As advocates of operating our CCTV systems responsibly, and maintaining correct compliance, we spotted that Professor Fraser Sampson, the Biometrics & Surveillance Camera Commissioner (BSCC), is to step down at the end of October. This is ahead of the abolition of his post and the Surveillance Camera Code of Practice.
The BSCC wrote to the Home Secretary, Suella Braverman, tendering his resignation earlier this month. Originally, he had planned to stay on until the Data Protection and Digital Information Bill, which abolished his role, had passed through Parliament and attained Royal Assent.
However, Fraser Sampson had already told officials he would be out of the country for a substantial period towards the end of 2023 for personal reasons. With the Bill now not expected to become law until spring 2024 he said he would not be able to fulfil the functions of the BSCC role beyond 1st November and therefore tendered his resignation.
Data Protection and Digital Information Bill: Aiming to remove complexity
The Data Protection and Digital Information (No.2) Bill was introduced to the House of Commons in March by Michelle Donelan, Secretary of State for Science, Innovation and Technology, and it had its second reading debate in April.
This replaced an earlier version of the Bill introduced by Nadine Dorries in July 2022 when she was Secretary of Department for Digital, Culture, Media & Sport, which was subsequently withdrawn. This followed the changes of Prime Ministers from Boris Johnson, to Liz Truss and subsequently Rishi Sunak last year, and a change in department remits.
In March Michelle Donelan stated: “This new Bill is being introduced following a detailed co-design process with industry, business, privacy and consumer groups to determine how we could improve the Bill further.”
The Government said it will reduce compliance costs and burdens on business in the way they process data but will continue to maintain high data protection standards and protect the privacy of individuals. It stated that “the current oversight arrangements for police use of biometrics and surveillance cameras to help identify and eliminate suspects are complex and confusing for the police (as controllers) and the wider public.”
Changes in governance of data protection rules
The Bill transfers functions of the Biometrics Commissioner to the Investigatory Powers Commissioner. Meanwhile the government stated that under the Data Protection Act (DPA) 2018, the Information Commissioner provided independent oversight of all controllers’ use of all personal data, which included the use of biometrics and surveillance cameras and had extensive regulatory powers. Therefore, the government suggests that while the Surveillance Camera Commissioner position and the Surveillance Camera Code of Practice would be abolished, the overview of CCTV use would continue through data protection regulation.
Fraser Sampson, previously argued when responding to government consultation held in the run up to the Bill in 2021, that his role goes far beyond data protection, and related to achieving public trust for surveillance by bodies like the police. These include ethical concerns about a technology like facial recognition and the use of CCTV in ways that could violate human rights. For example, the BSCC has been calling for public bodies to consider where they procure their CCTV from after ethical concerns about Chinese manufacturers.
Under the Bill the Information Commissioner’s Office (ICO) is to be abolished and will be replaced by an Information Commission, with a board and chief executive. The current, Information Commissioner John Edwards, would become chair of the board. Separately there are amendments to the UK General Data Protection Regulation (UK GDPR) and the DPA 2018, including provisions to minimise differences across the GDPR and the law enforcement processing regimes as some public bodies may need to process data under both. The changes are aimed to remove burdens from organisations where the government could see little value in the requirements.
Professor Fraser Sampson noted previously in his consultation response that while regulators like the ICO have enforcement powers they rarely used them in respect of surveillance compliance. He stated: “IPVM recently found that, over the first three years of the GDPR being in place, the ICO had issued zero surveillance fines, in common with the majority of national data regulators, while only one country’s data regulator – Spain – had imposed more than seven GDPR video surveillance fines over that three-year period”
Look out for the Bill becoming law
The Bill is currently at its Report Stage in Parliament and will be undergoing further scrutiny in the Lords once Parliament returns in the autumn. This may mean there are further changes made to the Bill.
We have produced a number of blogs and videos covering data protection compliance including on specifying the purpose of your CCTV, use of redaction, and embedding data protection by design and default. According to legal blogs organisations already compliant with the current UK GDPR will not be forced to make changes to comply with the new Bill.
This means if you are already processing personal data, and meeting your compliance for operating CCTV cameras then you may need to make few changes. For those organisations which adopted the Surveillance Camera Code of Practice they will also be complying with data protection best practice.
If you want support or information as a CCTV operator, take a look out our news page or YouTube channel and we will provide further updates once the legal changes take effect.