|
Gambling firms risk falling foul of the Data Protection
Act because they radically underestimate their responsibilities
when they use CCTV security systems, according to a leading UK
technology law expert. Jimmy Desai, a partner at Blake Lapthorn,
said many companies using CCTV face specific requirements to
conform to the law.
The issue is significant for many gaming firms who use CCTV
either for direct security reasons, such as High Street bookmakers,
or in order to prevent cheating and reassure customers, such as in
casinos and poker clubs.
The Information Commissioner has this year issued a revised CCTV
Code of Practice to help firms conform to the Data Protection Act.
But Mr Desai believes many firms do not understand their legal
obligations and warns that companies which fail to comply could be
criminally responsible along with their directors.
“I think a lot of firms do not fully understand the CCTV code,”
said Mr Desai.
“A lot of firms use CCTV because it is just one of the things
they do. A lot of organisations do not understand they are under
obligation to use the data in a protected way."
“Anyone who is operating CCTV - because it is dealing with
personal data - falls under data protection requirements,” he
said.
“The question is if someone is running CCTV, and that is
personal data, then what should they be doing?
“Gaming firms need to be aware of the rules. In terms of
casinos, many have not cottoned on to the rules. I have not really
seen anyone refer to the Data Protection Act.”
Mr Desai said using CCTV raised many issues that often were not
fully considered.
These included:
- how long should CCTV images be held for?
- can gaming firms use images for commercial purposes or even
sell images or information on to others?
- what should be told to people coming into a CCTV monitored
enclosure?
- how secure should CCTV images be?
Although in many cases specific circumstances will determine
where firms use of CCTV falls in relation to the Data Protection
Act, the code is clear that use of CCTV should be justifiable and
that it should be used “responsibly and with effective
safeguards”.
“Maintaining public trust and confidence in its use is essential
if its benefits are to be realised and its use is not to become
increasingly viewed with suspicion as part of a surveillance
society,” said Information Commissioner Richard Thomas.
Mr Desai said that if firms were compliant with the CCTV code
they could expect to be compliant with the Data Protection Act.
Some of the main areas of regulation are clear from the
code:
Informing customers and staff they may be monitored
Mr Desai says: “Generally the code says that if people are in
enclosures where CCTV is used there have to be notices at the doors
so there is an implied consent. There should be signs and one of
the areas that applies to the code is staff monitoring.
“A lot of organisations might use CCTV to monitor staff and make
sure money transactions are right. If a member of staff is not told
they are being monitored they would be able to say the firm is
breaching the Data Protection Act.”
Keeping information
The code does not give a minimum or maximum length of time that
images should be kept for. Instead it suggests data is kept for as
long as is reasonably needed in the specific circumstances.
However, the stress in the code is that this should not be “longer
than is strictly necessary”.
Dealing with requests for information
Individuals whose images are recorded have a right to view
images of themselves and be provided with a copy of the images.
This must be provided within 40 calendar days of receiving a
request with a maximum fee of £10.
However, this is not as straightforward as it may at first
appear. Firms must also consider if images of third parties are
also shown with the images of the person who has made the access
request and whether they need to obscure the images of third
parties. The code says that if providing these images would involve
an unfair intrusion into the privacy of the third party, or cause
unwarranted harm or distress, then they should be obscured.
Failing to provide an image could lead to a complaint to the
Information Commissioner.
Disclosure of images
The code suggests that passing on information to a law
enforcement agency for the prevention or detection of crime is
acceptable. However, passing it on to the media or publishing it on
the internet for entertainment purposes would not be. One area that
particularly could affect gaming firms is using CCTV images of
people who have not committed a crime but are suspected of “sharp”
practice or are consistent winners who a firm does not want to
serve anymore.
One of the underlying key issues of the code is that firms need
to be in control of their CCTV use. This includes reviewing its
continued use, who is responsible for the system in the firm and
how the public are dealt with in relation to CCTV.
Mr Desai said: “CCTV is pretty important from lots of angles –
you would expect people to be really up to date with it. But I am
not sure if people generally are aware of it or that people realise
CCTV falls under the area of data protection.”
16 March 2008
Dan Townend (Gamblingcompliance Ltd)
http://www.gamblingcompliance.com/node/13248
|