Introduction

    The Government welcomes the report of the House of Lords Select Committee on Science and Technology. The Committee's report has helped to clarify the key issues on the use of digital images as evidence.

    The recommendations concerning digital images are generally supported, in particular that consideration be given to removing the uncertainty surrounding the use of digital images as evidence. The Government also supports the use of CCTV surveillance in public places to help in tackling crime and disorder. However, the Government shares the Committee's view that to be successful, CCTV schemes must commend the confidence and support of the local community: CCTV systems must be deployed and operated with integrity and with respect for personal privacy and civil liberties.

    The Government also shares the Committee's view that CCTV material should be used for the detection of crime and the prosecution of offenders and deplores the sale of CCTV material for entertainment purposes. Hitherto, CCTV has been subject to voluntary regulation, through locally adopted codes of practice. While model codes, such as that developed by the Local Government Information Unit, are now widely adopted, the Government accepts that there is a need to underpin good practice in law.

    The provisions of the Data Protection Bill, currently before Parliament, will regulate CCTV material.

    The Government is also committed to statutory regulation of the private security industry, including private operators of CCTV systems.

The Data Protection Bill

    The Government believes that the controls available under the Bill, which bite where information is processed on identifiable individuals, will be able to address the Committee's main concerns in relation to CCTV systems. The Bill gives effect to the 1995 EC Data Protection Directive which Member States are required to implement by 24 October 1998. It builds on the data protection regime established under the Data Protection Act 1984, which it will replace. Like the 1984 Act, the Bill is framed in general terms rather than by reference to specific technologies, which can swiftly be superseded by new ones.

    Many CCTV systems are outside the scope of the 1984 Act because of the limitations of some of its key definitions. The Government considers that the equivalent definitions in the Bill are sufficiently broad to encompass not only the sophisticated types of CCTV systems with which the Committee were concerned, but even much simpler equipment which merely projects images of identifiable individuals passing a shop into the shop window without actually recording.

    The Bill will require data controllers, including the controllers of CCTV systems, to notify details of their processing to the Data Protection Commissioner and to comply with eight enforceable data protection principles. Among other things, the principles require personal data to be processed (a term which encompasses obtaining, holding, use and disclosure) fairly and lawfully; to be obtained only for specified and lawful purposes, and not further processed in a way incompatible with those purposes; and to be surrounded by appropriate security measures.

    The Bill will give the Commissioner wider enforcement powers and duties than she has as Registrar under the 1984 Act. In particular she will have a duty to promote the following of good practice by data controllers; a power to prepare and disseminate codes of practice for guidance as to good practice and to encourage other bodies to do so; and a duty to advise on the adequacy of codes submitted for her consideration. There will also be a power for the Secretary of State to direct the Commissioner by Order to prepare codes of practice, and any such code would have to be laid before Parliament. Although none of these potential codes of practice would have direct statutory force, they would amplify how the data protection principles, enforceable under the Bill, should be applied to the particular type of data use concerned.

    The Commissioner would not need to wait for a complaint before initiating an investigation. The Bill empowers her to issue an information notice requesting relevant details from a data controller where she reasonably requires these to determine compliance with the principles. This power is backed up by powers of entry, inspection and seizure in cases where there are reasonable grounds for suspecting a contravention of the principles. The Bill also provides for a system of prior checking by the Commissioner of certain processing, to be specified by the Secretary of State by order, subject to affirmative resolution, to assess its likely compliance with the Bill's requirements. Processing will be prohibited during the assessment period. If the Commissioner concludes that the processing is unlikely to comply with the requirements, the processing may still go ahead, but the data controller would then be at risk of enforcement action for any subsequent breach.

DETAILED RESPONSE

Recommendation 3.11

    That the Government encourage the appropriate legal bodies to draw greater attention to the change to digital processing and to widen public awareness that paper originals are rarely necessary.

    The Government agrees with this proposal but notes that while paper originals may rarely be necessary, retention of the original digital file, captured from the original paper or other source, is considered highly desirable, if not essential.

Recommendation 3.18

    That evidence should not necessarily be inadmissible because it does not conform with some specific technological requirement.

    The Government accepts this recommendation although it is unclear how this sits with the concept of type approval as described in paragraph 3.32 and recommended in 3.33. Paragraph 3.14 seems to cast a doubt over type approval.

