CCTV and GDPR – What You Really Need to Know
By Data Installations & Supplies ltd
Under the General Data Protection Regulation, which came into effect in May 2018, personal data refers to anything that can be used to identify an individual. Many companies aren’t aware that when it comes to CCTV and GDPR, images are also considered personal data. Already in July, the Information Commissioner’s Office (ICO) prosecuted a company in Sheffield for violations of the regulations applying to usage and registration of CCTV, resulting in fines of over £4,500.
To make sure you aren’t left in the dark (or facing heavy fines), we’ve compiled the key facts you must know about CCTV and GDPR.
GDPR legislation applies to CCTV images
It may seem simple, but many businesses and individuals are actually still unaware that CCTV images are personal data under the GDPR. Whether covering business properties or public areas, CCTV systems must be registered with the ICO. You must pay a small fee, but failing to do so could cost hundreds of pounds and cause damage to your well-earned reputation.
Remember – there’s no defence for ignorance of the law. The best way to play it safe is to ensure your registration with the ICO is in order before you even turn on your CCTV system.
GDPR compliance requires analysis and justification
You must have a valid reason for operating CCTV on your premises, which requires a clear and reasonable justification. In most cases, you should be able to rely on legitimate interests or the need to comply with another legal requirement as justification for operating CCTV.
The GDPR requires you to take this one step further – you also need to explain the reason for the specific CCTV placement and area covered. We recommend that you undertake an analysis of CCTV usage and monitoring to ensure that your positioning is reasonable and proportionate to its purpose. (And no, monitoring staff doesn’t count.)
Inform people who could be captured on CCTV
If you use CCTV, you should communicate this clearly to your employees as well as others whose images may be captured. You may include notices in your privacy notice or terms of contract. The GDPR additionally requires you to inform people at the point of capturing information. You should put up clear signage which explains that you are capturing images and why you are capturing them (i.e. for security purposes), and which gives contact details.
We have standard signage which we can display for you along with any CCTV installation. Our in-house designers can also create custom signage to meet your requirements.
Control who has access to CCTV images
Because CCTV images contain sensitive information, you must keep careful control of images throughout processing. (Processing includes acts of storage and/or access.) Establish firm procedures for securing footage, whether that be encryption for digital footage or lock and key for physical footage. Keep logs detailing where, what, when and by whom data is accessed to ensure accountability and confidentiality. You should make sure that all staff who have access to footage receive proper training on CCTV and GDPR requirements.
Retain data only as long as you need
The GDPR states that you can keep personal data only for as long as it is needed for its purpose. After this time, all personal data should be destroyed or deleted. Carry out an assessment of each camera and its purpose to determine how long you should keep footage. There are no defined retention times – however, these must be reasonable in view of purpose. Around a month of video retention is fairly common. We also highly recommend that businesses record and store to a VMS rather than rely on risky SD cards.
Remember, exceptions apply if public authorities request access to your CCTV footage or request that you keep it for longer. It’s considered a data breach if you delete it after receiving a request to keep it.
Consider subject access requests
Just like other forms of data covered by the GDPR, subjects have a right to access their data. Because video footage could contain personal data of other subjects, you must take necessary steps to respect others’ confidentiality. For instance, you can use software to blur certain figures or number plates as necessary. Make sure you have procedures in place now before subject access requests take place.
Domestic CCTV footage
The ICO also asks homeowners to register their use of CCTV, especially systems that record audio. There are a few things you should always consider regarding your domestic CCTV system. For instance, consider whether your cameras have an impact on the privacy of your neighbour’s property or on public pavements or roads. Any monitoring of people beyond your property is effectively collecting data, and so the requirements for clear signage apply. Ensure that footage is only used for security purposes, and never pass footage on to third parties except for police or other authorities.
In conclusion, it is your duty to ensure your CCTV system is GDPR compliant to avoid breaching the regulations. Failure to understand or know the laws could result in a sizable fine. We hope these tips help you to understand the steps and the risks involved. Remember – the input of professional security service installers is the best way to avoid prosecution and fines. Contact us if you have any questions or concerns about your current CCTV and GDPR guidelines.