CCTV in the space

I am coming to the conclusion that Hackspace cannot feasibly not have CCTV anymore.

There are three main reasons we ought to have CCTV:

Assault/harassment
CCTV will help protect the victim. It can also help prove innocence in the case of false accusations being made.

Our space is extremely quiet most of the time, and it has been asked on new member tours I’ve given before if we have CCTV given how quiet it is.

Prevention of theft/crime
Since January, more and more items have been going missing from the space, some returned after months, others never to return. The space is currently extremely vulnerable to theft. Unfortunately it appears the theft is being perpetrated by members themselves. Hopefully this will act as a deterrent.

Health & Safety
If someone were to have a bad (hospitalised)/fatal accident in the space, an investigation would take place and the space would likely come under a lot of scrutiny. If we had CCTV the space would be able to use its insurance to pay for legal support in the case of a member grossly misusing equipment.

There is also a small chance someone could injure themselves somewhere away from the space, but then claim it happened in the space in an attempt to sue us.

Privacy

We hear members’ concerns about privacy and their right to use the space without feeling watched. A correctly written privacy/data protection statement could outline that the CCTV would only be used in the three events outlined above.

Except in the case of gross misuse (e.g. total destruction of the equipment), we are not proposing the CCTV is used to see who didn’t sweep up the dust, or who broke the mug. The board have neither the time nor interest in pursuing this sort of thing.

CCTV in the space would be governed by GDPR and data protection laws. There would be protections in place to prevent misuse by the board or any other bad operators. There would also need to be a data protection officer for the space. This is a legal role and you would be able to complain to the ICO if you were dissatisfied with how your data is handled by the space.

I’d like to begin this discussion here, so I can raise it for a vote at the AGM.

4 Likes

I’m in support of CCTV as the issue of theft has become much more of a problem recently and has begun to sour members’ trust in the space.

In the past, discussions on CCTV have limited a camera to either side of the main door. I’m assuming by the wording that the intent here is to now have cameras throughout the space covering all the areas?

Hi Mark,

Yes, correct, I’m proposing cameras throughout the space. A 16 channel system would probably suit us well. It sounds a lot of cameras, but we have 11 rooms/spaces within the space to cover (excluding toilet).

Here’s a first draft of the system locations:

A system like this would cost £350 including 2TB hard drive.

2 Likes

Generally in support, provided details of how the protections for privacy will work can be outlined, e.g. ensuring process for only accessing recordings for specific and agreed scenarios is followed. Would be similar level of privacy as, say, going to the library, which I’m comfortable with.

A shame it’s come to this, but sounds like it could be time to try it. I do have questions though which will need considering before it gets installed

  • I note that the link you provided only has 12 cameras, so for your proposed plan, 4 additional ones would be needed. Also does the cave and vestibule need a camera?

  • I’m absolutely against anything which has remote monitoring, so this would need to be air gapped from the internet and this be made clear.

  • The equipment will need to live in a locked box, we have one in metalwork which isn’t being used, for example. Who has access to the key will need to be managed, ideally in the membership system alongside the current key holder list (I’m happy to update the code as needed to accommodate)

On privacy:

It’s important the privacy policy considers a suitable retention length that isn’t just the maximum we can store on the hard drive. 2 weeks for example would be a sensible amount of time.

You’ll also need to be aware that members can and will notice and report any non-compliance with the regs, possibly at great expense to the space in the event of a fine. Given the space can’t pay its business rates on time I have concerns that this additional layer of compliance will not be achieved - even with a dedicated role for it. On the topic of the role, how does the board plan to recruit for this role? And what responsibility or liability will that person undertake? Will they be or need to be a board member?

It’s a shame that it’s come to this, but I’d be able to support it if it was done on a review basis, with a review after 6 months where members can say whether they’ve seen a difference and feel comfortable with the cameras, and whether the system should be maintained or turned off. I say this because I don’t know if I’d feel comfortable with it until the cameras are up and I’m pottering about the space.

If there was a review period with a member vote at the end of it, I’d provide my support.

1 Like

We need to be clear, that whilst we would be recording video, audio cannot be recorded under any circumstances, it would be a significant DPA breach to do so.

Also, for businesses using CCTV, an annual fee is payable to the ICO for any CCTV systems in use.

The front door camera may be better placed internally facing the back of the front doors, external cameras fall under scrutiny of public rights violations.

Lastly, we need to be mindful of anyone undertaking legally acceptable project work subject to potential future patent applications, recording that information could invalidate a patent application unless we agreed to delete the recorded information, or an exception to recording by agreement was reached.

1 Like

Front door cameras: Yes please, I’m always a bit uneasy at night as we cannot easily see around the sides of the doors. A few years ago the door had a screen next to it showing the blind spot outside and it was very helpful when working late. I’d be happy if this was re-implemented.