Recommendation 3.20

    That the Government encourage the use of authentication techniques. Members of the legal profession should be made aware of the benefits of these techniques, their value in adding weight to evidence and the possible significance of their omission.

    The responsibility of proving the reliability and authenticity of data falls to the body carrying out the capture, processing and modification. Thus an audit trail, either electronic or enshrined in operational procedures, or preferably both, is essential. While any digital image can be considered for presentation as evidence, the court would be well advised to place a greater weight on evidence which can be rigorously demonstrated to have been derived from an authenticated original. The Forensic Science Service has offered to support any training initiatives where it could make a useful contribution.

Recommendation 3.21

    We recommend that the Government produce guidance on the benefits of conformance with procedural measures necessary to establish the reliability of evidence, with particular reference to existing standards. When this guidance is available, we recommend that the trade associations of those organisations likely to be concerned with it produce training material on its use.

    The Government accepts this recommendation. The use of accepted procedures, particularly those based on existing standards where they might exist, provides a means for establishing the reliability of evidence. Unfortunately, as far as is known, there do not appear to be any recognised specific standards in this field but this should not be a barrier to establishing what such procedures might be. The FSS, for example, works to standard procedures within a quality management system which at the same time meets the requirements of the International Standard ISO 9000 and ISO Guide 25.

Recommendation 3.27

    We recommend that consideration be given to the Turnbull Warning being appropriately adapted so that the uncertainties inherent in images as evidence are made clear to the jury, particularly the implications of any measures to substantiate authenticity and breaks in the audit trail, and any processing which the image has undergone. This is a matter which the Judicial Studies Board may care to take up.

    The Government supports this recommendation and will invite the Judicial Studies Board to give it consideration.

Recommendation 3.28

    That consideration be given to measures to reduce the uncertainty over the use of digital images in court and Government ensures that there is a satisfactory resolution of the uncertainty.

    The Government agree that the best way to reduce uncertainty over the use of digital images in court, in particular those relating to fingerprints, is to put appropriate legislation in place. That is why the Home Office is reviewing existing fingerprint legislation to ensure that it reflects recent technological advances and is considering whether to consult interested parties.

Recommendation 3.33

    That the Government encourages the adoption of technological measures for the authentication of images as evidence by giving type approval to them. The Forensic Science Service should provide ongoing advice for manufacturers and users of imaging equipment on authentication technologies; and

Recommendation 3.36

    that the Government devise incentives or put in place measures such as the endorsement of relevant codes to increase the adoption of good practice.

    The Government supports these recommendations. While the Government may usefully set standards for systems, actual type approval, i.e. allowing the use of particular makes and models in a global permissive statement, can never be more than part of a package of recommendations. The quality, integrity and authenticity of data produced by a system depend on a number of factors, examples of which are:

	—	the manner in which the system was tested: factory or on-site, by technicians or users;
	—	setting up procedures;
	—	calibration: extent, rigour, frequency;
	—	maintenance: extent, rigour, frequency;
	—	environmental conditions;
	—	operational procedures;
	—	user selection and training;
	—	automatic quality warnings and overrides thereof.

Recommendation 3.34

    We recommend that the Judicial Studies Board consider establishing a programme of education on the implications of digital technology for the judicial system.

    The Government supports this recommendation and will invite the Judicial Studies Board to give this matter consideration.

Recommendation 4.6

    That the Government commission a substantial, rigorous and independent study of the cost and effectiveness of publicly funded surveillance systems; and

Recommendation 4.7

    that an interim report be available within 12 months to provide a broad indication of the scale of any increase in convictions, any reductions in crime and the fear of crime, and separately, disorder, that have been achieved by public space surveillance systems.

