Commissioner’s speech at the Association of University Chief Security Officers annual conference on 6 April 2016.
Good afternoon. Many thanks to the Association of University Chief Security Officers for asking me to speak today.
I spoke at this conference last year so I must have said something right or nothing so bad that I wasn’t invited back. But seriously, thank you for inviting me back again – the work you and your colleagues do at higher education institutions is essential to keeping over 2 million students safe – not to mention staff.
My team and I have continued to work with the association over the last year looking at how we can encourage voluntary adoption of the surveillance camera code of practice amongst its members. Adoption of the code by universities and colleges is something your executive committee continues to commit to.
I won’t bore you with my background or much about the code – I covered that ground last year. You may also recall that last year I was encouraging you to complete our recently launched self-assessment tool and publish it on your website. Now we never asked people to tell us when they had done this so a quick show of hands – how many of you have?
Thanks. That wasn’t designed to embarrass anybody but I wanted to get an idea of who is showing outward signs of compliance with our code. Since I was last here we have launched a third-party certification scheme but more this in a few moments.
Surveillance in Universities/Colleges
Many universities in the UK are the size of small towns:
- University of Manchester: almost 40,000 students
- Cardiff: around 30,000
- University of Birmingham: almost 35,000
They are thriving, bustling places where people work, rest and, of course, play. With so many people attending colleges and universities they are not without their security risks as you will all well know. How do you keep that many people safe, how do you deter crime or even terrorism?
When you also consider that for many young people going to university or college is their first experience of living away from home. For new students it’s probably an exciting, lively and liberating time where they are free from the shackles of their parents and home. For their parents it’s probably worrying, daunting and perhaps also liberating!
Dare I say it but perhaps these youngsters’ minds might be on what’s going on at the student union rather than what they are studying for the first few weeks, or months, or years.
I doubt many freshers give much thought to their safety or who’s looking after them. Do they securely lock their laptops, smart phones and tablets away? Are their doors and windows secure, is the campus safe and who can they call in an emergency?
These sorts of things are probably not on their minds, or the minds of many students, until something happens that affects that. But for the millions of parents whose children are at university, away from home for the first time, I am sure that their safety is at the forefront of their minds and will continue to be for the duration of their courses.
Perhaps this is even more acute for the parents of overseas students? They want to know campuses are secure and safe from potential threats.
A well-thought-out and designed CCTV system can be an excellent weapon in the armoury of a university to show that student safety is of real importance to them.
At the same time, there are privacy issues to consider. Over the last 5 to 10 years we’ve seen an ever increasing interest in surveillance. We’ve seen the fallout from Snowden, the concerns about the data Google capture when we use their search engine and the smart TVs’ recording of everything in its owner’s home. Right now the draft Investigatory Powers Bill is before Parliament.
This interest in surveillance has seen groups such as Big Brother Watch and NO CCTV emerge. I would argue that one of the most surveillance-savvy groups is probably students – politically aware and interested in current affairs.
So, whilst CCTV can be the all seeing eye that watches over your campuses it cannot be at the price of a person’s right to privacy. The instances I just mentioned have all played out in the media and it’s not always good press.
Over the past few years I’ve seen articles in the press on the use of surveillance cameras in educational institutions too – schools, universities and so on. The press is invariably bad, focussing on where cameras have been deployed badly. Here are a few I remember:
Cameras put in school classrooms to monitor pupils and make sure teachers are working hard enough! The National Association of Schoolmasters Union of Women Teachers conducted research which showed that whilst two-thirds of teachers said cameras were introduced for pupil safety, 31% believed they were used to monitor behaviour standards and 15% thought they were to help improve teaching standards.
One interesting quote from the article was:
Now, in some schools, they [teachers] are being subjected to permanent surveillance through CCTV cameras. Lab rats have more professional privacy.
Another article covered a story where a school had put CCTV in toilets – the headmaster said it was to combat bullying and vandalism. The cameras faced the wash basins rather than the cubicles but parents and students alike were up in arms about installation of CCTV in such a private place in the school.
One final story was a London University who installed CCTV in prayer rooms. This was to make sure people feel secure and not vulnerable. However, prayer rooms are private, sensitive places and parts of the student body feel like they are being spied on, not protected – it has lead to a backlash and there has been national media coverage.
Obviously these are stories in the press so will have a certain slant – but what they have in common is that there appears to have been no consultation with those the cameras are there to protect or no privacy impact assessments carried out.
If you take the last example at the university, this draws some parallels with one of the catalysts for the creation of my role: Project Champion, a ‘ring of steel’ erected in a predominantly Muslim area of the Birmingham to monitor a terrorist threat. There was no consultation with the local community, who were outraged to discover they were all being monitored as potential terrorists. The system of around 200 cameras was never switched on and it cost around £3 million.
