Speech given at Association of University Chief Security Officers' annual conference

30 Apr 2015 01:37 PM

The speech was about the use of surveillance cameras by Universities and Colleges and the benefits of adopting the Surveillance Camera Code of Practice.

Many thanks to the Association of University Chief Security Officers for asking me to speak today.

My team and I have been working closely with Association for the past six months looking at how we can encourage voluntary adoption of the Surveillance Camera Code of Practice amongst its members. Adoption of the code by Universities and Colleges is something your Executive Committee and I have committed to.

Whilst I’ve met some of you personally and others may have joined in our webinar back in November it’s good to see you all in person and I hope this is a partnership that can flourish.

Before I go into how we’re working with the Association and why they’ve invited me to speak I think it’s worth giving some brief background on my role, especially for anyone thinking – who’s he?!

I’ve been in this role for just over a year and it was created under the Protection of Freedoms Act 2012. I’m entrusted to ensure that surveillance camera systems are used to support and protect communities – not spy on them.

To help me do there is the Surveillance Camera Code of Practice containing 12 guiding principles which, if followed, will mean cameras are only ever used proportionately, transparently and effectively. I’m required to:

I terms of my own background I was a police officer for 30 years starting as a Bobby on the beat in Stockport and ending my career as co-ordinating national counter terrorism for the 2012 Olympics in London. Directly before I was appointed to this role I worked at Barclays Bank as Head of Physical Security for 18 months.

So I have first-hand experience of how technology, such as surveillance cameras, is used in both the private and public sector. How images captured by these devices can be used as evidence and lead to prosecutions. How they do protect communities.

Surveillance in Universities/Colleges

For many young people going to University or College is their first experience of living away from home. For new students it’s probably an exciting, lively and liberating time where they are free from the shackles of their parents and home. For their parents it’s probably worrying, daunting and perhaps also liberating!?

Dare I say it but perhaps these youngsters minds might be on what’s going on at the student union rather than what they are studying for the first few weeks – or months…

I doubt many freshers give much thought to their safety or who’s looking after them. Do they securely lock their laptops, smart phones and tablets away? Are their doors and windows secure, is the campus safe and who can they call in an emergency?

These sorts of things probably aren’t on their minds, or the minds of many students, until something happens that affects that. However, as a parent of a daughter who went to University in September, away from home for the first time, her safety is at that forefront of my mind and will continue to be for the duration of her course.

And I’m sure it’s the same for hundreds of thousands of other parents whose children are living away from home for the first time. Perhaps even more so for the parents of overseas students? They want to know campuses are secure and safe from potential threats. Could a perceived safer University or College see a greater influx of overseas students which may correlate to more funding?

If Universities are to achieve a ‘gold-standard’ and attract more funding then surely the safety of its students must be a key factor for any institution. And it must be a key factor for you and your teams as security officers.

A well thought out and designed CCTV system can be an excellent weapon in the armoury of a University to show that student safety is of real importance to them.

At the same time there are privacy issues to consider. Over the last five to ten years we’ve seen an ever increasing interest in surveillance. We’ve seen the fall out from Snowden, the concerns about the data Google capture when we use their search engine and the Smart TVs record everything in its owner’s home. This interest in surveillance has seen groups such as Big Brother Watch and NO CCTV emerge. So, surveillance is at the forefront of a lot of people’s minds – that includes CCTV – and in this country we have installed almost six million cameras. So, whilst CCTV can be the silent guardian that protects your campuses it can not be at the price of a person’s right to privacy.

Due regard

As I have mentioned the Surveillance Camera Code of Practice was published by the Home Office in 2013.

Relevant authorities such as the police and local councils must pay due regard to the code. For everyone else adoption is voluntary. For Universities and College adoption is voluntary – for now.

I said earlier one of my objectives is to review the operation of the code and report back to the Home Secretary. How is it working? Is it working? What works well and what needs to change? I will be submitting that review in the autumn.

