Search
  • Welcome to the LegalBeagles Consumer and Legal Forum.
    Please Register to get the most out of the forum. Registration is free and only needs a username and email address.
    REGISTER
    Please do not post your full name, reference numbers or any identifiable details on the forum.

CCTV and bank dispute

Collapse
Loading...
X
Collapse
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous Next
  • #1

    CCTV and bank dispute

    Can a bank be asked to release CCTV from their ATM as part of a Subject Access Request even if the person concerned does not bank with them?
    THis is an issue related to disputed ATM withdrawal. Would CCTV footage be allowed to be released? What would be required to be done for the release of the footage?
  • #2
    Re: CCTV and bank dispute

    Originally posted by natweststaffmember View Post
    Can a bank be asked to release CCTV from their ATM as part of a Subject Access Request even if the person concerned does not bank with them?
    THis is an issue related to disputed ATM withdrawal. Would CCTV footage be allowed to be released? What would be required to be done for the release of the footage?
    Yes. All live footage recorded by a CCTV camera is considered under the DPA as processing personal data and therefore Data Subjects have a right to request all footage and images where they are featured. The issue of whether or not the Data Subject banks with the bank which recorded the images is irrelevant.

    If the bank refuse, they need to have a good reason for the denial.
    • 1 thank

    Comment

    • #3
      Re: CCTV and bank dispute

      If its an issue eg they dispute they took the money out of the ATM and someone else did re fraud and therefore the person in the cctv wouldnt be the account holder, would that still allow the cctv to be part of the request?
      #staysafestayhome

      Any support I provide is offered without liability, if you are unsure please seek professional legal guidance.

      Received a Court Claim? Read >>>>> First Steps

      Comment

      • #4
        Re: CCTV and bank dispute

        They are not an account holder and their original thread stated that their bank suggested it was only used to monitor vandalism and that they had no case with the police. They were telling the original poster that they had lied or someone else took the money yet there was nowhere for them to turn. It is apparrently not a crime for someone to gift accidentally £250 for example, by not picking it up from the ATM and prior to the notes retracting.

        Comment

        • #5
          Re: CCTV and bank dispute

          Originally posted by Amethyst View Post
          If its an issue eg they dispute they took the money out of the ATM and someone else did re fraud and therefore the person in the cctv wouldnt be the account holder, would that still allow the cctv to be part of the request?
          In the case of making a SAR for CCTV images, the only way the Data Subject can expect the Data Controller to be able to carry out the request is by providing a picture of themselves along with their SAR. Otherwise, whoever is charged with fulfilling the request will not know who to look for in the recordings. If it is the case that the image of the Data Subject does not appear in the recorded images, then that would appear to solve both issues.

          If images of third parties are also shown with the images of the person who has made the access request, the Data Controller must must consider whether they need to obscure the images of third parties. If providing these images would involve an unfair intrusion into the privacy of the third party, or cause unwarranted harm or distress, then they should be obscured.

          Comment

          • #6
            Re: CCTV and bank dispute

            Access by Data Subjects
            This right is provided by section 7 of the Data Protection Act 1998 - Data Protection Principles 1, 6 & 7.

            1. When data subjects make a request for accessing their information, those operating the system must be able to recognise such a request.

              A standard subject access request form should exist for this purpose and should indicate:
              • What information is required to locate the requested images
              • What information is required in order to identify the person making the request
              • What fee is charged for carrying out the requested search (max £10.00)
              • Whether merely viewing the images recorded would satisfy the individual
              • That within 40 days of receiving the required fee and information the response will be provided
              • An explanation of the Rights provided by the 1998 Act

            2. Written information should be given to individuals of the types of images retained, their purpose and the policy concerning disclosure in relation to those images
            3. Standard 2 above should also be provided with the subject access request form
            4. The designated person should deal with all subject access
            5. The images requested should be located by a designated person
            6. A designated person should make the decision whether disclosure also entails disclosure to a third party
            7. A designated person should determine the decision as to whether the images of third parties are held under a duty of confidence
            8. A designated person must ensure that third party images are disguised if third party images are not to be disclosed
            9. An editing company may be used if the system does not have the capability to comply with standard 8 above
            10. If a third party or an editing company is used the following procedures apply:
              • There is a contractual relationship between the data controller and the editing company
              • The editing company must give appropriate guarantees regarding the security measures taken in relation to the images
              • It is the responsibility of the designated person to check and ensure that the guarantees are met
              • That the editing company can only use the images in accordance with the instructions of the designated person should be explicit and in the form of a written contract
              • The security guarantees provided by the editing company should be explicit and in the form of a written contract

