CCTV monitoring and the GDPR

News /

The use of CCTV will be covered by the GDPR from 25 May 2018 where the recordings contain information which identify an individual i.e. personal data. Most uses of CCTV by organisations are currently covered by the Data Protection Act so compliance now should provide a head start for GDPR compliance.

The CCTV Code of Practice for Surveillance Cameras and Personal Information (the Code) provides comprehensive content for organisations operating CCTV in the UK. It also covers the use of camera related surveillance equipment including automatic number plate recognition (ANPR), body worn video (BWV), unmanned aerial systems (UAS), and other systems that capture information of identifiable individuals or information relating to individuals.

The key GDPR issues for CCTV/surveillance equipment operators will be determining:

>  the lawful processing ground/s (likely to be legitimate interests on the basis of security measures/detection of crime).

>  who has access to CCTV data and for what reason.

>  how data is kept secure.

>  the applicable retention periods.

>  how personal data will be extracted and provided to an individual in the event of a subject access request.

Compliance with the Code would be demonstrated where a business:

>  has identified and documented the potential impact on individuals’ privacy and taken this into account when installing and operating the CCTV system.

>  regularly reviews whether CCTV is still the best security solution.

>  has a policy and/or procedure covering the use of CCTV and has nominated an individual who is responsible for the operation of the CCTV system.

>  has established a process to recognise and respond to individuals or organisations making requests for copies of the images on CCTV footage and to seek prompt advice from the Information Commissioner where there is uncertainty.

>  trains staff in how to operate the CCTV system and cameras (if applicable) and how to recognise requests for CCTV information/images.

>  only retains recorded CCTV images for long enough to allow for any incident to come to light (e.g. for a theft to be noticed) and to investigate it.

>  has ensured that the CCTV images are clear and of a high quality.

>  securely stores CCTV images, limits access to authorised individuals and regularly checks that the CCTV system is working properly.

>  clearly informs individuals of its use of CCTV.             

>  has paid the data protection fee to the ICO.

Where employees are monitored, employment terms should advise them and an employee privacy notice should be provided setting out the extent of the monitoring.

It is expected that the ICO will update the Code to take account of the GDPR. Accordingly, any businesses likely to be affected should pay particular attention to any CCTV-related updates from the ICO on or around 25 May 2018.

Related services:

Quick links

The Legal 500 2021

“Very available and responsive to company developments in real time. Frank, clear advice – not just the ‘easy’ answer.”

The Legal 500 2022

“The solicitors who have handled our employment related issues are of the highest quality in terms of their specialist area of expertise, their professionalism and their approach to us as clients and as people. Special mention has to be made of Laura Livingstone. Laura became a key member of our team and felt more like a colleague than an external adviser – a colleague you could rely upon. Laura’s attention to detail, professionalism and responsiveness was second to none. Laura has come to know and understand us as individuals and this has enabled her to personalise her advice and even sometimes to preempt our future requirements. We have a very special and extremely valuable relationship with her and the firm.”

- The Legal 500

The Legal 500 2022

“Ince are an excellent “fit” with our specific needs. The firm has consistently provided a broad range of personnel-related advice and in our experience that advice has been consistently of the very highest professional standard: it has been timely, comprehensive, accurate and at a cost which is commensurate with the budget of an organisation of our size.”

- The Legal 500

The Legal 500 2022

“The firm has an unusually high degree of insight into the practices and policies required by the Gambling Commission as regards compliance with its own requirements and conditions – particularly Andrew Tait, derived from his previous in-house experience.”

- The Legal 500