As an ever-greater volume of increasingly sophisticated devices watch us all, PublicTechnology talks to regulator Tony Porter about his office’s role in ensuring surveillance is always used ‘proportionately and sensitively’

Credit: SCC

Last year’s Champions League final between Real Madrid and Juventus brought with it a number of firsts.

Played at the Millennium Stadium in Cardiff, it was the first time that Wales had hosted European club football’s biggest game. Real Madrid’s 4-1 victory, meanwhile, made them the first club to retain the trophy since the old European Cup was reformatted and rebranded 25 years ago. The Spanish side’s triumph also meant that they became the first team to win 12 European titles. In contrast, their Italian opponents became the first outfit to lose in the final on no fewer than seven occasions.

And, away from the pitch, there was another important first.

On 31 May, a few days before the match took place, a citizen of the Welsh capital reportedly became the first person in the UK to be arrested as a result of the use of facial-recognition software. 

As part of a £177,000 two-year project, South Wales Police piloted the use of real-time facial recognition technology before, during, and after the match, which was played on 3 June. The technology was installed in and around the Millennium Stadium, as well as at Cardiff Central rail station.

As an estimated 170,000 football fans descended on the city, local police used software to cross-check images captured against watchlists of hooligans and other criminals. 

But more than 24 hours before kick-off, the force confirmed that it had already made its first – and, ultimately, only – facial recognition-related arrest of the operation. On Wednesday 31 May, a local man with an outstanding arrest warrant was apprehended by officers. The police said he was “unconnected” to the Champions League final.

I really want to see the Home Office pay due regard to the code, recognise its aims, and support me and the public in realising them

Since then, South Wales Police has continued to use the technology, and has made a number of arrests. On the day of a Six Nations rugby union match between Wales and Scotland in February, three people were arrested as a result of the software’s use.

The force is not the only one to have piloted the use of facial recognition. London’s Metropolitan Police has trialled the technology during the Notting Hill Carnival. While, in 2015, Leicestershire Police used facial recognition as part of its policing of the annual Download Festival in Donnington Park.

All of these deployments have attracted criticism, with numerous advocacy groups, politicians, and members of the public voicing concerns about the ramifications for individuals’ privacy.

Tony Porter, the Surveillance Camera Commissioner (SCC) for England and Wales, tells PublicTechnology that, while the use of automated facial recognition (AFR) has not progressed beyond the trialling stage, the police could stand to be a lot more open about its use. 

“I recognise that AFR is not yet being used in anger [and that] they are trying to use it efficiently and effectively,” he says. “But they run pilot after pilot, and they have made mistakes. They could have engaged more… they have not been transparent enough about the positives, and the negatives have been shut out.”

2012
Year in which the office of Surveillance Camera Commissioner was created by the Protection of Freedoms Act

93%
Percentage of local authorities that now comply with the code, according to the commissioner

May 31, 2017
Date of reported first UK arrest to take place as a result of facial-recognition software

135
Number of cameras – including static and body-worn technology – owned by Barnsley Hospital NHS Foundation Trust, the first UK trust to voluntarily achieve compliance with the code

Local government, police forces, and the National Crime Agency
The entities that currently have a statutory obligation to comply with the code

Porter adds: “The Champions League final, and the rock concerts – all of those are trials. But what happens if it is adopted – what is the legal framework? What is the human-rights framework? Legislation cannot hope to keep up. What the regulators do is encourage each other and advise government.”

In addition to his own organisation – an independent team of five people that is housed at the Home Office and works with an in-house policy team at the department – other watchdogs with which the SCC works include the Biometrics Commissioner, the Information Commissioner, and Her Majesty’s Inspectorate of Constabulary of Fire and Rescue Services.

Protecting freedoms
The office of Surveillance Camera Commissioner was created by the 2012 Protection of Freedoms Act. Porter has held the role since March 2014, and his term of office is due to run until at least 2020.

The commissioner (pictured above) spent 30 years as a police officer with Greater Manchester Police, including three years as head of the force’s Special Branch, followed by six as leader of the North West Counter Terrorism Unit. He rose to a position as Greater Manchester’s assistant chief constable, before taking a role as a security executive at Barclays in 2012.

The post of Surveillance Camera Commissioner was “established to reflect the concerns” of citizens and rights groups, Porter says.

“The essence of the role is to ensure that there is surveillance with consent,” he adds. “Whether or not people like surveillance cameras, we do not really know if they have consented.”

He adds: “I am absolutely certain that the public [often] has no idea of the capabilities of video surveillance.”

Porter points to research conducted in 2014 by surveillance camera firm Synectics, which found that 86% of people in the UK supported the use of CCTV in public spaces. But there is a disparity between this figure and people’s feelings about newer, biometrically enabled kit, Porter believes.

