Tony Porter encourages the health service to comply with the surveillance camera code of practice.
Many thanks to National Association for Healthcare Security (NAHS) for inviting me to speak at this event today.
I intend to discuss:
- my role
- relevance to NAHS
- national surveillance camera strategy for England and Wales
I am really pleased to be here – and that is not just a standard line.
There is some background to this as I’ve spent the last 3 years trying to promote better use of surveillance cameras not only across the healthcare estate but across police, local authorities, transport sector, universities, pubs and clubs and retail.
Across most sectors – huge success. Across NHS – not much.
So when I say I’m really pleased you can start to get the feeling that I might just be – OK – and a little frustrated.
But first – my role.
You may think from what I am about to say that I am anti surveillance – I am not. I am anti bad surveillance – surveillance that shouldn’t be there, is badly run, its data isn’t protected, its presence isn’t reviewed frequently.
In my previous occupation I was a commander in charge of counter terrorism at New Scotland Yard for the Olympics and prior to that head of the North West Counter Terrorism Unit. I was also head of intelligence at Barclays Bank so I really get surveillance.
I was appointed by Home Secretary in 2014 but am independent from government.
I oversee compliance with the surveillance camera code of practice – it contains 12 guiding principles which if followed will mean cameras are only ever used proportionately, transparently and effectively.
My remit applies to England and Wales and my role is 3-fold to:
- encourage compliance with the code
- review the operation of the code
- advise on any amendments to how the code should develop
I submit annual report to Home Secretary which is laid before Parliament.
Relevant authorities (police, police crime commissioners, local authorities and non-regular police forces) must pay due regard to the code.
Within Protection of Freedoms Act and code my role is to encourage voluntary adopters – more of that shortly – it’s where you come in. NHS Trusts, NAHS will class as organisations that might voluntarily adopt.
And here’s the payload – if organisations follow the code, they will not only be able to reflect that they operate an efficient and effective system, that is transparent, but importantly that they will be complying with the Data Protection Act, where you are at risk of extremely large fines from the Information Commissioner’s Office (ICO), and other regulatory issues - compliance with Security Industry Authority (SIA) guidelines etcetera.
I have called however for government to expand its list of relevant authorities to capture organisations such as this. Surveillance, in public space, where such sensitivity exists creates an overwhelming argument for compliance. This is a view adopted by my colleague, the former Information Commissioner, during the Protection of Freedoms bills consultation phase.
The government wants an incremental approach to the regulation of surveillance cameras in England and Wales. So how does that look since introduction of my role?
- local authorities – a relevant authority – have uplifted from 2% demonstrating any British Standard to 85% compliance with the code – outstanding
- police forces – a relevant authority – slowly gaining traction; the Met has 22,000 body worn video cameras and are moving towards compliance via my certification scheme (more of that in a bit)
- drones – tick – movement; Devon and Cornwall have just been awarded my certification mark
- automatic number plate recognition (ANPR) – National Police Chiefs’ Council (NPCC) lead has written to all forces requesting compliance – target 100% self-assessment completion in 18 months
- Transport for London (TfL) – 20,000 plus cameras voluntarily adopted the code because they recognised importance for reputation and integrity of its operations
- Marks & Spencer – a voluntary adopter – have attained full certification across 600 stores, distribution centres and head office buildings
- universities – they get the imperative – attract students on grounds of safety and security; it sets a standard and we are seeing many universities adopting the code
Why is NAHS Important?
There is a wide increase in the use of technology in general such as automatic facial recognition (AFR), body worn video (BWV), automatic number plate recognition (ANPR), unmanned aerial vehicles (UAVs). All of which are or will be used across NAHS and trusts in due course.
All these can provide massive benefits to your organisation and society in general:
- AFR – patient and carer access to designated area
- ANPR – parking across NHS estates
- BWV – for local security – protection again of carers and public visiting
All such surveillance platforms have potential for privacy invasion – of the highest order. Let’s just do the numbers:
the total annual attendances at accident and emergency departments was 22.9 million in 2015 and 2016, 22% higher than a decade earlier (18.8 million)
there were 15.9 million total hospital admissions in 2014 and 2015, 31% more than a decade earlier (12.1 million).
the total number of outpatient attendances in 2014 and 2015 was 85.6 million, an increase of 4.4% on the previous year (82.1 million)
there were 1.836 million people in contact with specialist mental health services in 2014 and 2015. 103,840 (5.7%) spent time in hospital
there were 67,864 physical assaults on staff reported to NHS Protect in 2014 and 2015
Examples of getting surveillance wrong and potential impact
Operation Champion – an operation established by West Midlands Crime and Terrorism Unit to develop a ring of steel (of ANPR cameras). This was done without apparent transparency and, despite costing £3 million was never operated.
