The owner had ignored three letters from the ICO requiring him to register his CCTV and pay the £35 annual charge, as required under the Data Protection Act. He didn’t, and he’s one criminal conviction and at least £365 the poorer for it.
I tend to view the ICO as a bit of a champion of pubs. Back in 2009 it issued guidance attacking the enthusiasm with which the police and licensing authorities were slapping standard CCTV conditions on premises licences with little regard to the rights of customers not to have their privacy intruded upon without justification.
The note states that if there has been no history of crime or antisocial behaviour associated with the premises and no likelihood of future trouble, then in the ICO’s view it is difficult to see how the installation of CCTV can be justified as a licensing condition. If other measures are better suited, then these should be employed — for example, if your problem is solely vandalism of cars in your car park, then the ICO has suggested that better lighting might be preferable to the wholesale installation of CCTV.
The ICO is particularly critical of model conditions that state CCTV images should be provided “on request” to the police. Such conditions do not fit with the provisions of the Data Protection Act 1998, which incorporates a “prejudice” test.
If you’re lucky enough to run a pub with little or no history of crime or antisocial behaviour, don’t feel you immediately have to agree to any police request for a CCTV condition, simply because “every other licence has one”.
Under the Data Protection Act 1998, if you do have CCTV then someone must register with the ICO as the ‘data controller’, which the ICO states is the licensee. Now, we all know that since 2005 the licensee is a many–headed beast. The designated premises supervisor, the premises licence holder or any personal licence holder could legitimately describe themselves as the licensee. In reality, whoever controls the processing of images caught by CCTV is the data controller. This doesn’t mean the door team or your manager on any particular night, but the person or organisation with the authority to disclose these images, to the police for example. If you are a tenant of a pubco, be clear who really is in control of these images — the ICO fully expects both parties to register as data controllers
if responsibility is shared.
It is well worth training your staff on how to handle this personal data. The ICO is no paper tiger, and our Lancashire bar owner may consider himself to have escaped relatively lightly. In the past year alone his own local police force was fined £70,000 for
losing highly sensitive personal information in a public place.
For more information visit www.ico.gov.uk/for_organisations.aspx.