Guidance

Third party certification guidance (accessible version)

Updated 13 March 2024

Introduction

The office of the Biometrics and Surveillance Camera Commissioner in conjunction with three UKAS accredited certification bodies (IQ Verify, National Security Inspectorate and Security Systems and Alarms Inspection Board) has a two-step certification process. The purpose of this guidance document is to explain the processes and the steps you need to take towards achieving the Surveillance Camera Code of Practice certification.

Background

The Protection of Freedoms Act 2012 introduced the regulation of public space surveillance cameras in England and Wales. As a result, the Surveillance Camera Code of Practice was issued by the Secretary of State under Section 30 of the Act to ensure that the use of cameras in public places is regulated and they are only used lawfully, in pursuit of a specified purpose and in a proportionate way. The code, like the legislation it supports, is enabling in nature and aims to balance the need for camera systems in public places with individual human rights such as the respect for home and private life, freedom of speech and assembly. The code applies to the use of surveillance camera systems that operate in public places in England and Wales, regardless of whether or not there is any live viewing, or recording of images or information or associated data.

The code states that a relevant authority ^{[footnote 1]} must have regard to the guidance in the code when exercising any of its functions to which the code relates. This includes the consideration of future deployment or continued deployment of surveillance camera systems to observe public places, the operation or use of any such surveillance camera systems, or the use or processing of images or other information obtained through the system.

As part of the Commissioner’s role to raise standards, he has a self-assessment tool on his website which enables organisations to find out how well they comply with the Surveillance Camera Code of Practice. Following on from that is the certification process that will enable organisations to be audited against the code by a third party with the view to receiving a certification mark and a certificate issued by the Biometrics and Surveillance Camera Commissioner. This process will help to raise standards in the industry and enable organisations to demonstrate their compliance with the code.

Certification will be scheme specific, so when you apply you will need to state what scheme you want to be certified for. For example, this could be a main town centre CCTV scheme, a housing scheme, an environmental surveillance scheme, a mobile or fixed ANPR site, Body Worn Video or drone deployment.

Who is certification for?

The surveillance camera certification process is available for any organisation that operates surveillance in a public space. This could be a small or large organisation that wants to demonstrate as part of its public accountability arrangements to demonstrate how it has complied with the Surveillance Camera Code of Practice and evidence good practice. This process is primarily for those that must have regard to the code – the regulated sector – and in particular the local authorities who own a large proportion of the systems within the regulated sector. Any non-regulated authorities or bodies can also apply for certification. If you are a voluntary adopter of the code, you are encouraged to apply for certification.

What are the criteria for Certification Bodies to offer SCC certification?

There are a number of criteria that a certification body must meet before it can offer certification against the code.

The criteria for the certification bodies are as follows.

The certification body:

1. Must be UKAS accredited against the current ISO/IEC 17065 to provide product conformity certification in relation to BS7958 for Closed-Circuit Television (CCTV) Management and Operation.

2. Must provide the Commissioner with recent examples of a certification report for product conformity in relation to BS7958 as well as the checklist and/ or reference material used during audit.

3. Will need to assure the competency of each member of their audit team who would conduct any assessments in relation to the Surveillance Camera Code of Practice (this could be through qualification or samples of the auditor’s relevant reports).

4. Should provide details of relevant fees and charges as well as the potential amount of time that will be allocated to the audit. In addition to the above the certification bodies will need to meet the conditions outlined in the framework document.

What’s in it for me?

Any organisation that successfully achieves certification will be awarded a certificate of compliance from the Biometrics and Surveillance Camera Commissioner and will be able to make use of the Commissioner’s certification mark on their website and other communications to indicate their compliance with the code. This will go a long way to reassure members of the public and other organisations that your organisation is complying with the code and its high standards when using surveillance camera systems and the information gathered from them in the appropriate manner. In addition, a list of organisations achieving certification will be published on the Commissioner’s website and may be referred to in the Commissioner’s reports.

What steps do I need to take?

1. Decide on what type of certification you want:

• step 1: desk top certification
• step 2: full certification

Whatever step you decide to apply for, you will need to complete and submit the self-assessment tool to one of the certification bodies as well as having the documents listed below available should they be requested. The information you provide will enable the certification bodies to assess your readiness for certification.

Documents required:

• completed self-assessment tool
• organisations code of practice
• information sharing agreements
• details on number of cameras the scheme has
• procedures manual
• Privacy Impact Assessments (if available)
• Operational Requirement (If available)

2. Contact any of the certification bodies that offer the Surveillance Camera Commissioner certification. The certification bodies will inform the Commissioner of your application for certification.

a. IQ Verify

b. National Security Inspectorate

c. Security Systems and Alarms Inspection Board

Step 1: desk top certification

The desk top certification is aimed at organisations that are working hard to achieve full compliance with the code but are aware that they need more time to become fully compliant. However, you must ensure that you are compliant with your obligations under the Data Protection Act 2018 and with the Human Rights Act 1998 and any corresponding human right obligations. This certification is valid for one year and is awarded with the understanding that within the year the organisation will work on putting measures in place to be in a position to apply for the full certification.

This process involves completing and submitting the self-assessment tool to one of the certification bodies. You will be required to confirm the availability of related evidence (see above). The completed form and documents will then be audited by the certification body who may contact you for more information before recommending your organisation to the Commissioner for Step 1 certification.

If you are recommended for Step 1 certification, you will be issued with a certificate of compliance from the Commissioner and a certification mark which will be valid for a year. You will receive a reminder to apply for full certification at the end of nine months and again at the end of the 12 months. If you do not apply for full certification, you will no longer be able to use the certification mark. However, in exceptional cases (such as waiting for funding approval etc.) you may be able to reapply for the desk top certification, subject to the discretion of the Biometrics and Surveillance Camera Commissioner.

Step 2: full certification

Full certification is aimed at those organisations that are close to or fully compliant with the code. This certification will be valid for 5 years, subject to an annual review of your system. As stated above, you will need to complete and submit the self-assessment tool and have the relevant documents available for assessment. The certification body will then contact you to arrange a date for a full audit of your system.

The full certification process involves an auditor from one of the above-mentioned organisations visiting your organisation’s control room to audit the system, cameras and procedures working with a check list against the 12 guiding principles in the code. So long as you do not have any serious non-compliance issues the auditor will produce a report for the Commissioner recommending full certification. In some cases, you may be asked to make changes or put measures in place to address certain issues before you achieve certification.

If you are recommended for certification, you will be issued with a certificate of compliance from the Commissioner and will be entitled to use the Commissioner’s certification mark throughout the 5 year period subject to your annual review.

Annual review

The code requires you to complete an annual review. You will need to document this review and submit it to the certification body for a desktop review to ensure that you are still code compliant. (This will be subject to the same conditions as the Step 1 process). If the certification body identifies any non-compliance issues you will have six weeks to take the appropriate steps to resolve any non-compliance notices that may have been issued. The Biometrics and Surveillance Camera Commissioner reserves the right to revoke an organisations’ certification, for serious breaches or consistent non- compliance. Towards the end of the 5 years you will need to re-apply for full certification.

1. These are defined at section 33 of the Protection of Freedoms Act 2012. ↩