One area I will definitely exploring is the reach of the code. Should other organisations have to ‘pay due regard’ to the code, who must comply with it. This was one area of fervent debate when the Government consulted on the code in 2013 – Government opted for an incremental self-regulated approach.

This means the code only covers around five per cent of cameras. But what about all the other places that the public have access – Universities, Football Stadiums and shopping malls but to name a few. All places that a member of the public would probably consider as public space. When someone walks from a street monitored by Local Authority CCTV in to a University Campus monitored by you do they consider themselves to still be in a public space – I would hazard a guess that they do. So, why must one organisation comply with the code whereas it’s voluntary for the other?

Should anyone operating CCTV that monitors public space have to comply with the code? Would they have to do much more than they are already doing such as comply with the data protection act. There could be a point in the near future that your organisations are deemed ‘relevant authorities’ and must pay due regard to the code. So, it could be in your interests to consider adopting the code now.

Code of Practice

It enables the public and communities to hold users of surveillance camera systems to account. To make sure they are being used for their intended purpose and that they don’t impinge on an individual’s right to privacy.

This can be summed up quite succinctly in the term ‘surveillance by consent’ which is explained in the code. It means the public consent to being observed where there is a pressing need and it is in their best interests. But this consent is fragile and there needs to be consultation about how, where and why cameras are deployed.

So, maintaining public confidence in the people your cameras are protecting is an incentive for complying with the code. It can wane very quickly if your communities begin to think they are being looked at rather than looked after.

I think it’s worth pausing here to say that the code applies to all types of public space surveillance – CCTV, ANPR, Drones and Body Worn Video. The last of these is proliferating at a rate of knots and I’m not always convinced how well it is being managed.

For example in Local Authorities you have various departments such as parking, environmental and even libraries buying this equipment for their staff to use but with no oversight. Are they code compliant – I’m not sure? I know that lots of Local Authority public space CCTV is but I can’t say the same for Body Worn Video and if it spreads like this it becomes difficult to monitor – no pun intended.

I’m also aware that more Universities are buying this kit for their security officers so I think it is important to remember they are surveillance devices. So, they should fall in line with the same policies and practices that you use for CCTV. They should be code compliant if you’ve adopted it.

Guiding Principles

The 12 guiding principles in the code will help you identify why you need CCTV in the first place, is it the best solution to meet your pressing need or could something else such as better lighting solve the problem.

They will make you think about consulting the people that are monitored by the system and about their privacy as well as carrying out annual privacy impact assessments and publishing these – it’s about transparency.

Signage is also key to a well run system. The public must be made aware of whenever they are being monitored by a surveillance camera system. This signage must also include a point of contact for a member of the public for raise a query or compliant. Are you confident that your systems are well signposted?

You must have strong governance arrangements in place. Who is responsible for the operation and the development of the system? For a University is it the Chief Security Officer?

And what about the data your system captures? Some of this falls into the domain of the Information Commissioner who I have a memorandum of understanding with. They also recently updated their code of practice so it follows what is in mine. It complements it so if you follow one you should, in theory, also be complying with the other.

It goes without saying that you shouldn’t store images on your system for longer than is necessary. I know that there has been some debate amongst your members about this.

There is no set retention period as it may vary from system to system. For CCTV most of the systems I’ve see automatically delete data after 31 days unless it has been pulled out for use as evidence. For Body Worn Video this could be different and again different for ANPR. It is for you to satisfy yourself that your retention of data is proportionate and deleted when no longer needed. But as a rule of thumb I’d suggest 31 days unless the images are being retained as evidence.

Access and disclosure of images and data is also incredibly important. Who is able to access the images your system records? Does your system record an audit trail of who has reviewed or downloaded footage?

Can you pixelate or mask out individuals to protect their privacy. Individuals can make a subject access request to view footage that they are in – perhaps following a RTA – but the system operator has the discretion to refuse access to information unless there is an overriding legal obligation.

The code also talks about standards and I have a Standards Board whose role it is to demystify the standards framework which is horribly complex.

