Data Privacy Consultant
Khadijat is a skilled and passionate data privacy professional who has been working in compliance processes with data protection laws since 2018. At Bridewell, she has taken her extensive compliance knowledge and implemented it across data protection programmes for clients around the globe. Before her time at Bridewell, she spent 3 years working in the NHS as an Information Governance Officer where she gained extensive experience in Data Subject Rights and Information Request Management.
CCTV is regularly used by both large organisations and your average person alike. But how many of us actually know the rules and regulations that surround public surveillance? The General Data Protection Regulation (GDPR) has a few requirements that need to be complied with if you plan to deploy CCTV on your premises. These rules can differ depending on whether the use is domestic (for your home) or it is being used within the workplace or to protect a public place such as a park or a location within a city.
CCTV footage often contains images of people. These images can be used to identify people and as such can be classified as personal data. This is particularly the case when the individual has distinguishable features such as a birth mark or tattoos which are visible in the images. As per Article 6 of the GDPR, in order to process personal data you need to have a lawful basis. The most common bases used for CCTV are legitimate interests and performing public tasks. The legal basis you use will be specific to your reasons for having video surveillance and collecting personal data. However, the rules aren’t the same if you’re using CCTV for domestic purposes to protect your home.
Domestic Use of CCTV
The UK GDPR does not apply if you have set up your home CCTV system to only capture images and/or audio within the confines of your property for purely personal or household activity. So everything from your front patio to the house and back garden is not subject to the UK GDPR due to the ‘Domestic Purposes’ exemption.
However, if your cameras go beyond that and capture images of other people’s homes, local shared spaces or even the street, then you must follow the same regulations as those who deploy CCTV in the workplace (see below). A good example of this is the use of Ring Doorbells, which have recently become very popular. The camera has a wide field of view, meaning it may collect data outside the boundaries of your property. If you later choose to share this data, thinking that it would still be under the exemption, there could be repercussions.
Individuals should also be wary of using CCTV at their address if they run a business from home, as this may also put them in the bracket of needing to comply with Data Protection Legislation.
This is because you are now a Controller (as defined by the UK GDPR) and therefore you must ensure that you are properly protecting the rights of the people (data subjects) whose images you have captured.
CCTV in the Workplace
Organisations may choose to install CCTV for a number of reasons. It can be used as a deterrent for theft and vandalism as well as for the detection of crime. Whatever your purpose for the installation, there are rules and regulations that must be adhered to in order to ensure compliance.
Transparency is a running theme throughout the GDPR, which goes to show just how much importance it holds. Organisations are legally required to tell people that they are collecting their personal data, in this case their images and/or audio. A clear sign showing that video surveillance is taking place, with an explanation as to why, will suffice. The sign should state the details of the Data Protection Officer and the organisation, allowing the data subject to make contact if they so choose or to access their Data Subject Rights. You must also provide an easy-to-understand policy that details the purpose and extent of the monitoring as well as defining a retention period. The policy itself does not have to be on the sign (as it probably won’t fit!), but a link to where it can be found should be included.
Data Subject Access Requests
One of the key aspects of the GDPR, and of Data Protection Legislation as a whole, is giving individuals more rights around their personal data, including how it is used, how they obtain access to it and how to stop organisations using it. Data Subject Access Requests (DSARs) can be formal or informal requests made by data subjects to access their data. If your organisation receives a DSAR from an individual requesting any images that have been captured from CCTV cameras, you have one month to provide them with a copy of that data. Depending on the complexity of the request, you may be allocated more time to process the request, but the data subject will need to be informed at the earliest point possible. You must ensure that the identities of other individuals appearing in the CCTV images are protected by blurring their faces or any distinguishable marks.
Data Minimisation and Retention
The only data that should be collected is data that is strictly necessary for the purpose you have determined. Alongside this, the collected data should only be stored for as long as it is necessary to achieve this purpose. For example, do you need CCTV footage past 2 weeks if you’re using it for crime prevention purposes? It is highly likely that the CCTV will only be needed in the immediate aftermath of the crime taking place.
Minimising the data you collect by only placing cameras where they are necessary and setting retention periods (as mentioned above) will assist you in being compliant with the requirements of the UK GDPR. Having a process to ensure the secure deletion of the CCTV footage will also help.
Data Protection Impact Assessments (DPIAs)
DPIAs are a requirement for any processing of data that can be considered ‘high risk’ to the individuals involved. Carrying out a DPIA and regularly reviewing it when cameras are added or removed, new systems are installed or upgraded and when camera positions are changed will help to ensure compliance.
Deciding to deploy CCTV is a common choice for most businesses and for many people trying to protect their homes. However, there are a couple of things you must consider:
- Keep in mind that you have to provide full transparency to individuals whose images and/or audio are captured.
- You need procedures in place to process requests for access to the data that you hold.
- Minimise data collection wherever possible and also carry out risk assessments.
These are all legal requirements under the UK GDPR that must be met, and ignoring them can lead to reprimands, legal action and fines for the companies and individuals involved.
Placement of Cameras
There needs to be a purpose behind every camera and every camera’s placement. CCTV should not be installed where it is not necessary. For example, it’s not unusual for there to be CCTV near a busy door such as by a nightclub or bank. Similarly, it is not uncommon to see CCTV in toilets facing the shared space near the sinks but it should not be in the individual toilet cubicles, as this is not necessary.
It is advisable to note where all your cameras are and ensure you have a reason for why each one is there as well as why it is necessary.