Edward Snowden and the Investigatory Powers Bill – comments on surveillance that is the different side to the same coin. Surveillance by state agents should be operated with the highest level of discretion and integrity.
How many people here, whose organisations use BWV or ANPR would testify that these systems are run to the highest levels?
OK – it’s rhetorical but I guess you probably don’t have that level of reassurance. And you’re right not to.
The question is how do we achieve the correct balance?
So, what have I tried to do?
We have worked with the Chair of the NHS Protect Security Group to seek to weave in voluntary adoption of the code – as we have successfully done in an ever growing number of organisations.
The annual security standards review group, for a second year voted down the proposal to require all trusts to complete my self assessment tool.
There was considerable argument and debate around the subject and it was ultimately rejected on the grounds that we could not enforce compliance with none mandatory guidance.
The group stated that, were the guidance to be mandatory for the NHS then there would be no issue in NHS Protect policing the requirements.
Section 33 of the Protection of Freedoms Act provides the power to create a statutory instrument to include a new authority as being a ‘relevant authority’ for the purposes of the act and code.
To me this seems the only way forward. The chair of this group has tried to get NHS bodies to become voluntary adopters and failed as the NHS will only act on mandates, and so he has tried to make it a security management required standard and failed on the same grounds.
To that end, I have just written to government ministers suggesting that they should consider increasing relevant authorities to include the NHS for England and Wales.
Why? – I shall re-iterate.
Hospitals and other healthcare providers have many millions of people pass through their doors – both people who are sometimes at vulnerable points in their lives and the families and friends who visit. Staff are also subject to assaults – over 64,000 in 2014 and 2015. Surveillance cameras play an important role in maintaining public and staff safety, preventing and resolving crimes yet they are not subject to scrutiny and standards and therefore can we be reassured that they are fit for purpose and doing what they are meant to be doing.
Why shouldn’t the NHS be included in a mandate to raise the standards of surveillance camera use?
And it’s not like I am a nasty kinda guy – I don’t have any powers of enforcement. In fact, I don’t believe I require them – based on what I’ve seen, many organisations who are required to comply are complying or close to compliance. However, I believe it’s a real risk for the NHS to ignore the code and doing so would risk reputational damage through appearing unwilling to engage with the public or follow good practice.
Well it’s not all sweetness and light. I do use my annual report to Parliament to highlight compliant organisations and those with much to do. I can see that as an option with NHS to further persuade government to include NHS within the list if their is no uptake.
So, maintaining public confidence is an incentive for complying with the code.
And there’s no getting away from it: surveillance cameras are everywhere across the NHS. We are talking about hospitals, drop-in centres, pharmacies, surgeries, accident and emergency departments, clinics and car parks. This is a vast estate with much in the way of expensive technology and drugs in constant use that need some form of protection.
So, I think it is probably safe to say that surveillance cameras in the healthcare arena are here to stay. What interests me however, is that there is no indicator of whether camera use is compliant with good practice or legislative requirements or meeting any standards at all. Given the sensitivity of the personal data being collected, that concerns me and the ICO. I want to continue working with the sector to raise standards of use.
How to get your ship in order
In the 3 years that I’ve been in post one of my mantras has been ‘we must raise standards’ so I thought it might be worth highlighting a few successes from the past few years that we’ve had in that area:
- A self-assessment tool which is easy to use enabling any organisation using surveillance cameras in public places to identify where they are meeting the 12 guiding principles or where they are falling short – it allows them to develop an action plan to show due regard to the code; 85% of local authorities have completed the tool.
- NAHS organisations can start the process, complete the SAT and publish. Accept voluntary adoption and commit to raising standards. It does not rely on expensive consultants but good management. I do not expect surgeons to leave the hospital theatre to undertake this, I also know how pressurised the NHS is for cash and a myriad of issues. This should be undertaken by security and/or facilities management. You may find you save an awful lot of taxpayers’ money getting rid of rubbish that should have been removed years ago.