I completely get that if you’re looking for information on standards it can be bewildering. As a first step I have published a list of relevant British and International Standards on my website – here you will find information on the standards and links to the BSI site where you can purchase them. There is currently a discount if you go through my site to buy them!

Security is also of paramount importance – you need a system in place that is secure, so no one can compromise it or the data that is stored. How do you make sure only authorised people can use the system? Is it password protected? Can you see who’s accessed the system and when? If you’re using wireless networks what do you have in place to maintain the integrity of the connection to ensure it can’t be lost or hacked?

And do you evaluate the performance of your system to make sure it is still effective. I’ve heard stories of a camera put up in the winter but by the summer it’s useless as its view is now obscured by a tree!

Systems should be reviewed regularly, at least annually. This is to make sure that cameras and systems remain necessary and justified. This will ensure that the system is being used for its intended purpose as well as help you see if you can decommission any cameras or actually need to increase coverage. As good practice the outcome of the review could be published.

Does your system support law enforcement and provide data that is of evidential value? Are the police easily able to export data from your system that can be used as evidence in court? Can your system time and date stamp the images that are downloaded? Is the quality good? It’s essential that any digital images that are likely to be shared with law enforcement agencies are in a format that can be exported, stored and analysed without any lose to ‘forensic integrity’.

Why adopt the code?

So, why would you want to voluntarily adopt the code? You may be thinking to yourself ‘there are quite a lot of things I need to comply with!’

I think if you have a good system in place you will probably be meeting most of the principles. I mentioned at the start of this speech that security is now becoming factor in deciding where a student will go to study. Particularly from a parents point of view even more so if it is a student coming from the UK from overseas.

By adopting the code it visibly enables you to show prospective students and their parents that you use CCTV in a transparent, proportionate and ethical way. It shows that you are serious about security in your campuses whilst also factoring in students’ right to privacy and their human rights.

It can help you to ensure that your systems are running effectively – regular reviews will help you identify ineffective cameras or where you may need to deploy additional cameras.

It will instil confidence in those being protected that it is being done proportionately. That any data captured is done securely and only viewed by designated operators.

Adoption of the code will enable you to be transparent with the public about the use of cameras and we encourage anyone adopting the code to publicise the fact.

Furthermore, just because you aren’t a relevant authority who must pay due regard to the code now doesn’t mean you won’t be in the future.

Self Assessment

I fully appreciated that adoption of the code is something that you will have to think about and each of you will have different reasons for adoption. Each of you may also not currently know where you are in terms of meeting the principles in the code.

To help organisations see where they are in relation to compliance we’ve launched easy to use self assessment tool. It’s an interactive PDF document that can be downloaded from my site on GOV.UK saved and completed.

The tool has been developed in partnership with certification bodies – the SSAIB and NSI – and tested thoroughly with CCTV managers and operators.

As I just said it will enable organisations to show how closely they comply with the principles in the code as well has help them identify where they may need to make adjustments. It will help them draw up an action plan to set out what they may need to do where they are falling short. I would not expect this to be War and Peace! There is a limit to how much text can be typed into the document.

The tool could be a great way to have internal discussions about meeting the principles. But more than that I want organisations to publish their self assessment once completed - publish it on your websites.

This will show that you are serious about being transparent and open. That you are serious about their privacy. That you are serious about using CCTV responsibly.

The tool has been developed for you. You don’t have to send us completed assessments back – my small team wouldn’t be able to cope! But we do welcome feedback on the tool. How was it to complete? Did you understand the questions? Can we make it easier for you?

What next

So, please complete the self assessment tool and publish it if that’s something that you want to do. Start to look at our code and see where you can incorporate parts into your own polices and codes where it’s appropriate.

If you are complying with the code publicise it! We are keen to carry out case studies with organisations who are adopting the code so if you are one get in touch with us. I want to continue this partnership with AUCSO, with you and your colleagues. I was recently told that Universities and Colleges are like small towns and villages. You play a crucial role in keeping the inhabitants safe and protecting them whilst at the same time ensuring their human rights and privacy remain in tact.