There’s a lot written in the fire and security industry about adhering to fire system compliance, and the penalties that can apply – from relatively small fines through to two years imprisonment!
But what about security systems? Are CCTV, intruder and access control systems subject to regulatory laws?
The short answer – yes. Security systems do have to comply with certain regulations. However, because they’re not a life safety system as fire alarms etc. are, they don’t carry similar penalties for non-compliance.
CCTV systems must comply with the Information Commissioner’s Office Code of Practice and General Data Protection Regulations (GDPR). Surveillance cameras are no longer a passive technology that just records footage. CCTV systems are now more proactive, utilising sophisticated video analytics to identify people of interest and retain details of people’s activities. Because of the increase in data that footage can collect, there needs to be some protection for members of the public.
The first step is to perform a Data Protection Impact Assessment. This will identify any possible impact on an individual’s privacy, which must be taken into account when installing and operating your CCTV system. The ICO have made it easy and provided a downloadable Data Protection Impact Assessment template here.
ICO Data Protection Fees
Once this is completed and you’ve determined the purpose for which your business will be processing an individual’s data, you’ll need to pay the relevant data protection fee to the ICO. The fees vary depending on various factors such as the size of your business and turnover. More information on the ICO fees can be found on their website.
To comply with the ICO CCTV Code of Conduct, you must also have a policy which details the use of the CCTV system, and an appointed individual who is responsible for operating the system. The policy should cover the purposes for which you’re using a CCTV system and also detail procedures on recording and disclosures.
Your CCTV policy should also include a process to follow when an individual or organisation requests copies of the footage from your CCTV. People have a right to request copies of any images of themselves from your CCTV and it must be handled appropriately.
You must also ensure your employees know about the CCTV policy and are trained where necessary.
Data Retention and Security
The ICO’s guidance states you should only keep CCTV footage for as long as necessary for its purpose and delete the footage when it’s no longer required. In addition to this, the ICO recommends your business should perform systematic checks to ensure compliance with the retention period in practice.
You also need to ensure footage from your CCTV system is stored securely, and that it can only be accessed by authorised individuals.
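The “systematic check” the ICO recommends is easy to automate. The script below is an added example, not code from the original article or from Triple Star Fire & Security: it assumes footage is stored as files whose modification time marks when the clip was recorded, and that your CCTV policy fixes a retention period in days (RETENTION_DAYS is a placeholder, not a value taken from the page). It lists, and optionally deletes, clips older than the retention period and returns a small report you can keep as evidence that the check ran. The same check applies unchanged to exported access-control event logs, which are also personal data with a retention period.

```python
"""Retention check for stored CCTV footage (added example, not the page's code).

Assumptions (constructed for illustration): each clip is a file whose mtime is
its recording time, and the site's CCTV policy sets a retention period in days.
"""
from datetime import datetime, timedelta, timezone
from pathlib import Path
import json

RETENTION_DAYS = 31  # placeholder; take the real value from your own CCTV policy


def find_overdue(records, retention_days, now_iso):
    """Return the names of records whose timestamp is older than the cutoff.

    records:  iterable of (name, ISO 8601 timestamp) pairs
    now_iso:  the moment the check runs, as an ISO 8601 string
    A clip recorded exactly at the cutoff is not yet overdue (strict comparison).
    """
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(days=retention_days)
    return sorted(name for name, stamp in records
                  if datetime.fromisoformat(stamp) < cutoff)


def footage_records(root):
    """Walk a footage directory and yield (path, mtime as ISO 8601 UTC) pairs."""
    for path in Path(root).rglob("*"):
        if path.is_file():
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            yield str(path), mtime.isoformat()


def retention_check(root, retention_days=RETENTION_DAYS, delete=False):
    """Systematic check: report (and optionally delete) clips past retention.

    Returns a dict that can be logged as evidence the check was performed.
    Run with delete=False first to review what would be removed.
    """
    now = datetime.now(timezone.utc)
    overdue = find_overdue(footage_records(root), retention_days, now.isoformat())
    if delete:
        for path in overdue:
            Path(path).unlink()
    return {
        "checked_at": now.isoformat(),
        "retention_days": retention_days,
        "overdue": overdue,
        "deleted": delete,
    }


# Constructed sample records (not real footage) for a dry run without a filesystem.
SAMPLE_RECORDS = [
    ("cam01/2024-01-02T08-00.mp4", "2024-01-02T08:00:00+00:00"),
    ("cam01/2024-02-20T08-00.mp4", "2024-02-20T08:00:00+00:00"),
    ("cam02/2024-03-01T17-30.mp4", "2024-03-01T17:30:00+00:00"),
]

if __name__ == "__main__":
    # With a 31-day policy checked on 2 March 2024, only the January clip is overdue.
    overdue = find_overdue(SAMPLE_RECORDS, RETENTION_DAYS, "2024-03-02T00:00:00+00:00")
    print(json.dumps({"retention_days": RETENTION_DAYS, "overdue": overdue}, indent=2))
```

Schedule `retention_check(root)` to run daily from the recorder host and keep the returned reports; a report showing an empty `overdue` list is the evidence the ICO guidance asks for that the retention period is being met in practice, and a non-empty one tells you exactly which clips the deletion job missed.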
Signage should be displayed to inform people that CCTV is in operation on-site. Signage should be clearly visible and readable. It also needs to show details of the organisation operating the system, the purpose of its use and contact details for any queries.
The added benefit of having CCTV signage is that it acts as a deterrent to potential criminals.
Penalties for non-compliance
Not complying with GDPR for data protection and privacy can carry some substantial fines. One of the first penalties given was for a shop not displaying signage outside stating CCTV was in operation. The fine was approx. £4250.
However, GDPR violations can attract a fine of up to €20 million or 4% of an organisation’s turnover, whichever is greater. Whilst it’s unlikely that minor CCTV practices will attract large fines, it does demonstrate that the ICO takes the GDPR regulations seriously. And so should you.
Intruder Alarm systems
Intruder alarms should be installed, monitored where necessary and maintained to comply with the site risk assessment and the standards listed below.
The standards to be aware of include:
BS 8243:2010 (installation and configuration of intruder and hold-up alarm systems designed to generate confirmed alarm conditions)
PD 6662:2017 (scheme for the application of European standards for intrusion and hold-up alarm systems)
BS EN 50131-2-2:2017 (European Standard for passive infrared detectors installed in buildings for security grades 1 to 4).
Whilst it’s important to ensure your intruder alarm system is correctly installed to comply with the relevant standards, it is usually your insurance company that stipulates more specific requirements for your system to comply with.
Intruder Alarm Grades
For your insurance policy to be effective, your insurer will usually require an intruder alarm fitted to a certain grade. There are four grades of intruder alarm system, with Grade 1 providing relatively low security, and Grade 4 providing the highest level of security. The risk factor of your business and its operations will dictate the grade of system you require. A risk assessment is the best way to determine which grade of alarm system you should have installed.
Penalties for non-compliance
Whilst there are no penalties for your intruder alarm system not complying with current regulations, a non-compliant system would likely invalidate your insurance policy. It’s therefore advisable to ensure your installation company is accredited by a third party such as the SSAIB or NSI. Once installed, you should receive a certificate of compliance to show your intruder alarm system has been installed to meet the relevant standards.
Access control systems
As with all security systems, access control systems should be installed to meet the relevant British Standards.
BS EN 60839-11-2:2015 defines the minimum requirements and guidance for the installation and operation of electronic access control systems. However, of equal importance is ensuring the design of the access control system takes account of the Equality Act and Disability Discrimination Act. Any installation of access control needs to ensure disabled people are able to acquire access to a building or a room in the same way as everyone else.
Access Control and GDPR
Whilst access control systems are generally seen as securing a building, the fact they record personal data is often overlooked. So it’s important to consider the rules of GDPR when installing any access control system.
Your access control system will collect and record substantial amounts of personal data such as a person’s name, employee number, photo ID and possibly more. It will also record a person’s movements throughout a building, allowing you to monitor their activity. System administrators can view all such data, so the secure storage of this data is imperative.
To ensure your access control system is GDPR compliant, it’s essential to consider data protection and data security. How is the data accessed, how long is it retained for, how often is data erased – all these questions need addressing when designing a GDPR compliant access control system.
The following aspects should be considered when installing an access control system:
The reason for identifying card/fob holders
What kind of data is retained and who has access to it
How is data entered to the system – manually or automatically
Where is data stored and how long is it retained
Whether data is shared with third parties and the basis for this
Triple Star Fire & Security have many years’ experience in the design, installation and commission of electronic security systems and are accredited by SSAIB for all security system installations. If you’re looking for a new CCTV system, intruder alarm system or access control solution then call us. Our number is 0203 189 1960.