I’m not saying the cameras were installed in the prayer room to monitor potential terrorists but that is how it’s been portrayed in the media. I wanted to use those examples to illustrate that where surveillance goes wrong it can make a big splash and seriously dent the support of those who it’s there to protect.
And people generally are supportive of CCTV – a survey in 2014 indicated that 86% of people like CCTV – but that support can wane incredibly quickly if people feel they are being looked at instead of looked after.
You may think having listened to the last few minutes that I’m anti-surveillance but let me assure you I am not. I am pro-surveillance and I have first-hand experience of how essential CCTV can be in criminal investigations. I am pro-surveillance where it is good surveillance – transparent, effective and proportionate. But I am anti-surveillance where it is bad – badly thought-out, badly consulted on and badly managed. That is the surveillance we don’t need – get rid of it.
Third party certification
You may now be thinking:
I have a good scheme and comply with the surveillance camera code of practice and other relevant legislation such as the DPA.
If you do that’s great and you should be singing about it from the rooftops!
In November last year I launched a third-party certification scheme – it’s a scheme that will enable organisations to achieve certification against the code and use my certification mark. This mark will enable organisations to clearly show the communities they are monitoring that they comply with the relevant regulations. It’s a badge of honour that should be displayed proudly – an outward sign of inward excellence.
You may be thinking – why now? Well, I’ve spoken to and listened to a large range of the industry, particularly but not exclusively, the local authorities and police who are relevant authorities as stated in the code and they have always asked the question – how can I show compliance with the code?
Third-party certification provides the answer as it enables anyone that operates public space surveillance cameras to show they comply. This scheme supports my vision to uplift standards in the industry and improve public support for surveillance. It supports surveillance by consent – yes, people are monitored but it’s done transparently, effectively and proportionately.
My certification mark demonstrates this.
In line with my vision I have worked with certification bodies to develop a process that is simple, affordable and accessible to all organisations that want to evidence compliance to the code. There are currently 3 UKAS accredited certification bodies to carry out the process. This is to ensure that process is consistent and is completed to a high standard. The 3 bodies are the National Security Inspectorate (NSI), the Security Systems Alarms Inspection Boards (SSAIB) and IQ Verify.
The certification process allows organisations to be audited against the code. Certification is scheme-specific and a successful audit on one scheme will not guarantee a successful audit on another scheme run by the same organisation. Organisations will need to specify what scheme they are seeking to be certified against.
There are 2 steps to achieving certification. The first is a desktop approach which is aimed at organisations that are working hard to comply with the code but are not quite there yet. The second step is for those that are close to or are fully complying with the 12 guiding principles of the code.
The first thing to do will be to decide what type of certification you want to apply for. Whichever type you choose you must complete the self assessment tool which will enable you to understand how close you are to complying with the 12 guiding principles of the code.
Once you have completed the self assessment tool and you consider that you are ready for certification, you should submit your completed self assessment tool to one of the certification bodies as part of your application for certification. You will be able to find the contact details of bodies on my website.
The desktop certification will be a document audit of your self assessment form as well as other related documents such as your code of practice, information sharing agreements, privacy impact assessment and procedures manuals and so on, depending on what the auditing body requests. If you are successful you will be awarded a certificate which will be valid for one year. At the end of the year you will be expected to apply for full certification – if you don’t you are no longer certified against the code.
Full certification means that a physical audit will be conducted on your premises and if you are found to be compliant with the 12 guiding principles of the code you will be awarded a certificate that will be valid for 5 years subject to your own internal annual review.
For an organisation like a university, I think it is a no-brainer to apply for certification. This is not a sales pitch, it’s to ensure you and your staff are using systems that can greatly intrude on an individual’s privacy responsibly. It means you can evidence their compliance to the code by displaying a certificate and using the certification mark on your website and other publicity material.
Do you want to be the next media story? Do you want your students to feel safe but not spied on? Do you want parents to have peace of mind that their kids are secure?
I mentioned some figures around the number of students in the UK at the start of my speech. One final figure is that there are around 200,000 overseas students in the UK. I don’t know the fees they pay but I would imagine that it’s not an insignificant amount. Do they want to know campuses are secure and safe from potential threats? Could a perceived safer university or college see a greater influx of overseas students which may correlate to more funding? Can third-party certification help that perception?
You may be thinking I don’t have to comply with this legislation or code, and you are right. But in my recent review of the impact of the code I have recommended to ministers that consideration be given to expanding those who must pay the code due regard. Perhaps universities could be included in the future.
Two universities here today are already certified – Salford and Aston – so well done to them, I’ll be presenting them their certificates shortly. If you want first-hand experience of the process speak to either of them. I started off by saying many universities are the size of small towns – they are. Surely the rest should follow Salford’s and Aston’s lead in getting their surveillance camera systems certified.
Thank you. I’m happy to take any questions.