CCTV monitoring and the GDPR
The use of CCTV will be covered by the GDPR from 25 May 2018 where the recordings contain information which identify an individual i.e. personal data. Most uses of CCTV by organisations are currently covered by the Data Protection Act so compliance now should provide a head start for GDPR compliance.
The CCTV Code of Practice for Surveillance Cameras and Personal Information (the Code) provides comprehensive content for organisations operating CCTV in the UK. It also covers the use of camera related surveillance equipment including automatic number plate recognition (ANPR), body worn video (BWV), unmanned aerial systems (UAS), and other systems that capture information of identifiable individuals or information relating to individuals.
The key GDPR issues for CCTV/surveillance equipment operators will be determining:
> the lawful processing ground/s (likely to be legitimate interests on the basis of security measures/detection of crime).
> who has access to CCTV data and for what reason.
> how data is kept secure.
> the applicable retention periods.
> how personal data will be extracted and provided to an individual in the event of a subject access request.
Compliance with the Code would be demonstrated where a business:
> has identified and documented the potential impact on individuals’ privacy and taken this into account when installing and operating the CCTV system.
> regularly reviews whether CCTV is still the best security solution.
> has a policy and/or procedure covering the use of CCTV and has nominated an individual who is responsible for the operation of the CCTV system.
> has established a process to recognise and respond to individuals or organisations making requests for copies of the images on CCTV footage and to seek prompt advice from the Information Commissioner where there is uncertainty.
> trains staff in how to operate the CCTV system and cameras (if applicable) and how to recognise requests for CCTV information/images.
> only retains recorded CCTV images for long enough to allow for any incident to come to light (e.g. for a theft to be noticed) and to investigate it.
> has ensured that the CCTV images are clear and of a high quality.
> securely stores CCTV images, limits access to authorised individuals and regularly checks that the CCTV system is working properly.
> clearly informs individuals of its use of CCTV.
> has paid the data protection fee to the ICO.
Where employees are monitored, employment terms should advise them and an employee privacy notice should be provided setting out the extent of the monitoring.
It is expected that the ICO will update the Code to take account of the GDPR. Accordingly, any businesses likely to be affected should pay particular attention to any CCTV-related updates from the ICO on or around 25 May 2018.