How Can My UK Company Avoid Invasions of Privacy Through CCTV Cameras?

As a UK business owner, you must protect your company property and staff, and most organisations choose to do so through a CCTV system. However, UK businesses must carefully act according to the General Data Protection Regulation (GDPR) and Data Protection Act. Any violation of the GDPR may result in a hefty fine from the Information Commissioner’s Office (ICO). This article will explain the GDPR rules for CCTV usage within UK businesses. This should help your company comply with the GDPR by deciding suitable locations for CCTV and helping implement the correct documentation.   

Why Does the GDPR Apply to CCTV Use?

The General Data Protection Regulation applies to CCTV systems because video cameras record ‘personal information’. The GDPR defines personal information as including all information that could identify a living individual, including visual images of their face.

Why Should My Company Be Aware of the ICO?

Many UK businesses are wary of the ICO because of their ability to fine UK organisations up to £17.5m for GDPR violations.

The ICO will impose fines for improper use of CCTV systems. This is because unreasonable CCTV use allows the potential for a gross invasion of privacy. Fortunately, the ICO website provides helpful information and guidance on complying with the GDPR.  

Now that we know the importance of having a fully-compliant CCTV system, let us explore some tips on avoiding invasions of privacy.

1. Avoid Inappropriate Camera Placement

Because of the detailed nature of CCTV footage, your business can only place cameras in areas that do not have a reasonable expectation of privacy.  

In practice, this means that (absent genuinely exceptional circumstances) you should not place cameras within the following areas:

• bathrooms; 
• shower rooms;
• changing areas; or
• any space designed for safeguarding or confidential conversations.

In addition, the actual placement of CCTV cameras can violate privacy. For example, a business can likely justify placing a CCTV camera on the ceiling of an open-plan office but not using the webcam within each computer monitor. In the same way, a camera on the kitchen roof may be fine, but one hidden at waist level on the kitchen counter could well be a violation of privacy.

The GDPR and ICO require a good reason for CCTV camera placement and usage, and the most common reasons are crime prevention and staff protection. So, for example, placing cameras in a room with valuable stock and the company safe or any area where staff interact with the general public is usually fine.

Privacy Notice

This Website Privacy Notice states how a business will deal with the personal information of its users.

Download Now

2. Carry Out Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is a process within which your organisation can review any risk of data protection violation. This includes a thorough review of whether any existing or planned CCTV system will result in privacy breaches.

A good DPIA should comment on the following:

• the purpose of the CCTV system;
• consideration of the main ways in which the system could violate the privacy of individuals;
• how your business aims to mitigate those invasions of privacy risks;
• confirmation that your company has intentionally avoided placing cameras in areas with a reasonable expectation of privacy.

The ICO value well-drafted DPIAs and having one in place is evidence of intention to comply with the GDPR.

3. Store CCTV Footage Safely

Every UK business must guard against the unauthorised use of personal data. In relation to CCTV, this involves your company taking active and reasonable steps to safeguard CCTV recordings. CCTV video surveillance footage is treated as confidential because it monitors the movement and activities of individuals. 

In this way, if an unauthorised person or cyber attacker gains access to those CCTV recordings, it would constitute a significant invasion of privacy. Any UK organisation guilty of enabling a significant invasion of privacy will likely face a hefty financial penalty from the ICO.

4. Implement a Reasonable CCTV Policy

Having a written record of the scope and nature of your CCTV system is essential. Many UK businesses do so through a CCTV Policy, which a lawyer often drafts.

Whilst CCTV policies should fit the relevant organisation, the majority will confirm the following points:

• the locations of the cameras;
• the primary purpose behind the camera locations (such as crime prevention for stock rooms and staff safety for public areas);
• the name and contact details of the individual in charge of the CCTV system;
• that your business will only store CCTV footage for as long as necessary and then safely delete outdated footage; and
• that your company will place appropriate CCTV warning signage near cameras.

Key Takeaways

The good news is that the GDPR and ICO do not seek to discourage UK companies from using CCTV. Instead, they simply want organisations to ensure that their use of CCTV is reasonable and GDPR-compliant. Accordingly, ensuring appropriate camera placement and appropriate warning signage can help protect your business from any ICO fines down the line.

If you need help ensuring your CCTV system is GDPR compliant, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions