I am sure you are aware by now of the imminent introduction of the General Data Protection Regulations and the impact they are likely to have across a wide spectrum of data collection, control and protection.
One important area that has been identified is surveillance by CCTV. As this involves recording personal data, the images of identifiable individuals captured on its footage, it falls within the remit of GDPR.
Our security colleagues, the Allcooper Group, have looked closely at this and the information I am presenting here is based primarily on their findings and is published with their permission.
At the moment, the Information Commissioner’s Office (ICO) has yet to publish their official guidance and update the Data Protection Code of Practice for Surveillance Cameras and Personal Information. The direction that is currently available is therefore a ‘best estimate’, until more concrete advice from an authoritative source is issued.
Common action points within the articles* we read on the topic suggest that you should:
1. Document the extent to which CCTV is required, where it is required and at what times. It also needs to confirm that you regularly review whether CCTV is still the best security solution.
2. Ensure that you have paid the data protection fee to the ICO.
3. Have a policy and/or procedure covering the use of CCTV and nominate an individual who is responsible for the operation of the CCTV. The policy should cover the purposes you are using CCTV for and how you will handle this information, including guidance on disclosures and recording.
4. Establish a process to respond to individuals or organisations making requests for copies of the images on your CCTV footage, and to seek prompt advice from the Information Commissioner where there is uncertainty.
5. Make all relevant staff aware of your CCTV policy and procedures and train them where necessary.
6. Have an information retention policy which is documented and understood by those who operate the CCTV system. Only retain data for the minimum time necessary for its purpose and dispose of it appropriately when no longer required. Your retention period should not be based merely on the storage capacity of your system, but reflect how long you need the data for the purpose. It is widely accepted that 30 days is appropriate. Any longer than that would need special justification.
7. Ensure that CCTV images are clear and of a high quality, so they can be used by law enforcement bodies to investigate crime.
8. Securely store CCTV images for example by using encryption, limit access to authorised individuals and regularly check that the CCTV system is working properly. Security precautions should include technical, organisational and physical security.
9. Clearly inform individuals that CCTV is in operation via the display of appropriate signage within the vicinity.
10. Consider whether the data you are capturing could be considered a ‘high risk’ activity. This is information which could be used for profiling (employees or customers), or on which other individuals could draw conclusions which might negatively impact the person in the footage, for example patients attending medical clinics, union meetings, polling offices, etc, or any footage relating to children. In these circumstances, you will need to conduct and document a Data Protection or Privacy Impact Assessment.
Information correct as at 9 May 2018.
*Sources include:
https://www.wrighthassall.co.uk/knowledge/legal-articles/2016/06/03/cctv-data-protection-compliance
https://oprema.co.uk/News/February-2018/CCTV—GDPR—Big-brother-to-watch-the-watchers.aspx
Important Note: The content of this article is intended to provide a general guide to the subject matter and is not to be regarded as a substitute for consultation with a legal specialist who can advise you with a focus on your specific circumstance. Specialist advice should be sought about your specific circumstances.