GDPR Implications for CCTV
Updated: Jan 29, 2019
Rising crime figures and ever more affordable CCTV systems (£300 buys a four-camera kit) have led many businesses, large and small, to invest in CCTV. The British Security Industry Association estimated that up to 5.9 million CCTV cameras were in operation in the UK as of 2015. Many operators, however, do not realise the legal obligations that come with this: in a 2017 survey of Irish businesses, carried out on behalf of the Irish government, up to 66% of respondents were unaware that the GDPR had any impact on their use of CCTV.
In fact, CCTV use in the UK is governed by four different pieces of legislation:
The Data Protection Act & GDPR, which regulate how personal data can be processed and moved, and how it must be protected.
The Freedom of Information Act (FOI), which regulates access to information held by public authorities.
The Protection of Freedoms Act (POFA), which regulates (among other things) how surveillance and biometric data can be used, and how these types of data must be safeguarded.
The Human Rights Act (HRA), which includes provisions regarding the right to privacy.
Getting it right matters. The ICO has toughened its regulatory posture, taking enforcement action to restrict the unwarranted and excessive use of increasingly powerful and affordable surveillance technologies such as CCTV. To help, both the Information Commissioner’s Office (ICO) and the Surveillance Camera Commissioner’s Office (SCCO) have issued codes of practice covering surveillance cameras and personal information. The codes are not themselves law, but they set out how the regulators expect the law to be applied, so if you are not following them the chances are that you are in breach of it.
So, what do you need to know and more importantly, do?
1. Does this Apply to You?
All businesses (and charities) that process personal data are bound by the GDPR, so even a small business must comply with the appropriate legislation. The only exception is purely personal or household use, e.g. a camera at your home. Even then, if your camera captures a public space (even partially), the footage may no longer count as a 'personal or household' activity and the exemption may not apply. A neighbour may also object to images of their property being recorded, and could bring a civil action if the placement of a camera that records their property infringes their right to privacy. What your cameras capture therefore matters as much as why you installed them.
2. Justify your Use
You must be able to justify why you collect or use personal data (here, CCTV footage) and identify your lawful basis for doing so under Article 6. A system that covers the perimeter of a building for security purposes is usually easy to justify; a system that continuously monitors employees, customers, neighbours or passers-by is harder to justify and may breach the GDPR. If the purpose is health and safety, you would need to show that the monitoring is a proportionate response to health and safety issues that arose before the system was installed, and that the same goal could not be achieved in a less intrusive way. Most importantly, all of this must be documented, ideally in the form of a DPIA (Data Protection Impact Assessment).
3. Transparency / Right to be Informed
4. Data Subject Access Requests (DSARs)
You are legally responsible for disclosing data to those with a right to access it (Article 15). Under the GDPR, individuals (data subjects) have several rights, including the right of access (your obligation to provide a copy of the CCTV footage in which they appear) and the right to erasure (provided the footage is not still needed for another legitimate purpose, e.g. an open insurance claim). As with much of the GDPR, it is important to document your reasoning and your processes. We therefore recommend a written DSAR (data subject access request) policy that explains how:
People request access (e.g. by sending an email to firstname.lastname@example.org)
You store your data, where you store it, how you can get access to it and how you will safely send it to your data subject (e.g. by secure email)
You establish a data subject’s identity (so that you are sure they are who they say they are and do not inadvertently send them someone else’s footage, which would technically be a personal data breach and might have to be reported)
You would redact information where necessary for example by blurring other people’s faces or vehicle registrations etc.
It is important to have all this worked out in advance because, under the GDPR, you have one month from receiving a DSAR to respond. That period can be extended by up to two further months where requests are complex or numerous, but you must tell the requester within the first month and explain why.
5. Appropriate Security Measures
You are legally responsible for protecting the personal data you collect. Article 5 requires that personal data be ‘processed in a manner that ensures appropriate security of the personal data’, and Article 32 that ‘the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’. Pseudonymisation (for example, replacing people’s details with reference numbers) and encryption are named as examples of such measures. The ICO does not mandate encryption, but it does state that ‘where data is lost or destroyed and it was not encrypted, regulatory action may be pursued’ – you have been warned!
This means that you should:
Ensure that data can only be accessed by authorised personnel and that it is stored securely, preferably encrypted and with physical protection such as a locked safe or cupboard
Keep an audit trail showing how the information is collected, what is collected and how it is used
Store the data only for as long as it is legitimately needed. For example, CCTV footage from a camera in a hotel’s restaurant can safely be removed after just a few hours since incidents in these areas come to light very quickly, whereas footage from a gym may need to be kept for months to comply with liability insurance requirements. Whichever it is, it’s important that subjects are notified of the duration and the reasons.
Dispose of data securely and responsibly so that it cannot be recovered. Note that deleting a file, or even overwriting it, does not reliably achieve this on modern flash storage; either physically destroy the media, or encrypt recordings and destroy the keys.
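The retention, audit-trail and disposal points above, as an added example that is not part of the original article: a small Python retention job that holds one key per recording, enforces the per-zone retention period written into the CCTV policy, skips recordings placed on hold (an open insurance claim, say), logs every access and deletion with who and why, and disposes of footage by destroying its key (crypto-shredding) rather than relying on file deletion. Zone names, retention periods, actor names, record identifiers and the stdlib-only cipher are all assumptions made for the example; a real deployment would use an AEAD such as AES-GCM and keep the keys in a KMS or HSM.

```python
"""Retention enforcement for CCTV footage: per-zone periods, legal holds, an audit
trail and crypto-shredding. Added illustration; zones, periods, actors and the cipher are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Retention per camera zone as written in the CCTV policy (constructed values).
RETENTION: Dict[str, timedelta] = {
    "restaurant": timedelta(hours=6),   # incidents here surface within hours
    "perimeter": timedelta(days=31),
    "gym_floor": timedelta(days=180),   # liability insurer requires months
}

def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Distinct encryption and MAC keys derived from the per-recording key.
    return hashlib.blake2b(b"", key=key, person=purpose, digest_size=32).digest()

def _keystream(ek: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.blake2b(nonce + i.to_bytes(8, "big"), key=ek, digest_size=64).digest()
                    for i in range(n // 64 + 1))[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """PRF stream cipher with encrypt-then-MAC: a stdlib-only stand-in for a real
    AEAD such as AES-GCM. The retention and key-destruction logic is the point."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, "sha256").digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(key, b"mac"), nonce + ct, "sha256").digest()):
        raise ValueError("authentication failed: wrong key or tampered footage")
    return bytes(c ^ s for c, s in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

@dataclass
class Recording:
    rec_id: str
    zone: str
    recorded_at: datetime
    ciphertext: bytes
    hold_reason: Optional[str] = None  # open insurance claim, incident, DSAR ...

class FootageStore:
    """Ciphertext and keys are kept apart (the keys dict stands in for a KMS/HSM)."""
    def __init__(self) -> None:
        self.recordings: Dict[str, Recording] = {}
        self.keys: Dict[str, bytes] = {}
        self.audit: List[dict] = []  # append-only, write-once storage in practice

    def _log(self, event: str, rec_id: str, actor: str, **extra) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                           "rec_id": rec_id, "actor": actor, **extra})

    def ingest(self, rec_id: str, zone: str, recorded_at: datetime, frames: bytes,
               actor: str = "recorder") -> datetime:
        if zone not in RETENTION:
            raise ValueError(f"zone {zone!r} has no documented retention period")
        key = os.urandom(32)  # one key per recording keeps disposal granular
        self.keys[rec_id] = key
        self.recordings[rec_id] = Recording(rec_id, zone, recorded_at, encrypt(key, frames))
        expires = recorded_at + RETENTION[zone]
        self._log("ingest", rec_id, actor, zone=zone, expires=expires.isoformat())
        return expires

    def read(self, rec_id: str, actor: str, purpose: str) -> bytes:
        rec = self.recordings[rec_id]  # KeyError once shredded
        self._log("read", rec_id, actor, purpose=purpose)  # who, and why
        return decrypt(self.keys[rec_id], rec.ciphertext)

    def place_hold(self, rec_id: str, reason: str, actor: str) -> None:
        self.recordings[rec_id].hold_reason = reason
        self._log("hold", rec_id, actor, reason=reason)

    def enforce_retention(self, now: datetime, actor: str = "retention-job") -> List[str]:
        shredded = []
        for rec in list(self.recordings.values()):
            if rec.hold_reason is None and now >= rec.recorded_at + RETENTION[rec.zone]:
                self._shred(rec.rec_id, actor)
                shredded.append(rec.rec_id)
        return shredded

    def _shred(self, rec_id: str, actor: str) -> None:
        # Key first: overwriting is unreliable on flash and copies may sit in backups,
        # but without the key the ciphertext cannot be recovered.
        del self.keys[rec_id], self.recordings[rec_id]
        self._log("shred", rec_id, actor)

def demo() -> dict:
    # Constructed scenario: three recordings made at the same instant, one on hold.
    store = FootageStore()
    t0 = datetime(2019, 1, 29, 12, 0, tzinfo=timezone.utc)
    for rec_id, zone in [("r1", "restaurant"), ("g1", "gym_floor"), ("p1", "perimeter")]:
        store.ingest(rec_id, zone, t0, f"{zone} frames".encode())
    store.place_hold("p1", "insurance claim 2019-001", actor="manager")
    dsar_copy = store.read("g1", actor="manager", purpose="DSAR 2019-002")
    first = store.enforce_retention(t0 + timedelta(hours=7))
    second = store.enforce_retention(t0 + timedelta(days=200))
    return {"first_run": first, "second_run": second, "remaining": sorted(store.recordings),
            "dsar_copy": dsar_copy, "r1_key_exists": "r1" in store.keys,
            "audit_events": [e["event"] for e in store.audit]}
```

Running `demo()` shreds the restaurant footage on the first pass (seven hours after recording), the gym footage on the second (200 days later), and leaves the perimeter footage untouched because of the hold; the audit trail records three ingests, the hold, the DSAR read and the two shreds. The key is destroyed before the ciphertext is dropped so that, if the file deletion fails or a copy survives in a backup, there is still nothing an attacker or a misdirected DSAR response can decrypt.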
Hopefully, after reading this article, you realise that deploying a CCTV system safely and legally is not as simple as clicking 'buy' on Amazon. At the very least, we recommend that you:
Document your legal basis and justification for the system, ideally via a DPIA. If resources are tight, at the very least use the short-form checklist that the ICO published in Appendix 2 of its CCTV Code of Practice
Have a publicly available CCTV policy and notices informing people of its use
Store data only for the minimum time needed, and keep it safe, ideally encrypted and locked away
Think about who you share the data with and where they are located to ensure that it remains safe and data subjects are adequately informed
Practice your response to a DSAR so that you know what to do
If you feel that you need help, Data Compliance Specialists offer a range of services from straight-forward advice through to completing all the necessary documentation and policies you need.