            11. If it is decided by a designated person that an access is not to be complied with, the following should be documented:
              • The date of the request
              • The identity of the person making the request
              • Why the request to supply the images was refused
              • The name and signature of the designated person making the decision

            12. All staff should be aware of individuals' rights
            13. If disclosure is made, it should be in private with only authorised staff present
            14. The Data Subject is entitled to a copy of his data in intelligible format (Standard VHS tape)

            Under Sections 10, 12 And 13 Of The Data Protection Act 1998 Other Rights May Also Apply

            1. When there is a request from an individual to prevent processing likely to cause unwarranted and substantial damage or automated decision taking in relation to that individual. All operators must be able to recognise such a request
            2. When such requests are made all staff must be aware of the designated person who should respond to them
            3. The response from the designated person must indicate whether they will comply with such requests
            4. There must be a response in writing within 21 days of the designated person receiving the request
            5. The designated person must give written reasons if the request cannot be complied with
            6. A copy of the request and response must be kept
            7. The designated person must notify the individual if an automated decision is made
            8. If the individual makes a request in writing within 21 days the designated person must reconsider an automated decision
            9. The designated person will respond within 21 days setting out the steps they will take if they receive a receipt of the written request in standard 8 above
            10. The designated person will document the original decision, the request from the individual and their response to the request
            11. Data Subjects can take court action to prevent unlawful processing
            12. Data Subjects can claim compensation for "damage" suffered as a result of breaches of this Act


            Action Surrounding Subject Access Requests, Complaints And Audit
            1. The contact point indicated on the sign should be available to members of the public during office hours Employees staffing the contact point should be aware of the appropriate policies and procedures
            2. Specific documentation should be provided to each enquiry

              Enquirers should be provided, on request, with one or more of the following:
              • The leaflet which individuals receive when they make a subject access request as general information
              • A copy of this code of practice
              • A subject access request form if required or requested
              • The complaints procedure to be followed if they have concerns about the use of the system
              • The complaints procedure to be followed if they have concerns about the non-compliance with the provisions of this code of practice

            3. A complaints procedure should be clearly documented
            4. A record of the number and nature of complaints or enquiries received should be kept together with an outline of the action taken
            5. A designated person should use the report in standard 4 to assess public reaction to and opinion of the use of the system
            6. A designated person should undertake regular reviews of the documented procedures to ensure compliance with the code
            7. A report of the reviews in standard 6 should be provided to the data controller so the legal obligations and provisions of this code can be monitored
            8. An internal annual assessment should be undertaken
            9. The results of the report in standard 7 should be compared with the purpose of the scheme. If the scheme is not achieving its purpose, it should be discontinued or modified
            10. The results of the report in standard 7 should be made publicly available


            Images should not be retained for longer than is necessary Images should not be retained for longer than is necessary. While retained, the integrity of the images must be maintained to ensure their evidential value and/or to protect the rights of the people whose images have been recorded. Access to, and the security of, the images should be controlled. - Data Protection Principle 3, 5 & 7

            1. Images should not be retained for longer than necessary to achieve the purposes of the CCTV system
            2. Once a retention period has expired, images must be erased
            3. If images are to be held for evidential purposes, they should be kept in a secure place with controlled access away from other routine data
            4. There are procedures for removing the medium on which the images have been recorded for use in legal proceedings. The following should be documented:
              • The date on which the images were removed from the general system
              • The reason why they were removed
              • Any crime incident number to which the images are relevant
              • The location of the images
              • The signature of the collecting officer; see below

                If the medium on which images are recorded is removed the following should be documented:
                • The date and time of removal
                • The names of the person removing the images
                • The name(s) of the person(s) viewing the images and the organisation(s) they represent
                • The reason for the viewing
                • The outcome if any of the viewing
                • The date and time that images were returned to the system (or secure place if they have been retained for evidential purposes)

            5. Monitors in areas where individuals would have an expectation of privacy should not be viewed by unauthorised operators and/or employees of the operators
            6. Access to images should be restricted to designated staff
            7. All CCTV data must be stored securely with access limited to authorised personnel only
            8. Viewing of recorded images should only take place in a restricted area
            9. There are procedures for the removal of the medium on which images are recorded see 4 above.
            10. All operators and employees to be informed of the procedures for accessing the recorded images
            11. All operators to be trained in their responsibilities so they are aware of the user's security and disclosure policies and the rights of individuals.


