilised.

Powers

A persistent criticism throughout the consultation period of the Protection of Freedoms Bill and beyond is the fact that, as Surveillance Camera Commissioner, I have no powers of inspection or sanction. This was raised frequently throughout the review: whilst 70% of survey respondents thought the PoFA Code was an effective way of regulating the sector, 80% thought that the Commissioner required enforcement powers. The roundtables also pointed to the need to consider powers of sanction:

There should be sanctions for non-compliance but not necessarily fines – powers of inspection or correction. Although the Commissioner has no powers of sanctions he has other tools to encourage compliance – naming and shaming. The Commissioner needs ‘teeth’.

I recognise the element of dual regulation and overlap with the Information Commissioner (who has helpfully developed a roadmap and memorandum of understanding) to clarify the respective roles and responsibilities.

Throughout my period in Office my team has effectively identified issues relating to the PoFA Code via a trawl of media, social media and industry contacts. These mechanisms have acted as a tripwire enabling me to engage in conversations, visits, reviews and voluntary inspections of relevant authorities. Accordingly we have been able to provide support and advice to those organisations.
A brief résumé of the type of interdiction is as follows:

• Advising Local Authorities around the non-compliance of proposed systems, resulting in the immediate cessation of the activity.
• Advising police that failing to publicise Privacy Impact Assessments fails to comply with guiding principle three of the PoFA Code around transparency.
• Working with professional bodies (National Police Chiefs Council) to develop standards of operating practice for body worn video.
• Informing and advising bodies such as ‘The British Parking Association’ regarding their obligations under the PoFA Code and how to introduce the PoFA Code into their activities.
• Supporting Town Councils in a local authority area to realign their practices to meet all regulatory issues.

The absence of any official powers has not impacted on my role. The ability to use soft levers of power, akin to the HMIC and OSC, is not to be understated. That said, we are still in a period of austerity and so maybe another punitive measure is the wrong approach. I believe that good surveillance systems can bring wider benefits such as assisting in economic regeneration and safer communities. Both of these objectives are a part of government’s wider agenda and the government should ensure that Local Authorities are appropriately rewarded if their town centre/principal scheme is certified against the code because of the wider regenerative benefit it could bring.

Recommendation Eight

Government to consider ways in which Local Authorities are incentivised once they certify their town centre/principal schemes against the PoFA Code.

Emerging Technologies

The legislation and PoFA Code recognise that technology advances rapidly. Indeed in my first week in Office I witnessed emerging automatic facial recognition technology at the Home Office CAST technology event – many commentators were saying its introduction was still some way off.
A year later police were receiving criticism for its use at Download Festival (June 2015) in Leicestershire – and challenges were emerging from civil liberty groups and privacy campaigners. I believe that the PoFA Code is still robust enough in its present format to meet the emerging challenges presented by advancing technology.

There are key developments on the horizon that will challenge the PoFA Code. The emerging concept of ‘Smart Cities’ where street lamps are utilised to convey digital data (including surveillance imagery) is perhaps the most obvious example. How surveillance might change, be operated and shared between partners may require a different perspective.

Increasingly, the challenges are not the camera or what it records or even the quality of the human intervention. With increasingly higher quality cameras on the market, their capability is enhanced. High quality cameras now have in-built algorithms analysing behaviour and identifying individuals via facial recognition or identifying patterns or even claiming to read emotions! In order to do this, they are connected with databases over which there is often little scrutiny paid. This will be a challenge for me to address.

The ‘internet of things’ – a similar concept whereby organisations and databases join up to provide information, analysis and prediction – will provide similar challenges. To support my role I have commissioned a Horizon Scanning capability under the auspices of Professor Lacey at Home Office CAST. However, this modern technology relies on algorithms or biometric capability to enable prediction.

Clarity regarding regulatory responsibility is an emerging issue, for example in automatic facial recognition use by police – which regulator has responsibility – the Biometric Commissioner, the Information Commissioner or Surveillance Camera Commissioner. In this instance the Biometric Commissioner has taken the lead. Future challenges may well be difficult to predict.
Dual Regulation

My final observation from the review, which I have alluded to in the section on Standards, is the impact of dual regulation within the sector. The revised Information Commissioner’s Code of Practice – In the Picture (published 2014) and the PoFA Code (published 2013) – the former has been aligned to fit with the latter. This means if you follow one code you should inherently be following the other. However, there is still some degree of confusion amongst stakeholders and whilst the two offices work closely perhaps there is more to be done to make regulation simpler for end users. This was borne out in the roundtable discussions:

Having two codes does nothing to help it just makes it more complex for people to understand. The Surveillance Camera Commissioner should provide leadership in the sector not the ICO. The ICO Code should be statutory and the Surveillance Camera Code guidance.

