Having become totally confused trying to figure out how the U.K.’s Data Protection Act applied to the security and data retention of CCTV surveillance, I wrote to the ICO to ask.
Today I received a response. Here’s the relevant portion of it:
The fifth principle of the Data Protection Act 1998 (the Act) states that: “Personal data kept for any purpose shall not be kept longer than is necessary for that purpose” but it would be impractical for the Act to be able to give specific retention periods for every type of organisation that must comply with the Act and it does not define how long is “necessary.” Therefore the fifth principle means in practice that once it is no longer necessary for a data controller to retain data collected for a particular purpose, they should take the appropriate steps to dispose of it. In order to comply with the Data Protection Act, the organisation must therefore merely have a retention policy in place which allows for a system for the removal of different categories of data from their system after certain periods. It is the position of our office that data controllers themselves should formulate their own retention policies as they alone are best placed to judge how long it is ‘necessary’ for them to hold information. You could therefore ask the organisation for details of their retention policy.
The 7th Principle of the Data Protection Act states that organisations have a duty to take ‘appropriate technical and organisational measures’ to guard against accidental loss, destruction or damage to personal data. Therefore, when deciding what measures to take in relation to the 7th principle, the data controller must take into account the nature of the data and the harm that might result from any failure to comply with this. However, the Data Protection Act does not lay down clear guidelines as to how an organisation should keep secure or process individuals’ personal data, and the Information Commissioner would expect each organisation to make its own assessment of what safeguards are necessary.
Should you have any concerns about the way a particular company has processed CCTV footage which includes your personal data, you should make a complaint to them in the first instance. If you are dissatisfied with their response, you could at that stage make a complaint to our office. In doing so, you would need to fill in one of our complaint forms and include your evidence which demonstrates what you believe the organisation has done wrong plus any correspondence between the company and yourself.
So it’s not that I couldn’t find the specifics. It’s that they’re not codified, and it’s all left to the discretion of the data controller. Nothing particularly unusual in that, as our federal laws also leave it up to the discretion of organizations as to how they secure PII or PHI.
In November 2009, Big Brother Watch submitted FOI requests that included requests for copies of internal guidance if they existed, but I do not see in their report how many organizations actually produced written policies in response to their inquiry and what the policies indicated. Has any UK privacy organization or media actually obtained written policies from councils or organizations about their security protocols or data retention policies? If so, please leave me a link in the Comments section.