It should be no surprise to learn that CCTV footage is subject to the GDPR (General Data Protection Regulation).
What is CCTV?
CCTV (closed-circuit television) is a TV system in which signals are not publicly distributed but are monitored, primarily for surveillance and security purposes.
The GDPR protects more than just written details such as names and addresses. The GDPR applies to any personally identifiable information. This includes photos and videos, so be careful how you use CCTV.
Let’s take a look at the relationship between GDPR and CCTV footage and the steps you as a business owner and employer should follow to ensure your video surveillance methods are GDPR compliant.
1. Let people know they are being recorded
Transparency is a core principle of the GDPR. Employers need to let people know when they collect their personal information so they can exercise their data subject rights.
These rights allow individuals to access their personal data stored by organizations and to object to how their information is used.
Posting a sign stating that CCTV is in operation ensures that people know they are being recorded.
If you are using CCTV to monitor your employees, your privacy policy should also explain that your employees are being recorded.

2. State clearly why you are using CCTV
Under the GDPR, it's not enough to say you're collecting personal data. You should also explain why you are using it.
This is where lawful grounds for processing rules come into play.
There are six lawful bases in total. Apart from consent, each may be suitable in different situations:
- Contract with an individual: For example, to provide you with goods or services. This may include provisions that those services be monitored.
- Compliance with legal obligations: If it is a legal requirement to process the data for a specific purpose.
- Vital interests: For example, if the processing of the data protects the physical integrity or life of someone (the data subject or someone else).
- Public task: For example, to complete official functions or tasks for the public good. This is typically intended for public institutions such as government agencies, schools, other educational institutions, hospitals, and police.
- Legitimate interests: Where a private sector organization has a genuine and legitimate reason (including commercial interests) to process personal data without consent.
If you are recording in public places, you can meet this requirement by including a short explanation on the posted sign.
For example, the sign might read “CCTV is operated for public safety.”
Many retailers sell signs like this with the purpose left blank so that an appropriate message can be filled in.
If you are monitoring your employees, your privacy policy should explain the basis for the processing.

3. Control who has access to the CCTV
Surveillance practices can be harmful if you don’t limit who can view your recorded footage.
The GDPR requires that personal information should be accessible only to those who need it to complete their job function. These are usually security officers and administrators.
Other staff may need access for the purposes of the processing, but it is important that every effort is made to ensure that CCTV is only viewable by authorized persons.
This means keeping your footage in a safe place. Physical tapes should be kept in locked cupboards, and digital files should be kept in folders with access control.
For additional protection, digitally recorded CCTV footage can also be encrypted. This is especially useful when a DSAR (Data Subject Access Request) is submitted as it ensures that information is protected in transit.

4. Delete footage you no longer need
Most organizations have a retention period for CCTV footage simply because it is not practical to retain the information indefinitely.
Physical tapes pile up quickly and digital files use up storage space. However, you need to be more systematic about how long you keep records.
The regulations stipulate that information can only be stored for as long as is necessary for the purposes for which it was collected, and that period must be outlined before processing begins.
Therefore, a system must be established to ensure that information is deleted once the data retention period has passed.
As for the “as long as necessary” period, it depends entirely on the reason for collecting the information. However, the data rarely needs to be kept for more than a week or two.

5. Conduct a DPIA
A DPIA (Data Protection Impact Assessment) must be completed before setting up a CCTV camera.
This process helps organizations identify and minimize risks arising from data processing activities that are “likely to pose a high risk” to individual rights and freedoms.
The GDPR makes it explicit that this includes large-scale public monitoring, so this requirement cannot be circumvented.
But don’t think of it as cumbersome bureaucracy. A DPIA helps determine solutions to the problems raised here and helps ensure that footage is suitable for its intended purpose.

6. Penalties for Violations
The GDPR has heightened the importance of effective data protection and privacy, and non-compliant organizations face hefty fines.
One of the first penalties issued under the GDPR was imposed on an Austrian retailer for its CCTV use.
The organization failed to inform people that it had installed surveillance cameras outside its store and was fined €4,800 (approximately £4,250) as a result.
This is a relatively generous penalty given that GDPR violations can result in fines of up to €20m (approximately £17.75m) or 4% of an organization’s annual global turnover, whichever is greater.
Such leniency seems unlikely in the UK, as the ICO (Information Commissioner’s Office) recently fined British Airways and Marriott International a total of £282m for GDPR violations.
We don’t expect GDPR fines of this magnitude for poor CCTV practices, but it shows that the ICO takes GDPR seriously.

7. Create a CCTV policy
If you need help meeting your surveillance requirements, consider our CCTV data protection policy template.
Developed by a team of data protection experts, this set includes comprehensive guidance to help you create and document a surveillance system that meets GDPR requirements.
It contains all the information you need to know:
- Why organizations need CCTV surveillance and how to properly use these systems;
- How monitoring should be considered according to laws, regulations, codes of conduct and standards;
- What privacy factors should be considered before using CCTV surveillance;
- How to store and process CCTV recordings in accordance with the GDPR data processing principles;
- Advertisement and recording of the CCTV system on the premises;
- Selection of monitoring systems and outsourcing partners; and
- Assignment of CCTV roles and responsibilities.