However, indoor cameras I’m still sceptical about. It’d be more reassuring if these were (as mentioned above) not recording audio and properly airgapped from the internal network, and that the system handling it can only be accessed by the board members.

1 Like

Thanks all for the comments so far. Keep them coming!

Ed, the library point is a good way of thinking about it. Yes we would need to come up with a specific information access protocol. The reasons for access would essentially be the three I’ve listed in the post.

Correct Connor, the link was more just a quick example of what’s available. Though I had missed that it’s a 16 channel system but only has 12 cameras. I’ll have a proper look at a later date before going ahead with any purchases.

Good point on the locked metal box and we’ll have to see what’s available in terms of auto-delete systems.

A few people have mentioned about the air-gap, so it’s definitely something we’ll consider.

Correct about members being able to report us, I mention this in my post. The ICO mainly work to educate rather than penalise, so I don’t think there is a large risk of the space being fined, only if we were doing something BLATANTLY ILLEGAL. Yes we would need to make sure we were doing things in line with their guidance though.

The part about who will become the DPO has not been thoroughly discussed just yet, as we wanted to float the CCTV idea first, but it will be addressed before installation.

Due to the time, financial and admin effort of getting this going, I don’t think we’d be proposing a review period. It would either be approved and installed, or not.

Jim, correct, I’m aware of the ICO requirements, hadn’t put thought to the audio recording, but it hadn’t occurred to me this would be recorded. To confirm, I wouldn’t be intending on an audio system. Good point on the camera facing the door.

On the point of patents etc. Again due to admin burdens, I think we would operate more on the lines of members needing to be mindful there is CCTV, rather than us being mindful of members.

My initial thought is that CCTV access will be managed by two board members and an ‘independent’ (but reliable) member.

On the point of patents etc. Again due to admin burdens, I think we would operate more on the lines of members needing to be mindful there is CCTV, rather than us being mindful of members.

Fair point, but there is an equal requirement for the space to be mindful it’s not violating copyright associated with an individual’s work.

I’ve attached a PDF as guidance, whilst members aren’t employees, the legal aspects, that is the associated laws still apply, and would have to be rigorously tested to demonstrate the requirements for CCTV in some of the selected areas, to prove the necessity of CCTV over other means of security, or protection.

National Protective Security Authority | CCTV within the workplace

Cheers Jim, this looks like a useful guide though unfortunately it does increase the amount of documents I have to type up! 😅

What are your thoughts on the CCTV over other means of security bit? Given I’m proposing the CCTV for three reasons:

  • Prevention of theft/crime
  • Health & Safety
  • Assault/Harassment

I can’t really see any other solutions for the Assault/harassment clause, and I think we’d struggle to justify much else for the other two without there being a significant constant effort on the board’s part.

Unfortunately there’s an enormous amount of admin to do as both pre-assessment and policy documentation.

The space has proposed CCTV for the points you’ve listed, you will, as part of the pre-assessment checklist/documentation, have to state all “reasonable” alternatives, their impact, and if CCTV is the proposed solution, why it specifically is needed over the other options.

This of course applies to areas such as entrance ways, corridors, walkways, etc, anywhere a person is not usually permanently based, or seen to either rest or work.

With respect to designated communal areas, work areas, and/or break areas, CCTV would fall under scrutiny of article 8 of the HRA, as stated in the aforementioned guide, in which case, direct consultation with the ICO would become relevant.

I’ve just taken part in a similar project with one of the companies I’m currently working with, the limitations of applicable areas is/was severe, the company wanted cameras in work areas, but was instructed specifically not to by the ICO on the grounds of those in the guide.

I’m not against the policy by any means, however, the space must be absolutely certain in its correct application, ignorance of the law is no excuse, neither is attempting to hide anything acceptable.

The ICO punishes companies regularly up to approximately 4% of annual turnover on a per case basis, that is, each individual person affected would be a single case.
As we have a significant number of members, any who have or could access the space following implementation would make a large multiple that the space is unlikely able to afford, so best to get it right from the start ☺️

You may well be able to install CCTV over the machinery in metalworking, however, it would likely have to be positioned above the machines, narrow field of view, and not be able to identify the individual directly, that is, their face masked out.

To overcome the limitations of identity, that is, establishment of someone causing damage to a machine, this could be done with RFID access to the machine, therefore, you’d be both compliant with respect to law in respect of CCTV, and still be able to identify the operator.

Thanks Jim. Any chance you’d like to assist us with the documentation?

Unfortunately, having just finished completing one lot for a rather large global plc, I’m not really in a position to start another lot, I simply have neither the resource, nor the time, it’s several weeks worth of work, and the space has far more to do before the CCTV policy can be assessed and implemented.