“In that survey, the level of public support for public-space CCTV was astronomically high,” he says. “But technology changes – we now have drone technology, mobile-phone tracking, automatic number plate recognition (ANPR). I am absolutely certain that 86% do not want that.”

First published by the SCC in June 2013, the Surveillance Camera Code of Practice lays out 12 “guiding principles” (see below) to which system operators should adhere. As defined by the Protections of Freedoms Act, the commissioner’s role covers all surveillance activities taking place in a “public space”, Porter says.

“It refers to CCTV, street furniture, body-worn cameras, and ANPR and the analytics – not just the cameras, but the cross-reference database, the management, and the storage,” he adds. “My role must also have a key role in regulating the impact of advancing technology… and we have also covered cameras run by members of the public.”

Police forces and local authorities have a statutory duty to comply with the code, as does the National Crime Agency. Although the SCC does not have punitive powers, Porter says he has ample means of ensuring compliance among the police.

“My approach has been to identify areas where they are underperforming and bring in the chief officers, and let them recognise that they will be held to account,” he says. “I have just completed a survey of 43 police forces, and identified every one that is compliant, and every one that is not. I am writing back [to the forces] with those results saying that I look forward to their response.”

Porter adds: “There is a very real risk that, if they do not comply… evidence that has been captured by CCTV will be dismissible in a court of law – a defence barrister could say to a judge ‘are we happy to allow this evidence into court that has been collected in breach [of the code]?’.”

For local authorities, the SCC has developed a self-assessment tool for demonstrating compliance. Alongside this is the promise of being able to display a kitemark of compliance for those that successfully complete the process – while those that fail to comply risk being named and shamed in the commissioner’s annual report to parliament.

The Surveillance Camera Code of Practice 12 Guiding Principles

1. Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need
2. The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified
3. There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints
4. There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used
5. Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them
6. No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged
7. Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes
8. Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards
9. Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use
10. There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published
11. When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value
12. Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date 

Source: SCC 

These measures have seen the rate of compliance among councils skyrocket from 2% to 93%, Porter claims.

As the implementation of the EU General Data Protection Regulation creeps closer, the commissioner is now encouraging councils to nominate a named employee to ensure their surveillance camera set-up remains on the right side of the law.

“I am very keen to make sure that local authorities all appoint a single, responsible officer,” he says. “While a local authority may have one public control room, some have 30 to 50 different [CCTV] systems – the most I have heard of is 51. I am calling for dedicated officers, [and] I would be looking for the person that runs public-space surveillance to work closely with the data protection [officer].”

By the end of 2018, Porter is aiming to drive adherence to the code among police and local authorities up to 100%.

Next steps
But the commissioner remains frustrated that other parts of the public sector – particularly NHS trusts and higher-education establishments – are not mandated to comply with the code.

“I have written to the [home secretary] saying there is no reason on earth why a parish council is covered by the code, but not an institution [such as a hospital] that has people at their most vulnerable, in a public space, being seen by security guards with body-worn cameras,” he says. “A lot of trusts also have drones and ANPR. This must be used sensitively and proportionately. I am still trying to push this government to accept that the capability for invasion of privacy is significant.”

Even without a statutory requirement, many universities have voluntarily adopted the code, Porter adds, as has Barnsley Hospital NHS Foundation Trust, which in 2016 became the first trust to achieve compliance, after submitting to an external assessment of its estate of 135 cameras. 

The police could have engaged more on facial recognition… they have not been transparent enough about the positives, and the negatives have been shut out

Marks & Spencer, meanwhile, last year became the first retailer to be certified compliant, after volunteering to undergo an audit. 

While the existing code applies to entities that own and operate CCTV systems, the SCC is now working to create a companion document to provide a framework of guiding principles for companies that manufacture camera hardware and the software that powers it, as well as individuals and companies that maintain surveillance systems.

A rough draft has been drawn up and is being assessed by security consultants, with the aim of launching a framework sometime this year.

The introduction of such a framework will come alongside a wider drive for people to “recognise the SCC brand”, and come to see adherence to is codes and attainment of its certifications as a mark of trustworthiness. A large part of that will be attracting more buy-in from the SCC’s landlords in Westminster, according to Porter.

“My next ambition is that the relevant authorities pay due regard to the code,” he says. “I really want to see the Home Office pay due regard to it, recognise its aims, and support me and the public in realising them.”

The commissioner adds: “We are talking about human rights, and the power of the state.”

As technology progresses, those rights could potentially be ever-more compromised, as the power in question changes and magnifies. 

But not without the commissioner and his team watching very closely.