- A third party certification scheme where such organisations can apply to be assessed for compliance with the code by an independent certification body and if successful use the commissioner’s certification mark for 12 months or 5 years – an outward sign of inward compliance with the code. If M&S, universities and TfL can do it – should NAHS premises?
- A passport to compliance – formerly an operational requirement document that puts responsibility for system development in the hands of those that operate them. The passport to compliance will aim to reduce technical jargon to enable procurement experts within organisations to have the ability to properly hold suppliers to account, where non compliance of the code is evident. This is out for testing.
- A list of recommended British, European and international standards published on the commissioner’s website for CCTV operators, installers, maintainers, manufacturers as well as CCTV monitoring companies.
I could go on but I’m not one to blow my own trumpet.
So, we have had some good successes and you may be thinking – I know he’s consulting on a national strategy (I hope you know I am!) – things seem to be improving without one.
Well, the surveillance camera sector is massive and is an industry that will continue to grow – there was a £2,120 million turnover in the UK in 2015 on video and CCTV surveillance. That’s virtually enough to buy most Premier League football clubs!
Think about the surveillance camera industry and all the organisations and people that have a vested interest:
- local authorities
- police forces
- installers, manufactures, consultants and designers
- government and regulators
- members of the public
- all commercial and business sectors
The list goes on – all of these groups often (but not always) are working in isolation, independently of each other.
So, considering the amount invested in the sector and the many groups involved in keeping the public safe – some already working together, there is a need for an overarching, coherent strategy that underpins the use of surveillance cameras bringing together all relevant groups.
As I said I’ve been in post for almost 3 years now and during that time have been continually impressed by the support, encouragement and engagement across the range of stakeholders. What is clear is the energy for greater co-ordination to improve compliance and raise standards in the world of surveillance cameras. There is certainly an appetite for an over-arching surveillance camera strategy.
This approach was agreed by my advisory council in January and partnership working is at the heart of the strategy. There are 10 work strands all led by an industry expert giving up their time voluntarily to drive this ambitious strategy forward as one coherent plan for the surveillance camera industry.
And it is an ambitious strategy with long-term objectives and delivery plans which extend beyond 2020. My vision for the strategy is quite simple:
The public are assured that surveillance cameras in public places are there to keep and make them feel safe, and that those cameras are deployed and used responsibly as well as transparently in a manner which is proportionate to their legitimate purpose.
And I will do this by:
Providing direction and leadership in the surveillance camera community, to enable system operators to understand best and good practice, and then demonstrate compliance with the principles of the SC code and any associated guidance.
The strategy aims to provide direction and leadership in the surveillance camera community to help system operators to understand best and good practice as well as their legal obligations, such as those contained within the Data Protection Act and the Private Security Industry Act, and then to apply that understanding to demonstrate compliance with the principles of the code and any other associated guidance.
It will provide a blueprint and a delivery plan that will afford significant operational cost benefits, economies of scale, enhanced training opportunities and more focused direction for manufacturers and suppliers. The end result being a more transparent, efficient and effective approach to public space surveillance – benefiting the public who will be safe in the knowledge that surveillance cameras are there to keep them safe and protect them.
This is not the first attempt at a national strategy for surveillance cameras in England and Wales. The 2007 CCTV strategy attempted to do this with regard to CCTV. It was an ambitious, systematic and innovative approach but for a number of reasons much of it didn’t move from recommendations into delivery. Much of today’s strategy owes a lot to the remnants of the 2007 CCTV strategy.
As I said there are 10 work strands to this strategy each with its own objectives – I won’t go through these but you can find them in the draft strategy document.
But briefly, in consultation through their networks the strand leads have identified high level objectives. They each work towards and support achieving the vision and mission.
Each of the strategic objectives will have a supporting delivery plan setting out specific action and outputs which contribute towards achieving the strategic mission. The delivery plans are owned by strand leads.
This draft strategy has been 10 months in development, I’ve been working with the strand leads and many others to get it into shape and now we are ready to consult on it.
So, I welcome views from anyone whether they are an expert in the industry or a member of the public – the strategy is designed to benefit them so their input will be invaluable to making sure it meets their needs when we begin work on delivering its objectives in 2017.
The consultation is open now and you can submit your views via an online survey – the consultation will remain open until 6 December.
Once we have gathered and analysed responses we will feed them back into the strategy to make it even better and publish the final document and delivery plans in 2017.