For starters, a Data Protection Officer needs appointing, this isn’t a trivial matter, following appointment, they will need to both register themselves with the ICO as the space’s DPO, register the space, and provide copies, signed, of all the space’s statutory data protection policy documents.

Following successful acceptance, they will then need to make a pre-application request regarding CCTV implementation, with signed copies of the proposal, and the aforementioned assessments, potentially at cost.

If the ICO agrees with progression, then the formal documents will need to be submitted, accepted, and the corresponding fees paid.

This could take days or weeks, and until signed off by the ICO, no changes could be made in respect of CCTV, they will likely provide a list of acceptable hardware, or specifications for the space too, due to the nature of the business.

To add, regarding theft for example, walkway, or door cameras could clearly show an individual entering the premises, with or without property, and likewise, leaving with additional items.

If those items carried on egress were not present on the individual during ingress, and of a similar size or shape to subsequently missing items, that would procure the required burden of proof for the police to be able to undertake an investigation.
They would also welcome CCTV as a minimum to begin an investigation of theft, and would use the above tests to establish the need.

Bearing in mind both damage to equipment, or theft of items not owned by the respective individual, or for which the space, or another member, can provide evidence of purchase, and ownership in their own right, would constitute a criminal matter.

In light of which, the matter would meet the necessity of being reportable to the police, and the space would need to do so promptly, and cooperate fully.

If the space failed to do so, then the individual could be in a position of citing harassment, defamation of character, and/or violations of human rights, whereby having the correct documentation and registrations would be of significant benefit, in terms of demonstrating the presence of CCTV for those purposes, and showing the cooperation with the police for the purpose of legal investigation.

Having cameras on the exits would seem most sensible to me in order to deter against theft. If we have a DVR that has an input, we could connect it to the doorbot and a door sensor, which would mean entries and exits would be flagged on the DVR which might make it easier to review if the footage does need reviewing.

It’s quite common to have cameras on exits, and it would mean we would only need 5 cameras (4 if we don’t include the black door to the staircase which is currently obstructed by large projects)

I’m not across the legal side, but I like the idea of CCTV in work areas to cover assault/harassment. I think this would make people feel safer using the space during quiet times.

As I mentioned at the last AGM (and we voted in favour of the principle of installing one outward facing camera at the time) I am strongly in favour of CCTV too. This was initially in response to concerns of crime occurring immediately outside the Hackspace, and whilst I would have privacy concerns about installing cameras inside the premises I do understand why others would want them there. Few points I’d like to add:

  • When I looked into this after the last AGM, it was clear that this was a complex legal situation (and the conversation here has made it clear too). I am planning to raise this at the AGM, but the best thing to do would be to contact a consultant who can advise/do the paperwork for us. For example: https://www.bridgetechnicalconsultants.com
  • With regards to patent protection/copyright and other forms of intellectual property from those who have access to CCTV. The best way to solve this problem would be to formally include a clause in the Hackspace membership that explicitly states that the Hackspace does not have the right to claim ownership over any member’s intellectual property. I know that some universities do this for their makerspaces for example.

As I wrote previously, there are legal requirements we must undertake before proceeding with either purchasing or installing CCTV.
The following is clearly published information regarding this, and based on the intended use, we have no choice as an organisation:

https://www.gov.uk/data-protection-your-business/using-cctv

Just got off a very useful call with the ICO. They had a chuckle at some of the things on here, which is a good sign for us.

They said they have lots and lots of free guidance for small organisations like ours and that they’d be really surprised if we needed to employ a data protection consultant. They were stressing that the chances of us getting fined are essentially zero, we’re too small, and we would literally have to be trying our best to breach everything to get a fine. E.g. Selling members’ data on eBay.

We essentially need to just have a data protection statement explaining what we have, why we have it, what we do with it and when we delete it. On top of that we also need to keep the data secure, which has been discussed here - airgap and locked in a box, with a record and reasoning for who has access.

Yes, it is a legal document, but using simple English is fine. We’re not a large organisation and we’re not going to be in big data protection legal battles, so we don’t need a bombproof document, just one that lays out what I said in the last paragraph.

Some other good news is that as a small organisation we don’t need a data protection officer, we just pay a licensing fee of £35 a year via direct debit. We then just have a contact, which can be ‘the board’ who people can contact with any issues. It does not need to be a named person.

If this all gets approved at the AGM we can put together the documents and book a free 2 hour audit of our documentation with the ICO where they can review and advise if we’re doing stuff correctly. But the advice line said even that would be overkill for our organisation.

To summarise the phone call, yes data protection is important, but it’s not that hard to do it right. The expectations of us as a small organisation are very very different to the expectations of a large organisation monitoring their employees etc.

1 Like