            Access to and the disclosure of CCTV images Access to, and the disclosure of, CCTV images and the disclosure of images to third parties should be restricted and carefully controlled to ensure the rights of individuals are protected. The chain of evidence must remain intact if the images are required for evidential purposes. Reasons for the disclosure of the images must be compatible with the purpose for which the images were originally recorded. - Data Protection Principles 2, 7 & 8

            1. Access to the images should be restricted only to those who need access to fulfil the purpose of the system
            2. All access should be documented
            3. Disclosure should be made in limited and prescribed purposes
            4. All requests for access should be recorded and reasons for any denials
            5. There are procedures for allowing access or disclosure

              When access to or disclosure of the images is allowed then the following should be documented:
              • The date and time of access or disclosure
              • Identification of third party to whom access or disclosure is allowed
              • The reason for allowing access or disclosure
              • The extent of information to which access or disclosure is allowed

            6. Recorded images should not be made widely available e.g. on an intranet site
            7. If the images are made widely available, the decision should be made by a designated person and the reasons documented
            8. If the images are disclosed to the media, the images of individuals will need to be disguised to avoid identification
            9. If the system does not have the capability to comply with standard 8 above, an editing company may be used

              There are procedures if an editing company is used
              • There is a contractual relationship between the data controller and the editing company
              • The editing company has given the appropriate guarantees regarding the security measures they take in relation to the images
              • The designated person checks to ensure the guarantees are met
              • The written contract makes it explicit that the editing company can only use the images in accordance with the instructions of the designated person
              • The written contract makes the security guarantees provided by the editing company explicit

            10. There are procedures if the media organisation receiving the images undertakes the editing (See notes under point 9 above.)


            Quality of the Data Quality of the Data - Images produced by the system must be as clear as possible to ensure that they are effective for the purposes for which they are intended. - Data Protection Principle 3.4 & 5

            1. When installed, the equipment should be checked to ensure it performs correctly
            2. Tapes (if used) should be of good quality
            3. The maximum number of passes is 13 times
            4. The medium on which the images are recorded should be cleaned to prevent recording on top of previous images
            5. The medium on which the images are recorded should no longer be used if there is a deterioration in the quality of the images
            6. If the system records location of camera, date, time etc. these should be accurate
            7. There should be a documented procedure for 5 above
            8. Cameras should be sited only where they will capture relevant images
            9. If automatic facial recognition systems are utilised, the database of images should be clear
            10. A human operator should assess and determine the action to be taken to verify matches made by automatic facial recognition systems
            11. The assessment in 9 above should be documented regardless of a match on the data base
            12. Consideration must be given to the physical conditions in which the cameras are located
            13. Operators should assess whether real time or specific timed recordings are required
            14. Cameras should be properly maintained and serviced
            15. Cameras should be protected from vandalism (if it is a likely problem)
            16. A maintenance log should be kept
            17. If a camera is damaged, there are clear procedures for:
              • Defining the person responsible for making arrangements for ensuring the camera is fixed
              • Ensuring the camera is fixed within a specific time period
              • Monitoring the quality of the maintenance work


            CCTV Information

            Comment

            • #7
              Originally posted by natweststaffmember View Post
              They are not an account holder and their original thread stated that their bank suggested it was only used to monitor vandalism and that they had no case with the police. They were telling the original poster that they had lied or someone else took the money yet there was nowhere for them to turn. It is apparrently not a crime for someone to gift accidentally £250 for example, by not picking it up from the ATM and prior to the notes retracting.
              This is nonsense and the bank need to be made aware of their responsibilities when they choose to operate a CCTV system.

              The rules are quite simple. they must let people know that they are in an area where CCTV surveillance is being carried out, regardless of its purpose and they cannot deny a Data Subject their statutory rights by being evasive about the reasons for installing and operating the system.

              Comment

              Previous Next

              View our Terms and Conditions

              LegalBeagles Group uses cookies to enhance your browsing experience and to create a secure and effective website. By using this website, you are consenting to such use.To find out more and learn how to manage cookies please read our Cookie and Privacy Policy.

              If you would like to opt in, or out, of receiving news and marketing from LegalBeagles Group Ltd you can amend your settings at any time here.


              If you would like to cancel your registration please Contact Us. We will delete your user details on request, however, any previously posted user content will remain on the site with your username removed and 'Guest' inserted.

              Announcement

              Collapse
              No announcement yet.

              Court Claim ?

              Guides and Letters
              Loading...



              Search and Compare fixed fee legal services and find a solicitor near you.

              Find a Law Firm


              Working...
              X