As a business owner, you are likely familiar with the benefits of a CCTV system. The better-known advantages include CCTV cameras aiding crime prevention, record keeping and safeguarding staff. However, our data protection law empowers the Information Commissioner’s Office (ICO) to fine organisations that fail to operate data protection-compliant CCTV systems. This article will explore the ICO’s expectations so your business can avoid breaching the General Data Protection Regulation (GDPR) while using your CCTV system.
What Are the Risks of Having a Non-Compliant CCTV System?
The UK GDPR and ICO do not make it too risky to use video surveillance systems. However, your organisation can greatly reduce the risk of breaching data protection regulations by implementing appropriate measures.
Let us explore several measures below.
1. Only Use CCTV if No Other Method is Available
The GDPR treats CCTV footage as ‘personal data’. Furthermore, the GDPR and ICO give personal data greater protection than other data. CCTV footage is no exception, as organisations can record an individual’s movements and actions without their prior express consent.
Accordingly, the ICO expects your organisation to consider whether a less intrusive method is sufficient for your goals. Failure to do so increases the risk that your CCTV system is for an unlawful purpose.
Suppose you run a small clothing business with three branches. In recent weeks, you have suffered several instances of shoplifting and believe it may be due to customers hiding clothes in their bags when going into changing rooms. Accordingly, you may consider whether CCTV may help determine if customers steal clothes in the changing rooms.
However, this is unlikely to be GDPR-compliant. There is an expectation of privacy within changing rooms (and bathrooms) due to the nature of the room. Instead, the clothing business may consider an alternative, less intrusive method, such as placing electronic tags on clothes. This avoids using a non-compliant CCTV system and means concealed clothing will beep at the exit (with tags being a deterrent).
2. Only Use Audio if Truly Necessary
Audio is relatively rare within CCTV systems in England, with most CCTV set-ups only recording visual data.
The GDPR lists several fundamental data protection principles, including transparency, proportionality and fairness. To justify audio recordings within a CCTV system, you should consider the following:
- whether you are transparent about the use of audio recordings, such as using appropriate signage;
- whether using audio is proportional to the purpose of the CCTV. For example, monitoring a staff car park to guard against car theft and trespassers does not require audio recording; and
- whether it is fair in all circumstances to record audio in that setting.
3. Provide Written Reasoning for CCTV and Provide Signage
Your business should carry out a data protection impact assessment (DPIA). This document confirms how your organisation has considered the privacy of individuals on your premises when setting up and using the CCTV system. For example, if you run a shop that has recently suffered criminal damage and vandalism, you should record this in an updated DPIA.
Naturally, one of the primary purposes of a CCTV system is to act as a deterrent. Many businesses plaster CCTV warning signs all over their premises to deter wrongdoing. Moreover, placing CCTV signage near cameras is also a GDPR requirement (to warn individuals of personal data recording).
4. Keep CCTV Footage Safe and for a Short Period
The ICO expects businesses to keep the footage in a secure location (preferably a locked room) and under password protection. The new online guidelines set out by the ICO detail the importance of protecting people’s privacy when processing video images.
The ICO and GDPR also require businesses in England to delete CCTV footage when it is no longer reasonably needed (for example, three months after the date in question). Naturally, if there is an ongoing disciplinary process, a company can keep the data relating to the incident in question for longer because it remains functional.
Key Takeaways
In summary, the legal requirements set out by the GDPR do not make it too risky to operate a CCTV system. Rather, your business must follow its data protection principles as per ICO guidelines. Businesses that follow GDPR rules can safely continue to use CCTV systems without risking a fine.
If you need help complying with the GDPR, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
The usual legitimate interests include safeguarding company property, protecting employees, preventing crime and protecting sensitive data (such as computers and hard drives). So, if a business wishes to protect vehicles in its car park from theft, it may consider using an automatic number plate recognition system.
You should place CCTV signage in the direct eye line of individuals on your premises. For example, many businesses will place signs near the entrance and the cameras themselves. Companies can only record CCTV footage without appropriate signage in exceptional circumstances, whether within publicly accessible places or on private property.