The UK population is one of the most surveilled in the world, with up to 5.9 million CCTV cameras in operation in (2015 estimate). This probably comes as no big surprise as most businesses from small convenience stores to large office buildings will have a CCTV system in place for security as well as health and safety.
Justifying use of CCTV
Most of us are aware that the GDPR requires that the processing of personal data be lawful, fair and transparent. CCTV collects personal data in the form of images, so is clearly in scope. In most cases, businesses can rely on legitimate interests or the need to comply with another legal requirement as the lawful purpose for operating CCTV. However, this must be justified against the area of coverage. Data subject’s rights and freedoms cannot be overridden, especially in the case of legitimate interests. Even inside office premises, employees have a right to privacy.
CCTV and the Right to be Informed
Transparency is key. Data subjects are entitled to know when their personal data is being processed. It is recommended that the use of CCTV is communicated via signage which indicates the areas covered and other relevant information.
Privacy Impact Assessment
Data protection legislation relating to CCTV is not new under the GPDR. It was included under the DPA (Data Protection Act) and the Information Commissioners Office (ICO) produced detailed guidelines on the subject. Under the guidelines it was recommended that operators conduct a data privacy impact assessment to ensure they can justify processing and that they are not excessively reducing the privacy of data subjects. This is still the case.
A core principle of the GDPR requires personal data to be processed for only as long as its purpose requires it to be. Each camera and its purpose should be assessed to determine how long footage should be retained for. There are no defined acceptable retention times as this will depend on the purpose. However, be aware that years later or until the footage overwrites it, is not a good demonstration of consideration of the data subject’s rights. A retail store, for example, should not reasonably expect to retain footage for any longer than 6 months as by that time, any reported crimes would have been detected and relevant images reviewed.
Data Subjects Access Requests
Data subjects have a right to access all types of personal data, including CCTV footage, which means you may need to disclose it to them. Companies and CCTV operators will need to ensure that the person requesting the data is present in the footage, also that by supplying the footage they do not disclose any personal data of another person. This may require blurring of parts of the footage such as figures or license plates.
Security and Encryption
Simply storing or accessing personal data is considered processing and it is imperative that business owners or CCTV operators uphold the confidentiality and integrity of data including CCTV footage. Screens displaying live or recorded footage should only be seem by authorised individuals. Footage should be secured, for example, by use of encryption.
The GDPR does not discourage the use of CCTV rather, it encourages balance and clarity for all parties regarding its usage. While in the past, the concerns of data subjects may have been disregarded in favour of the overriding interests of the controller, this can no longer be the case so be warned.