Policy Review: The Evolving Governance of Surveillance Cameras in the UK 1

1. Introduction

This policy review explores developments in governance arrangements surrounding the use of surveillance cameras in the UK. It makes specific reference to provisions within the Data Protection and Digital Information (DPDI) Bill2

The technological backdrop is the widespread use of surveillance cameras, often referred to as CCTV (Closed Circuit Television), in public places in the UK and elsewhere (see for example: Webster, 2009). More recently, advances in computerisation, especially around Artificial Intelligence (AI), have provided new opportunities for innovative applications to be integrated into public space camera systems. The most significant of these is Face Recognition Technology (FRT), where algorithms match faces in crowds to those contained in police databases. FRT is controversial for a number of reasons, including: poor success rates, inbuild racial bias, a presumption of guilt and because there is a lack of public support for such systems (Webster, 2019). To date, FRT applications have been limited in number, primarily because of oversight safeguards embedded in the BSCC’s Surveillance Camera Code of Practice4

Whist there is a noticeable evolution of the technology in recent years there is also a significant change about to happen in the regulatory landscape. Buried in the 2023 DPDI Bill is a clause which abolishes the BSCC and its associated functions. Furthermore, there are no clauses in the Bill setting out the transfer of roles or functions to other agencies – instead, the existing legislative requirements relating to surveillance cameras will simply cease to exist. Here the Bill posits that a new ‘Information Commission’, the proposed UK’s new data protection regulatory authority which will replace the Information Commissioner’s Office(ICO),5

The review is based on research commissioned by the BSCC in spring 2023. The authors have acted completely independently in the preparation of the research findings and have not pursued a specific outcome or agenda in relation to specific provisions in the Bill. The research process underpinning the report incorporated: a review of relevant literature, including grey material; a review of relevant provisions in the Bill; an overview of the roles and functions of the office of the BSCC; and, a series of over 20 semi-structured interviews with leading experts, regulators and stakeholders with insight and expertise in the governance and oversight of surveillance and biometrics. They include leading actors responsible for policing, regulation and service provision. Full details of the interviewees are published in the final report. The final report relating to this research is to be published in autumn 2023 on the website of the BSCC.6

The existing regulatory landscape in the UK governing the use of surveillance cameras is fragmented and involves multiple agencies and pieces of legislation. Most prominent are the the office of the BSCC and the ICO. The BSCC plays a vital role in the governance of the use of biometric materials and surveillance camera technologies by state and public service agencies. The key roles of the Commissioner are defined in legislation and include statutory and non-statutory activities. Combined these activities provide: important safeguards for users and citizens in a world where fast moving technologies offer the potential for individual and societal harm; guidance for those public agencies wishing to deploy these technologies; and, mechanisms to hold users of these technologies to democratic account. As such, the Commissioner and the Office, are a significant part of the oversight and stewardship landscape ensuring these technologies are used in the ‘public interest’.

The oversight of public space surveillance cameras is realised through statutory functions laid out in Protection of Freedoms Act 2012(POFA)7

The Code, as laid before Parliament, is a unique document covering all aspects of a public space surveillance camera system. As a ‘code’ it is not legally enforceable. However, POFA states that “relevant authorities must have regard to the surveillance camera code when exercising any functions to which the code relates”. Failure to act in accordance with the Code does not bring criminal or civil liability but may be admissible in relevant legal proceedings. As Section 33(4) of POFA states, “a court or tribunal may, in particular, take into account a failure by a relevant authority to have regard to the surveillance camera code in determining a question in any such proceedings.” The Code also sets out very clearly, how a designated agency should conceive of a system, how it should be designed, constructed and implemented, including all technical and governance matters. This includes compliance with all relevant legislation and how to approach new technological developments, including AI-driven systems such as FRT. Underpinning the ‘purpose’ of the Code is the belief that agencies using such systems should comply with legislation and ‘best practice’. Adhering to the Code provides these agencies with confidence and certainty regarding how they conduct public surveillance and offers public reassurance over appropriate use.

To deliver the statutory functions set out above a number of activities have been pursued in order to ensure that the Code delivers its purpose and to make sure that those operating camera systems have clear guidance about how they should be used. Whilst many of these activities are not statutory, in that they are not directly specified in POFA, they are crucial in supporting the work of the Commissioner, without these activities the Code could not be realised and oversight not achieved. These activities include the formation of a National Surveillance Camera Strategy,9

Beyond the BSCC a number of other agencies are involved in the governance of surveillance Cameras. This ICO has a key role in governing data processes and has issued guidance for those operating systems.10

The following text is a revised version of the Interim Report which was submitted as evidence to the UK Parliament House of Commons Public Committee Stage of the Data Protection and Digital Information Bill. As such, it is recorded in Hansard,15

1. Society is witnessing an unprecedented acceleration in the capability and reach of digitally mediated surveillance technologies. These new and advancing technologies hold clear potential to enhance public safety yet also have the capacity for enormous harm. The possibilities for integrated surveillance technology, driven by Artificial Intelligence (AI) and supported by the internet, create genuine public anxieties over civic freedoms. These anxieties exist across almost all jurisdictions. Within this context, consideration of genuine, meaningful and trustworthy governance and oversight is urgent and pressing.

