CategoriesBritish ChambersCharity SectorConstructionCyber SecurityEducationFinancial & LegalHealth Wellbeing & LeisureInternational TradeIT InsightsJob VacanciesManufacturingMarketingMember NewsPolicySales & Marketing InsightsSussex ShowcaseTransport & Logistics Sector
ArchiveMarch 2021February 2021January 2021December 2020November 2020October 2020September 2020August 2020July 2020June 2020May 2020April 2020March 2020February 2020January 2020December 2019November 2019October 2019September 2019August 2019July 2019June 2019May 2019April 2019March 2019February 2019January 2019December 2018November 2018October 2018September 2018August 2018May 2018
With the advent of increased crime figures and more affordable CCTV systems (£300 buys you a four camera system), many businesses, large and small have invested in CCTV. In fact, the British Security Industry Association estimates that there are up to 5.9 million CCTV cameras in operation in the UK in 2015 alone.
However, many people don't realise how this could impact them from a legal perspective. In a survey across Irish businesses, carried out on behalf of the Irish government in 2017, it was revealed that up to 66% of respondents were unaware that the GDPR had an impact on their use of CCTV.
In fact, CCTV use in the UK is governed by four different pieces of legislation:
Getting it right is important. The ICO has recently toughened their regulatory posture by taking enforcement action to restrict the unwarranted and excessive use of increasingly powerful and affordable surveillance technologies such as CCTV. In an effort to simplify things, both theInformation Commissioner’s Office (ICO) and the Surveillance Camera Commissioner’s Office (SCCO) have issued data protection codes of practice for surveillance cameras and personal information. While they’re not legal requirements, the chances are that, if you’re not following them, you are breaking the law.
So, what do you need to know and more importantly, do?
1. Does this Apply to You?
All businesses (and charities) that process personal data are bound by GDPR which means that even if you are a small business, you need to comply with the appropriate legislation. The only exception is for personal use e.g. your home. However, if you inadvertently record a public space (even partially), your footage may not be regarded as a 'personal or household' activity and so may not qualify for the exemption. Furthermore, a neighbour may object to images of her/his property being recorded and could take a civil legal action if their right to privacy is infringed by the placement of a CCTV camera which records their property. So what you record is very important.
2. Justify your Use
4. Data Subject Access Requests (#DSAR)
You are legally responsible for disclosing data to those who have a legal right to access it (Article 15). Under GDPR, people (data subjects) have several rights including the right of access (i.e. your requirement to share the CCTV footage that they are included in), and to request deletion (provided the information is not needed for some other legitimate purpose e.g. insurance coverage). Like a lot of GDPR, it’s important to document your reasoning and your processes. We therefore recommend having a written policy in place for DSARs (data subject access requests) which explains how:
People request access (e.g. by sending an email to email@example.com)
You store your data, where you store it, how you can get access to it and how you will safely send it to your data subject (e.g. by secure email)
To establish data subjects’ identities (important so you make sure they are who they say they are and that you don’t inadvertently send them someone else’s data as this would technical be a data breach which could need to be reported)
You would redact information where necessary for example by blurring other people’s faces or vehicle registrations etc.
It’s important to have all this figured out in advance because under GDPR, once you have received a DSAR you only have 30 days to comply (this can be extended but needs justifying to the ICO).
5. Appropriate Security Measures #Encryption
You are legally responsible for guarding the personal data that you collect. Article 5 stipulates that data are ‘processed in a manner that ensures appropriate security of the personal data’ and Article 32 that ‘the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’. Psydonomization (for example, where people’s information is replaced by numbers) and encryption are mentioned as examples. While the ICO does not require the use of encryption, it does state the ‘where data is lost or destroyed and it was not encrypted, regulatory action may be pursued’ – you have been warned!
This means that you should:
Ensure that data can only be accessed by authorized personnel and that it is stored securely, preferably using encryption and physical protections such as in a locked safe or cupboard
Keep an audit trail showing how the information is collected, what is collected and how it is used
Store the data only for as long as it is legitimately needed. For example, CCTV footage from a camera in a hotel’s restaurant can safely be removed after just a few hours since incidents in these areas come to light very quickly, whereas footage from a gym may need to be kept for months to comply with liability insurance requirements. Whichever it is, it’s important that subjects are notified of the duration and the reasons.
Dispose of data in a secure and responsible manner, which makes it impossible to recover.
Hopefully after reading this article you realise that safely and legally deploying a CCTV system is not as easy as clicking in Amazon. At the very least, we recommend that you make sure you:
Document your legal basis and justification for a system, ideally via a DPIA. If resources are tight, at the very least you should utilize the short-form checklist that the ICO posted in Appendix 2 of it’s CCTV Code of Practice
Have a publicly available CCTV policy and notices informing people of its use
Only store the data for the minimum time needed and that it is safe, ideally encrypted and locked away
Think about who you share the data with and where they are located to ensure that it remains safe and data subjects are adequately informed
Practice your response to a DSAR so that you know what to do
If you feel that you need help, Data Compliance Specialists offer a range of services from straight-forward advice through to completing all the necessary documentation and policies you need.