I am clear that it is feasible to align the two codes into one document and protect, at the same time, the independence of both Commissioners. The Information Commissioner accepts my role is to provide much needed advice, guidance and leadership across the whole sector. The development of a National Surveillance Camera Strategy will further underline this issue. This strategy will seek to co-ordinate all stakeholders, from manufacturers, installers and designers through to end users with the aim of raising standards and compliance with the PoFA Code. In turn it is clear that the ICO has the responsibility to manage the much broader impact of breaches to DPA, Human Rights legislation and FOI. My aspiration remains to provide all users with a single Code that will harmonise and clarify obligations across the many stakeholders.

Recommendation Nine

Regulators should strive to produce one Code of Practice relating to surveillance camera systems.
Annex A

How and who we consulted

Workshops with:
• British Security Industry Association
• National Security Inspectorate
• CCTV User Groups
• Surveillance Camera Commissioner’s Advisory Council

Private Roundtables and one to one interviews:
• Civil Liberty Groups
• Surveillance Camera Manufacturing
• Surveillance Camera Installers
• Local Authority CCTV operators
• Training Companies
• Data Protection/Privacy Lawyers
• Residential Social Landlords
• Police Forces
• Data Protection Specialists
• Surveillance Camera Consultants
• Government Departments
• Universities
• Academic Researchers
• Private Sector CCTV Operators
• Surveillance Regulators
• National Police Chiefs’ Council leads (CCTV, BWV, ANPR, UAV (drones))
• Advisory Bodies
• Representative bodies and Associations

An online survey – questions at Annex B
Open to members of the public and organisations

Annex B

Online Survey Questions

1. Please indicate what type of respondent you are:
Individual respondent / Responding on behalf of an organisation

2. Please indicate what type of organisation:
Public sector organisation / Private sector organisation

3. Are you aware of the Surveillance Camera Commissioner?
Yes / No

4. Are you aware of the Surveillance Camera Code of Practice?
Yes / No

5. To what extent do you agree or disagree the Surveillance Camera Code of Practice is an effective way of regulating surveillance camera systems?
Strongly agree / Tend to agree / Neither agree nor disagree / Tend to disagree / Strongly disagree / Don’t know

6. To what extent do you agree or disagree that the Commissioner requires enforcement powers?
Strongly agree / Tend to agree / Neither agree nor disagree / Tend to disagree / Strongly disagree / Don’t know

7. What enforcement powers do you think the Commissioner should have? (e.g. fine, enforcement notice)
Open ended question

8. Police Forces and Local Authorities are relevant authorities under the Protection of Freedoms Act 2012. To what extent do you agree or disagree that the code should cover all publicly owned public space CCTV?
Publicly owned public space CCTV – CCTV owned and operated in public spaces by public sector organisations e.g. Government Departments, National Health Service, Transport etc.
Strongly agree / Tend to agree / Neither agree nor disagree / Tend to disagree / Strongly disagree / Don’t know

9. To what extent do you agree or disagree that the Code should cover all privately owned CCTV operating in public space?
Privately owned CCTV is operated in public spaces by private organisations (e.g. shopping centres, sports stadiums, car parks).
Strongly agree / Tend to agree / Neither agree nor disagree / Tend to disagree / Strongly disagree / Don’t know

10. Are you aware of the regulations that cover individuals who install and use CCTV on their homes?
Yes / No

11. To what extent do you agree or disagree that the use of CCTV on homes should be regulated?
Strongly agree / Tend to agree / Neither agree nor disagree / Tend to disagree / Strongly disagree / Don’t know

12. To what extent do you agree or disagree that mandatory minimum standards covering the use of surveillance cameras should be introduced?
The standards could be British Standards which are not currently mandatory, or standards that the Commissioner might want to introduce at a point in the future.
Strongly agree / Tend to agree / Neither agree nor disagree / Tend to disagree / Strongly disagree / Don’t know

13. To what extent do you agree or disagree that installers and manufacturers of surveillance cameras should be regulated?
Strongly agree / Tend to agree / Neither agree nor disagree / Tend to disagree / Strongly disagree / Don’t know

14. If you have any comments, please write them in the box below:
Open ended question