2. In its current form, the Bill will delete several surveillance oversight activities and mechanisms that are set out in legislation and arise from the fulfilment of statutory duties placed on Commissioners. Prominent among these is the tabled abolition of POFA legislative requirements to (a) appoint a Surveillance Camera Commissioner and (b) to publish a Surveillance Camera Code of Practice, which offers governance coverage far beyond data-related issues. The Code is realised through the national Surveillance Camera Strategy, which would also disappear. The value of the Code and Strategy for providing surveillance oversight, raising standards in surveillance practice, delivering guidance for camera users, and offering transparency and public confidence is set out in more detail below. The POFA Act was enacted in 2012 to provide citizens with safeguards in an era where law enforcement agencies were given more intrusive powers to combat terrorism.

3. Other functions of the Biometrics and Surveillance Camera Commissioner are manifold and comprise both judicial and non-judicial elements. Key activities and benefits include, but are not limited to: developing, and encouraging compliance with the Code; raising standards for surveillance camera developers, suppliers and users; public engagement; building legitimacy and consent for surveillance practices; annual reporting to Parliament via the Home Secretary; convening expertise to support these functions; and reviewing all National Security Determinations and other powers by which the police can retain biometric data.

4. Surveillance oversight is historically and currently overburdened and under-resourced. Activities undertaken by the Surveillance Camera Commissioner have extended the Commissioner’s role, not in terms of regulatory overreach, but to compensate for this shortfall, thereby raising standards and increasing professionalism across the sector. While not defined in the original legislation (POFA), these activities have arisen as a result of successive Commissioners fulfilling their statutory duties. The Bill proposes the erasure of these functions and, by extension, their associated value to society. As one expert interviewee for the report expressed, in relation to a new ‘Information Commission’ absorbing the BSCC role “the Bill makes no provision for absorption whatsoever. It just deals with extinction”. For example, the Bill contains no provision for continuing the work of driving up standards for the development, procurement, adoption and use of surveillance cameras, a programme of work widely applauded across police, practitioner and industry communities.

5. The value of these activities is widely recognised and easily evidenced across civil society organisations, industry professionals, Parliament, and law enforcement communities – and is evidenced in the final report for this research. In relation to law enforcement communities, it is important to acknowledge significant evidence of (a) police support for the BSCC role and (b) requests for clarity over appropriate uses of surveillance tools.

6. The Commissioners’ functions are not regulatory in the same sense as the Information Commissioner. Whilst the ICO tends to work with a formal regulatory framework the BSCC co-creates standards and rules with stakeholder communities. This difference has several implications. First, the roles are not directly comparable with ICO. Consequently, the impact of BSCC functions arises through different and sometimes less visible or direct means. It also means elements cannot be directly “lifted and shifted” into a different regulatory format and destination.

7. Also crucial is that these activities extend significantly beyond matters of data use. Considering surveillance impacts and harms purely in terms of data protection is widely recognised as a highly restrictive and selective framing. It is also widely acknowledged that rights concerns arising from surveillance are not reducible to issues of privacy alone. One could further argue that adding POFA to the existing data protection landscape constituted recognition of this over a decade ago.

8. Advanced digital surveillance, particularly AI-driven forms, is a global phenomenon. The Bill’s reduction of surveillance-related considerations to data protection compares unfavourably to regulatory approaches in other jurisdictions. Many have started from data protection and extended to cover other germane issues. Examples include EU proposals around an AI Commissioner, and the MEP (Members of the European Parliament) vote to support a compromise text for the AI Act16

9. Examples of these wider activities of the BSCC and their impact are:

a.

The BSCC’s recent success in addressing widespread use of Chinese cameras with known cyber vulnerabilities in sensitive UK sites.17

10. The Bill removes reporting obligations to Parliament currently embedded in the Commissioner’s statuary obligations. This removes a mechanism for assuring Parliament and the public of appropriate surveillance use, affecting public trust, and legitimacy invested in surveillance practices. We are at a critical moment concerning public trust in institutions, particularly law enforcement, something central to the success of UK policing. As drafted, the Bill reduces public visibility and accountability of related police activities.

11. The independence of oversight is similarly crucial to public trust. Clause 28 of the Bill requires the new ‘Information Commissioner’ to respond more explicitly to “strategic priorities” designated by the Secretary of State. This may reduce independence of the regulator and risk diluting public trust and confidence in the paramount condition of independent oversight.

