CH214200 - How to do a compliance check: records: CCTV - Obtaining, copying and viewing overt CCTV footage in a civil compliance check

Introduction

HMRC is responsible for obtaining evidence of tax evasion and taking the necessary action through a civil compliance check. You should consider the many different approaches that are available. Obtaining and viewing CCTV footage is just one of these.

CCTV footage is considered to be a document - see Part 7 Chapter 1 Finance Act 2008 and CH23320.

Information recorded by CCTV, like all data, is subject to both legal and policy constraints and considerations. To meet legal requirements, HMRC’s use of CCTV in a civil compliance case must comply with the provisions of:

  • the General Data Protection Regulation (GDPR) (This content has been withheld because of exemptions in the Freedom of Information Act 2000)
  • Article 8 of the European Convention on Human Rights on the right to private life

and public law principles of reasonableness and proportionality.

When this guidance applies

This guidance applies to the obtaining of a copy of CCTV footage that:

  • is routinely and overtly recorded, for example, with ‘CCTV in operation’ signs displayed
  • does not target or track a person

Obtaining such recordings is unlikely to require a Directed Surveillance Authority (DSA).

It gives information about the process of copying and removing CCTV footage from a business’s premises to support already identified risks in a civil compliance case.

This guidance does not apply to cases where HMRC wishes to ask a third party to target or track a person covertly using their CCTV. In such cases, you must seek advice from the Central Authorities Bureau (CAB) as a DSA is likely to be required. (This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Directed Surveillance Authority (DSA)

Before requesting CCTV, you must consider whether you need to seek a Directed Surveillance Authority (DSA) under the Regulation of Investigatory Powers Act (RIPA).

A DSA is required when surveillance is:

(i) covert

(ii) likely to obtain private information

(iii) conducted as part of a specific operation or investigation

(iv) not carried out in immediate response to events.

Only when all of these requirements are met will a DSA become necessary.

If CCTV targets a specific person without their knowledge, or if you are building a profile of a person’s movements without their knowledge by obtaining a volume of CCTV footage, then a DSA will be required.

If you are obtaining any of the following:

  • CCTV footage that focuses on a particular individual
  • large volumes of CCTV footage
  • CCTV footage from multiple sources

you should consider whether a DSA is needed and take advice from CAB if in any doubt.

For more detailed guidance, see the RIPA Surveillance Codes.

If you are certain that no DSA is needed, you must make a record of your decision and the reasons for taking it. You should retain that record.

(This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Any CCTV footage you view must be pre-recorded. You must not view live footage in real time.

Requesting and securing CCTV footage

Officers conducting a civil compliance check may:

  • request access to, inspect and check the operation of, any computer and any associated apparatus or material which is or has been used in connection with a relevant document
  • request permission to copy internal CCTV footage – make sure to accurately record the request and any associated correspondence in your notes
  • if required, request a copy of the CCTV footage within a Schedule 36 notice.

If a business claims compliance by providing records and allowing access to other systems such as EPOS, requesting CCTV footage may not be considered proportionate given the time and costs involved in downloading footage, be that by HMRC officers or the customer themselves. Only when a business has admitted not retaining the appropriate records might it be proportionate to obtain any CCTV footage which is available to establish the level of trade.

The Systems and Data Compliance Team (SDC) will support visits where a CCTV uplift is required. Any duplicating of CCTV footage must only be conducted by a trained SDC officer. To use this service, you should make a request through the Single Service Portal (SSP) in Excel SEES. Each work request will be considered on a case-by-case basis. If CCTV uplift is not considered appropriate, SDC will give you details in their response.

Although SDC will be there to support visits to uplift CCTV footage, they do not have the resource to analyse footage. You will be responsible for analysis of the CCTV footage they deliver to you.

Before requesting permission to copy and remove CCTV footage, you must first make sure that:

  • you have contacted SDC to confirm an officer is available to provide assistance
  • HMRC has the appropriate software to view and if necessary retain whatever information is being provided.

If a customer gives you CCTV data on USB without the need for an uplift, then SDC will need to carry out the necessary virus checks. You will need to make an SSP work request and a local SDC officer will make arrangements for virus checking.

Footage on USB will need to be checked for viruses whether provided by the business or obtained by HMRC. It normally takes about 6 seconds to check one hour’s footage.

Downloading CCTV onto a USB stick is a lengthy process. Typically, it takes one hour to download a day’s footage from a single camera. You should take this into account when considering your options.

It is your business area (not SDC) which must cover the cost of providing a USB to copy any footage.

The format of CCTV footage will depend on the age of the recording equipment used by the business. AVI format is compatible with Windows Media Player which is installed on most HMRC devices. This enables caseworkers to view footage from their own devices and needs no conversion.

Data-gathering powers

For information on data-gathering powers, see:

CCTV footage you obtain will usually be held to support identifiable risks such as suppression of sales and will therefore be very recent. A business will not normally retain footage for a lengthy period of time. In the unlikely event that historical CCTV footage exists and it is reasonable and proportionate to request it, see the guidance at CH28260.

Retention policy

You should refer to your business area’s retention policy for guidance. If nothing specific is available, the standard SDC guidance for dealing with Electronic Point of Sale (EPoS) data notes is to retain information for 12 months, unless advised of a need to retain for longer.

SDC data is retained in a CAF with access limited to SDC and Data Conversion and Analysis Team (DCAT) staff only. It would be sufficient for other business areas uplifting this type of information to adopt the same policy, though retaining data in the document store of your case management system, e.g. Caseflow, should be the norm.