Search our news, events & opinions

23 October 2018 2 Comments
Posted in Opinion, Technology & media

Is your CCTV system GDPR compliant?

Posted by , Trainee Solicitor

The UK is often cited as being one of the most video monitored societies globally, with up to 5.9 million CCTV cameras in operation in 2015 alone (one camera for every eleven people). Your organisation or business may use CCTV recording for a variety or reasons such as prevention of crime, health and safety or monitoring the workplace. Homeowners may also install domestic CCTV systems to protect their personal property.

CCTV

If your CCTV system monitors or records the activities of individuals, this will constitute the processing of personal data under the General Data Protection Regulations (GDPR) and be caught by the data protection legislation.

If you are a homeowner using a CCTV system, the UK Data Protection Act 2018 (DPA), which implements the EU-wide GDPR, does not apply to CCTV installed on a person’s own home in order to protect it from crime such as vandalism or burglary. However, if the camera captures areas outside of the confines of the household, for example, a shared drive or car parking space, the data gathered will be subject to the DPA. The guidance for businesses below will then also be applicable to your home CCTV system and will need to be complied with in order to avoid penalties under the DPA.

Business owners can usually rely on their own legitimate interests or a legal requirement as the lawful basis for operating CCTV and processing the related data. However, they will need to demonstrate that lawful basis for the entire area covered by the camera. Individuals recorded by CCTV become “data subjects” when footage of them is recorded and stored. The data subject’s rights and freedoms cannot be overridden, especially where relying on legitimate interests as the lawful basis for processing their data. Even inside a work premises, employees have a right to privacy.

Data subjects are entitled to understand when their personal data is being recorded and stored. As a result, the recording and storage of CCTV images should be highlighted by clear signage indicating the areas monitored and who to contact for further information.

One of the core principles of the GDPR is that personal data should only be processed for as long as it is completely necessary. Each camera and its purpose will need to be assessed to determine how long footage can be stored for. There are no defined acceptable retention periods within the legislation; the relevant period is entirely dependant on its reasonableness in light of the purpose for which the footage is used. For example, a retail shop would not usually be expected to retain footage for any longer than 6 months – by that time any reported crimes are likely to have been investigated and relevant footage seized.

As with any other form of personal data, data subjects have a right to access their own data. If you are preparing data for disclosure arising from a data subject access request you will need to ensure that the requester is present in the footage and that by supplying the footage you do not disclose the personal data of any other third parties. This may require blurring parts of the footage such as faces and licence plates.

You should also note that under the new GDPR, the information must be provided to the data subject free of charge. A reasonable fee can only be charged if the request is ‘manifestly excessive or unfounded’ and can only cover the administrative costs involved. The footage must be supplied within 30 days of your receipt of the request.

Any act of storing or accessing CCTV footage is considered data processing and it is crucial that CCTV operators ensure the confidentiality and integrity of any footage. Screens displaying live or recorded footage should only ever be viewed by authorised individuals and not members of the public who walk past a CCTV operation room or security guard post.

The devices used to store CCTV images are a common target during a break-in (not only for their resale value but also to remove evidence of the crime). As a result, organisations need to consider the physical security of storage devices such as whether it is kept in a locked room. Newer systems may allow for recordings to be kept in an encrypted format which will prevent unauthorised access in the event of loss or theft.

CCTV systems which can transmit images over the internet, to allow viewing from a remote location, should ensure that these signals are encrypted to prevent interception and also require some form of authentication for access, such as a username and strong password. CCTV systems which make use of wireless communication links (e.g. transmitting images between cameras and a receiver) should ensure that these signals are encrypted to prevent interception.

Conclusion

The Information Commissioner’s Office recommends that any organisation using CCTV should carry out a data protection impact assessment (DPIA) on its use.

If you would like further information on the GDPR implications for your business then please contact Emma Banister Dean on:

01865 268 370     Email usemma.banisterdean@roydswithyking.com

Leave a comment

Thank you for choosing to leave a comment. Please keep in mind that comments are moderated and please do not use a spammy keyword or a domain as your name or it will be deleted.

*required*

**required*

*optional*

2 comments on Is your CCTV system GDPR compliant?

  1. Posted by Nicola THOMPSON on February 13, 2019 at 1:03 pm

    Our neighbour has installed CCTV which monitors a shared drive which we and she alone have access over. The CCTV is activated as soon as we step out of our house and monitors our movements outside our property including our swimming pool, we have reported this to the police who aren’t interested. Is there anything we can do to protect our privacy?

    • Posted by Anna Arakcheeva on February 13, 2019 at 2:01 pm

      Dear Nicola,

      Thank you for your query. A member of our Privacy team will be in touch to provide further information.

      Kind regards,

      Andrew Kuemmerle

Opinion

Learn more

Trainee Solicitor

T: 01865 264 006 (DDI)
Email

Search our news, events & opinions