    The Committee's report recognises that there are a number of professionally conducted case studies which indicate that CCTV can have a real impact on crime and disorder. All of the schemes funded by the Home Office are required to conduct an independent evaluation of effectiveness and the reports will be scrutinised by the Home Office Research and Statistics Directorate. However, an evaluation at national level was not envisaged by the previous administration and mounting such an exercise retrospectively would be a significant task which raises a number of technical issues, such as comparability of data and isolating the effect of CCTV, which is often introduced as part of a package of crime reduction measures, from other factors which could also influence recorded crime. The Government believes that the limited resources available are best focused on particular schemes where the evaluations indicate that there may be scope for developing best practice. Round 4 of the CCTV Challenge competition, which the Government announced in November 1997, is targeted at innovative and imaginative schemes. The evaluation criteria have been specified in more detail than in previous rounds to ensure that effectiveness can be measured and validated so that lessons on what works, and why, can be learned and applied elsewhere.

Recommendation 4.11

    That the Government establish a uniform policy on the control and release of CCTV-derived images from publicly owned surveillance systems.

    The Data Protection Bill will provide a regulatory framework for the processing of information relating to identifiable individuals, including the obtaining, holding, use or disclosure of such information. As explained above, the Bill will apply to CCTV-derived images.

Recommendation 4.14

    That the Government give urgent consideration to introducing tighter control over any system, either publicly or privately owned, covering sites to which the public has free access.

    The controls available in the Data Protection Bill will apply both to publicly and privately owned CCTV systems. The Bill's data protection principles constitute a form of statutory code of good data handling practice. As explained above, the Bill additionally provides for the issue by the Commissioner of codes of practice which, although having no statutory force in themselves, could be expected to include a statement of detailed application of the enforceable principles. As further explained above, the Bill also gives the Commissioner powers to require information from data controllers, which are backed up by powers of entry, inspection and seizure in appropriate cases. Failure to comply with an information notice, or with any other form of enforcement notice, will be a criminal offence.

    The Government is committed to introducing statutory regulation of the private security industry, including the operators of CCTV systems. There is unlikely to be time for early legislation on this issue but the Government is using the time to develop a comprehensive, effective and streamlined system for the private security industry. The Government is considering the results of a recent consultation exercise with the police, the industry and others and hopes to be able to publish proposals for the regulation of the private security industry later this year. One of the options which is being considered is a national licensing scheme for the whole of the private security industry. The Government is also considering ways in which training standards and codes of practice could be laid down for different sectors of the industry.

Recommendation 4.20

    That the Government produces guidance for both the public and private sectors on the use of data matching, and in particular the linking of surveillance systems with other databases.

    The Registrar/Commissioner will be responsible for issuing guidance on data protection issues. The preamble outlines her powers and duties in this regard under the Data Protection Bill. Datamatching already comes within the scope of the 1984 Act regime and it will also be caught by that of the Bill. The Registrar has a duty under the current Act to promote observance of the data protection principles and in August 1997 she issued guidance on developing codes of practice on data matching. Its aim was to provide a framework within which codes of practice could be developed within particular sectors, leading ultimately to model codes which could be commended to those seeking to establish new data matching systems.

Recommendation 4.17

    That the new law encompass CCTV and the DPR be given responsibility to issue or oversee enforceable codes of practice for such systems. The maintenance of public support for CCTV would be further strengthened if the DPR were to be given powers to check, that is to audit, the operation of these systems, and not to have to wait for a complaint to be lodged before taking action; and

Recommendation 4.21

    we recommend that the DPR be given powers to audit the operation of datamatching systems.

    As indicated in the responses to Recommendations 4.14 and 4.20, the Government believes that the Data Protection Bill regime will be able to provide the controls sought by the Committee over CCTV and datamatching.

    The categories of processing to be subject to the "prior checking" mechanism described in the preamble would be set out in an Order subject to affirmative resolution once the Bill had become law: the Government has already identified operations involving datamatching as primary candidates.

Recommendation 4.22

    We want to see public acceptance of surveillance, introduced to deter and assist in the capture and prosecution of criminals, blossom and flourish. This is more likely to be the case if there is a wide public debate of the issues involved, and we recommend that the Government should promote such debate.

    The Government will take every opportunity to promote good practice in the use of CCTV. The Data Protection Bill imposes a duty on the Commissioner to make information publicly available about the operation of the Bill, about good practice and about other matters within the scope of her functions. The Registrar discharges a broadly similar obligation under the 1984 Act in a variety of ways, including the issuing of guidance and discussion papers, the provision of training materials and seminars, attendance at conferences and exhibitions, and publication of an Annual Report to Parliament.

22 April 1998