Legislation
Intruder Alarm
Installing an inappropriate grade of intruder alarm may lead to insurance cover being refused.
From October 2005, businesses arranging the installation of a new intruder alarm system will have found that they need to comply with new European Standards for alarm design and installation. According to Norwich Union, failure to check with an insurer that the appropriate grade of alarm is being installed may lead to insurance cover being refused or made conditional upon potentially expensive additional work being undertaken.
The European Standards for Intruder and Hold up Alarm Systems (Euro Stds), identify four different grades of alarm based on increasing levels of expected capability and tools available to an intruder. Alarm installers are required to undertake a security risk assessment to help determine the grade that may be appropriate, but as part of this process will usually advise customers to check whether any interested insurer agrees with the grade proposed.
Richard Underwood, specialist security risk adviser at Norwich Union Risk Services said: "It has always been important that insurers are involved in providing advice to businesses on alarm installations, but the difficulty and expense of making alterations to systems installed to the new European Standards make it critical that businesses seek insurer input at an early stage."
"At Norwich Union we usually expect a grade 3 system to be installed in business premises, but we have found that a number of businesses are agreeing to installers suggestions of cheaper grade 2 systems without seeking insurer advice. As it requires replacement of nearly all the alarm components to retrospectively move a grade 2 system to grade 3, failing to seek insurer advice can prove an expensive omission."
"In addition to helping select an appropriate grade of system, at Norwich Union we have a team of Risk Advisers that can provide other useful advice concerning alarm coverage, signalling and response measures. In view of the complexities of modern alarm systems, the advice to businesses must be to always consult your broker or insurer before installing an alarm."
CCTV Systems and the Data Protection Act 1998 (DPA)
Good Practice Note on when the Act applies
- Why is there a need for additional guidance?
- There has been a recent court case which affects whether particular CCTV activities are covered by the DPA. This Guidance Note makes clearer which CCTV activities are covered by the DPA. It is particularly aimed at helping users of basic CCTV systems such as small businesses.
- What CCTV activities are covered by the DPA?
- The court case dealt with when information relates to an individual and is then covered by the DPA1. The court decided that for information to relate to an individual, it had to affect their privacy. To help judge this, the Court decided that two matters were important:
- That a person had to be the focus of the information.
- The information tells you something significant about them.
So, whether you are covered or not will depend on how you use your CCTV system.
- The court case dealt with when information relates to an individual and is then covered by the DPA1. The court decided that for information to relate to an individual, it had to affect their privacy. To help judge this, the Court decided that two matters were important:
- I only use a very basic CCTV system, how am I affected?
- If you have just a basic CCTV system, your use may no longer be covered by the DPA. This depends on what happens in practice. For example, small retailers would not be covered who:
- Only have a couple cameras,
- Can't move them remotely,
- Just record on video tape whatever the cameras pick up, and
- Only give the recorded images to the police to investigate an incident in their shop.
The shopkeepers would need to make sure that they do not use the images for their own purposes such as checking whether a member of staff is doing their job properly, because if they did, then that person would be the focus of attention and they would be trying to learn things about them so the use would then be covered by the DPA2.
- If you have just a basic CCTV system, your use may no longer be covered by the DPA. This depends on what happens in practice. For example, small retailers would not be covered who:
- It sounds like many users of basic CCTV systems are not covered by the DPA, is there an easy way to tell?
- Think about what you are trying to achieve by using CCTV. Is it there for you to learn about individuals' activities for your own business purposes (such as monitoring a member of staff giving concern)? If so, then it will still be covered. However if you can answer 'no' to all the following 3 questions you will not be covered:
- Do you ever operate the cameras remotely in order to zoom in/out or point in different directions to pick up what particular people are doing?
- Do you ever use the images to try to observe someone's behaviour for your own business purposes such as monitoring staff members?
- Do you ever give the recorded images to anyone other than a law enforcement body such as the police?
- Think about what you are trying to achieve by using CCTV. Is it there for you to learn about individuals' activities for your own business purposes (such as monitoring a member of staff giving concern)? If so, then it will still be covered. However if you can answer 'no' to all the following 3 questions you will not be covered:
- How are more sophisticated CCTV systems affected?
- In many CCTV schemes, such as are used in town centres or by large retailers, CCTV systems are more sophisticated. They are used to focus on the activities of particular people either by directing cameras at an individual's activities, looking out for particular individuals or examining recorded CCTV images to find things out about the people in them such as identifying a criminal or a witness or assessing how an employee is performing. These activities will still be covered by the DPA but some of the images they record will no longer be covered. So if only a general scene is recorded without any incident occurring and with no focus on any particular individual's activities, these images are not covered by the DPA. In short, organisations using CCTV for anything other than the most basic of surveillance will have to comply with the DPA but not all their images will be covered in all circumstances. The simple rule of thumb is that you need to decide whether the image you have taken is aimed at learning about a particular person's activities.
- What should I do next?
- If some of your CCTV activities are still covered you still need to comply with the DPA by making sure you have notified the Commissioner, having signs, deciding how long you retain images and making sure your equipment works properly. The Information Commissioner has issued a CCTV Code of Practice3 and this together with a checklist for users of small CCTV systems provides detailed guidance for those using CCTV systems. The only difference is that you will no longer have to give individual's access to those images that are just general scenes neither focusing on a particular individual nor being used to learn information about individuals.
If you are a user of a basic system and are not covered, you do not have to comply with the DPA though you may find the guidance on compliance in the CCTV Code of Practice helpful as this gives good practice advice to help make sure the images are up to the job of preventing and detecting crime. If you have already notified the Information Commissioner of your CCTV activities you will not have to renew this when it is due. Just let us know when you get your renewal reminder.
- If some of your CCTV activities are still covered you still need to comply with the DPA by making sure you have notified the Commissioner, having signs, deciding how long you retain images and making sure your equipment works properly. The Information Commissioner has issued a CCTV Code of Practice3 and this together with a checklist for users of small CCTV systems provides detailed guidance for those using CCTV systems. The only difference is that you will no longer have to give individual's access to those images that are just general scenes neither focusing on a particular individual nor being used to learn information about individuals.
- Will you be issuing further guidance on CCTV?
- The Information Commissioner is already conducting an extensive review of the existing CCTV Code of Practice to make sure it has kept up to date with technological and other developments. This review will also take into account the changes to the interpretation of the DPA covered by this paper. The revised code should be published later in the year.
- Confused?
- Just give us a call. Or call the Data Protection Helpline staff who will be happy to help, their number is 01625 545745.
The Data Protection website is www.informationcommissioner.gov.uk
- Just give us a call. Or call the Data Protection Helpline staff who will be happy to help, their number is 01625 545745.
1 The case is Durant-v- Financial Services Authority and was heard by the Court of Appeal. Guidance on the general effect of this case is available via the DPA website.
2 We have published an Employment Practices Code. Part 3 includes guidance on what you have to do to comply with the DPA if you are monitoring your staff. This is available from the DPA website.
3 Copies of the CCTV Code of Practice and other publications are available on the DPA website.
Access Control
Text coming soon