You might be surprised to learn that CCTV footage is subject to the GDPR (General Data Protection Regulation).
The Regulation isn’t just about written details, like names and addresses; it applies to any information that can identify someone. That includes pictures and videos, which is why you should be careful about the way you use CCTV.
Let’s take a look at the steps you should follow to ensure your video surveillance methods are GDPR-compliant.
1. Make sure people know they’re being recorded
Transparency is a core principle of the GDPR. You must tell people when you’re collecting their personal information to give them the opportunity to exercise their data subject rights.
These rights enable individuals to access the personal data organisations store on them and to challenge the way their information is used.
You can make sure people are aware you’re recording them by posting signs that say CCTV is in operation. If you’re using CCTV to monitor employees, you should also explain in your privacy policy that they are being recorded.
2. Clearly state why you are using CCTV
Under the GDPR, it’s not enough to simply say that you’re collecting personal data; you also need to explain why you’re using it. This is where the Regulation’s lawful bases for processing come in.
There are six bases in total and, with the exception of consent, each one might be suitable in different circumstances:
A contract with the individual: for example, to supply goods or services, which may include a provision that those services are monitored.
Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions, hospitals and the police.
Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.
If you’re recording a public area, you can meet this requirement by including a brief explanation on the signs you’ve posted. For example, it might say, “CCTV is in operation for the purpose of public safety”.
Many retailers sell signs like this, leaving the purpose blank so that you can fill it in with the appropriate message.
If you’re monitoring employees, you should explain the basis for processing in your privacy policy.
3. Control who has access to CCTV
Your monitoring practices could do more harm than good if you don’t limit who can view the footage you’ve recorded. The GDPR requires that personal information should only be accessible to those who need it to complete a function of their job.
That will generally be security personnel and management. Other staff may need access depending on the purpose for processing, but the key point is that you should make every effort to ensure CCTV can only be viewed by those with permission.
This means keeping the footage in a secure location. Physical tapes should be stored in a locked cupboard and digital files should be saved in a folder that’s subject to access controls.
You might also decide to encrypt digitally recorded CCTV footage to further protect it. This will be particularly useful when DSARs (data subject access requests) are submitted, as it ensures the information is protected when in transit.
4. Delete footage when it’s no longer necessary
Most organisations have a retention period for CCTV footage, simply because it’s too impractical to keep the information indefinitely. Physical tapes will soon stack up and digital files will eat up memory.
However, you must now be more systematic about how long you keep recordings.
The Regulation states that you can only store information for as long as it’s necessary for the purpose for which it was collected, and you must outline that time frame before you start processing.
You should therefore establish a system to make sure you delete information once the data retention deadline passes.
As for how long ‘as long as necessary’ is, that depends entirely on why you are collecting the information. However, it’s unlikely that you will need to keep the data for more than a week or two.
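A retention-enforcement routine of the kind step 4 calls for, written as an added example that is not part of the original post. It assumes a hypothetical archive layout of <root>/<purpose>/<camera>/<recording>.mp4 whose file mtime is the recording time, a per-purpose retention schedule fixed before recording starts, and a ".hold" marker file for footage that must outlive its deadline (for instance while a DSAR is being answered); the sample archive it builds is constructed placeholder data.

```python
import os
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = {"public_safety": 14, "staff_monitoring": 7}  # hypothetical schedule, fixed up front
# Assumed layout: <root>/<purpose>/<camera>/<recording>.mp4 with mtime = recording time;
# a sibling "<recording>.mp4.hold" marks footage kept past its deadline (e.g. a pending DSAR).
HOLD_SUFFIX = ".hold"

def expired_recordings(root, now):
    """List recordings past their purpose's retention deadline that are not on hold."""
    expired = []
    for purpose, days in RETENTION_DAYS.items():
        deadline = now - days * 86400
        purpose_dir = Path(root, purpose)
        if not purpose_dir.is_dir():
            continue
        for rec in sorted(purpose_dir.rglob("*.mp4")):
            on_hold = rec.with_name(rec.name + HOLD_SUFFIX).exists()
            if rec.stat().st_mtime < deadline and not on_hold:
                expired.append(rec)
    return expired

def enforce_retention(root, now, dry_run=True):
    """Delete expired recordings; return an audit trail of (relative path, action) pairs."""
    log = []
    for rec in expired_recordings(root, now):
        if not dry_run:
            rec.unlink()
        log.append((rec.relative_to(root).as_posix(), "would delete" if dry_run else "deleted"))
    return log

def build_sample_archive(now):
    """Create a constructed archive of placeholder files in a temp dir; return its root."""
    root = Path(tempfile.mkdtemp())
    samples = [  # (relative path, age in days, on hold?)
        ("public_safety/door1/a.mp4", 3, False),  # within 14 days: keep
        ("public_safety/door1/b.mp4", 20, False),  # past 14 days: delete
        ("public_safety/door1/c.mp4", 30, True),  # past deadline but on hold: keep
        ("staff_monitoring/till2/d.mp4", 10, False),  # past 7 days: delete
    ]
    for rel, age, hold in samples:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed placeholder")
        os.utime(p, (now - age * 86400,) * 2)
        if hold:
            p.with_name(p.name + HOLD_SUFFIX).write_text("hold reason: placeholder DSAR ref")
    return root
```

Run it first with dry_run=True from a scheduled job and review the audit trail before switching deletion on; the returned log is what you keep as evidence that the retention schedule is actually applied.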
Do your research with a DPIA
Before you set up CCTV cameras, you must complete a DPIA (data protection impact assessment). This process helps organisations identify and minimise risks that result from data processing activities that are ‘likely to result in a high risk’ to the rights and freedoms of individuals.
The GDPR explicitly states that this includes large-scale public monitoring, so there’s no getting around this requirement.
Don’t think of it as burdensome bureaucracy, though. A DPIA will help you determine solutions to the issues we’ve addressed here, and help you ensure that the footage is adequate for its intended purpose.
The penalties for non-compliance
The GDPR has raised the stakes for effective data protection and privacy, with non-compliant organisations facing hefty fines. One of the first penalties issued under the GDPR was levied against an Austrian retailer for its use of CCTV.
The organisation failed to inform people that it had set up surveillance cameras outside its shop, and as a result it was fined €4,800 (about £4,250).
That represents a relatively lenient penalty, given that GDPR violations can attract fines of up to €20 million (about £17.75 million) or 4% of an organisation’s annual global turnover – whichever is greater.
Such clemency seems unlikely in the UK, with the ICO (Information Commissioner’s Office) recently issuing fines totalling £282 million against British Airways and Marriott International for GDPR violations.
We obviously don’t expect GDPR fines on that scale for poor CCTV practices, but it shows that the ICO takes the GDPR seriously – and it expects you to do so too.
You can check whether your processes comply with the GDPR with our Privacy Audit Service.
Our Certified Information Security Lead Implementer (CIS LI) will come to your organisation and assess your data privacy and information security practices, checking them against the requirements of the GDPR, ICO guidance and IT governance best practice.
As part of this process, we’ll:
Review documentation (policies, procedures, records, etc.);
Check that required controls are in place (e.g. CCTV, access controls, and other security measures); and
Conduct interviews with key members of staff.
After the audit, you’ll receive a report that records the consultant’s observations and findings, as well as a separate audit tool workbook that contains the detailed audit results.
If you wish to discuss your information security requirements, you can contact our ISMS Lead Implementer Scott Naisbett - https://www.isosystems.org.uk/contact