Is your company using CCTV? Are you considering installing cameras but unsure of the regulations? If so, read this article from Stephen France, Change Architect and GDPR Practitioner from Marbral Advisory
I was recently contacted by the Police in connection with a minor incident involving a vehicle registered to me. The driver had reversed into a parking bollard and the event had been recorded on CCTV. Since I was unaware that CCTV was in operation at the property concerned, I checked, and discovered that, apart from a tiny sticker, there were no signs warning the public that CCTV had been recently installed.
The use of CCTV for security and safety purposes is widespread but under the General Data Protection Regulation (GDPR), introduced on May 25, 2018, operators of CCTV systems must comply with the regulations. GDPR isn’t just about written information, it also applies to any information that can be used to identify someone, and this includes images captured by CCTV.
Operators must tell people that their personal information is being collected and allow them to exercise their data subject rights. This may include making a subject access request to the operator, asking them for details of all information that has been recorded about them. Clear signage needs to be installed, warning people that CCTV is in operation.
Under the GDPR, operators also need to explain why data is being collected. In the above case, the images are likely being collected for safety and security purposes, and this would fall under the GDPR lawful basis of Legitimate interests. A brief explanation of why the data is being collected should be included on any signage installed.
Having collected the information, the operator needs to ensure that it is kept securely and can only be accessed by those authorised to do so such as security personnel or management. Storage media such as tapes must be stored in a secure location and any images captured digitally should be saved in a location that has the appropriate access control rights.
Having saved the information, thought needs to be given as to how long it will need to be retained and a data retention policy should be in place before any equipment is installed. The GDPR states that information must only be kept for as long as it’s necessary for the purpose for which it was intended. Whilst the term is open to interpretation, media storage constraints may determine how much information can be retained and many commercial CCTV systems will have an in-built data retention function.
Some organisations may consider themselves outside the scope of the GDPR, but non-compliance can lead to hefty fines. There have been several high-profile cases in the UK news involving well-known companies such as British Airways, but what may not be widely known is that within four months of the introduction of GDPR in 2018, the Austrian Data Protection Authority fined a shopkeeper €4,800 for installing a CCTV system covering a public area without installing the appropriate signage.
Planning is everything and before installing a CCTV system, a data protection impact assessment (DPIA) needs to be carried out. This will help an identify and minimise risks from data processing activities that may impact the rights and freedoms of individuals.
Marbral Advisory trains companies on the correct use of the GDPR and helps teams to ensure their processes, procedures and policies are up to date. For further guidance or business support, get in touch with the team: hello@marbraladvisory.com or visit their website: www.marbraladvisory.com