12. The Bill seeks to transfer some responsibilities of the BSCC outlined in POFA (fingerprints and DNA) to other entities, allowing others to lapse, and makes no provision to the functions and oversight activities arising from several POFA Commissioner duties. One argument has been that many of the BSCC activities are not defined in POFA and therefore cannot be transferred. However, the Surveillance Camera Code of Practice enables the BSCC to provide and issue guidance across the surveillance landscape. It also requires ‘relevant authorities’ to comply with its principles. These are two powerful requirements which hold state institutions to account and yet the Code is to be deleted. Several issues arise from this decision to restrict formal transfer of only those biometric responsibilities specified in POFA and deleting anything relating to surveillance camera standards. These are explored below.

13. Biometric technology is expanding and diversifying at an unprecedented rate. Specifying only those biometric techniques mentioned in legislation of over a decade ago challenges notions that the Bill is “future proofed”. By designating fingerprints and DNA to the Investigatory Powers Commissioner (IPCO) also risks a de facto segregation in the oversight of different biometrics techniques, where the governance of all other forms rests elsewhere. It removes any statutory duties from the interface of biometrics and surveillance, the policy basis on which UK Ministers recently combined the ‘biometric’ and ‘surveillance camera’ functions. Moreover, one could argue that given the potential for collateral intrusion, remote biometric surveillance resonates more closely with IPCO’s remit than fingerprints and DNA.

14. The original proposal consulted on was for all biometric and overt surveillance functions to be absorbed by the ICO. The Bill reflects the view of many that biometric casework sits more naturally with IPCO. Expert interviewees for the report highlighted how most gaps left by this Bill could also be addressed if responsibility for the Surveillance Camera Code of Practice (only recently approved by Parliament) also moved under IPCO. This would harmonise all functions for oversight of traditional and remote biometrics in policing under one established and internationally regarded judicial oversight body. Such a move could also add genuine ‘future proofing’ by anticipating the increasing potential for blurring boundaries between overt and covert surveillance brought by new advances in technology.

15. Academic research has demonstrated significant public concern over one such form of remote biometric monitoring, FRT (Fussey & Murray, 2019). Other experts and public bodies have called for more detailed rules for uses of this technology in public. A stark contrast exists in the working of the Bill between mention of relatively uncontroversial decades old biometric techniques and the cutting-edge technologies currently animating public debate. Reference to “remote biometric identification” could be one entry point to addressing this issue.

16. This issue is made more pressing given the Policing Minister expressed his desire to embed facial recognition technology in policing and is considering what more the Government can do to support the police on this.20

17. Excluding IPCO, expert interviewees questioned the suitability of alternative venues for surveillance and biometric oversight. This issue invokes several considerations. One concerns thematic coverage and the spectrum of potential surveillance harms that transcend data-related matters. Additionally, two organisations have been highlighted as possible venues for absorbing public surveillance oversight functions: a modified Information Commissioner’s Office and, separately the Equality and Human Rights Commission(EHRC).22

18. It is widely accepted that current oversight of complex surveillance practices is considered patchy and requires simplification. Simplifying oversight has been consistently stated as a key aim for the Bill. However, such simplification entails at least three further considerations:

a.

Calls for simplified oversight correctly include a requirement for companion policies for implementation and compliance. These translate abstract principles into clear guidance and standards for users of biometric and other surveillance technologies while offering mechanisms for auditing compliance. This relationship between law and policy was central to the Bridges Court of Appeal judgement23

The above text sets out a summary of the ramifications of abolishing the BSCC as proposed by the DPDI Bill. Contemporary digital technologies are evolving rapidly at the moment, especially in the realm of AI. This manifests itself in relation to surveillance cameras and biometrics in the development of applications like FRT, gate analysis and emotional sensing surveillance. These technological developments are happening in the UK at the same time as a substantial reworking of the regulatory landscape overseeing governance and oversight. In particular, the abolition of the BSCC, as proposed by the DPDI Bill, removes all direct regulation of these technologies, and explicitly assumes the new generalist ‘Information Commission’ (replacing the ICO) will provide satisfactory regulation of these technologies. This position fails to recognise that the provision of surveillance cameras and the use of DNA goes beyond mere data processes, and that there is significant regulator activity around procurement, standardisation, certification and training for example, not to mention governing the citizen-state relationship. With these shortcomings in mind, it becomes important to consider the ramifications of the Bill, and the likely outcomes to regulatory practice and technological development. On the one hand, it can be argued that the removal of technological barriers will allow for innovation and encourage public agencies to deploy contested technologies like FRT, whilst on the other, there is a view that significant citizen protections have been removed and the potential for personal and societal harm has increased. It is the view of the authors that the provisions of the Bill relating to citizen safeguards and the provision of surveillance cameras are a retrograde step and will create a vacuum in the governance of public space surveillance camera systems. As a final comment, it is important to note that the provisions of the Bill are likely to change as it passes through the legislative process in 2023–4 and that it is possible that amendments to the Bill retain elements of the functionality of the BSCC. Whatever happens, it is clear that the governance landscape for surveillance cameras will change in the furure.