CCTV and GDPR
Is Your CCTV System Justified?
If you are placing cameras around the perimeter of your site to detect intruders, it should be easy to justify this. If you have installed a camera to monitor employees, then it is not straightforward, as this is seen as an invasion of privacy. If you can prove that the cameras are there for health and safety reasons, highlighting incidents in the past, that may be acceptable.
What Images Will Be Captured And Why?
When you are capturing images where someone would expect privacy, you must justify the need. For example, in rest areas or just on a public walkway, an obvious level of security incidents must be proven to allow for these cameras.
You Must Inform People Of CCTV Presence
The purpose for which the data is being collected should be clear. This is especially important if the purpose is not obvious. If it is for employee monitoring or health and safety, this needs to be highlighted to the persons being captured by the cameras. Signs highlighting CCTV use and giving a contact number for anyone wishing to follow up are sufficient. You should add it to your privacy notice and be clear about how long the images are kept for.
Good advice: record on a loop and only keep images for a couple of days; they are then overwritten.
A Data Controller Needs To Justify Reasons For Storing And Retaining Data
Organisations should have a retention policy. They should only keep the images for as long as necessary to meet the purpose of recording them. It is generally about 30 days’ retention. If you feel you need to retain CCTV data for longer, then your risk assessment inside your data protection impact assessment (DPIA) should state how long and why.
Subject Access Requests For Personal Data
GDPR states ‘Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage.’
So, anyone who is captured by your CCTV cameras has the right to request that footage, as it is seen as personal data. They must follow a procedure, but are perfectly within their rights. If any other individuals are visible in the footage, a footage redaction service needs to be provided, i.e. the faces of the other individuals must be blurred out.
Supply Of CCTV Images To The Police
The police may request footage from you and you may supply this, but always ensure it is followed up by a written request on police headed paper. Police will often just want to view the footage on the premises of the data controller or processor; this action would not raise any concern for data protection.
Responsibilities Of Security Companies
Security companies act as data processors under GDPR. ‘Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place and what verification procedures may apply.’
Ensure that any subcontractors working on your behalf, e.g. security companies or CCTV engineers, follow this procedure. You will be open to data breaches if a third party can distribute, or remove, personal data in the form of CCTV images without following the above procedures.
What Must A CCTV Operator Do?
Make sure someone in the organisation has responsibility for the CCTV images, deciding what is recorded, how images should be used and who they should be disclosed to.
Have clear procedures on how to use the system and when to disclose information.
Make regular checks to ensure the procedures are followed.
A reputable security service provider will automatically adhere to all GDPR regulations. Ask the system provider for their policies in relation to GDPR.
Taking the above into consideration, many companies need to look at their security arrangements and ensure there are no likely breaches of regulations. An innocent oversight could result in a penalty for your business. It is no longer acceptable to ‘not understand’ or ‘not be aware of’ the laws associated with CCTV systems.