What Do CCTV Users Need to Know About Privacy and Data Protection?
The UK is recognised as one of the leading users of CCTV globally, and we are installing CCTV on more and more sites. It has great benefits both in terms of ensuring site security and for monitoring Health and Safety, but there are some considerations to be aware of. In light of current Data Protection Laws and the new requirements coming in under the GDPR changes on 25 May 2018, we thought we would run you through our top 10 considerations for CCTV and Data Protection.
Regardless of how many cameras you have, if you are using any kind of camera surveillance in the UK, if it can recognise individuals, you will need to be aware of Data Protection and Privacy regulations. If you capture personal data other than just someone’s image, for example their car registration number using ANPR, then that information will be covered too.
Our Top 10 Considerations for Operating CCTV Within Privacy Laws
- Consider whether CCTV surveillance is justified. Is it the best, proportionate response to your problem? For example, if you are putting CCTV up to monitor Health and Safety, would improved signage and training be a more effective solution?
- Conduct a privacy impact assessment before you put the cameras up. Whose privacy will be impacted? Will that be limited to your workers or will your cameras also capture private individuals who are not associated with your business? If so, can you reposition the cameras to avoid that intrusion into their privacy? Make sure your cameras only view areas that are of interest to you and do not cover any particularly sensitive areas e.g. changing rooms, entrances to clinics or advice centres.
- Choose your camera specifications and set up carefully. Do your cameras need to record all the time? Or should they be motion activated? Do they need to record all day when people are on site or only at night time? Make sure your cameras have the correct specifications to ensure that you do not view or record unnecessary images, and that those you do record are of the quality you need. Make sure any date and time stamps recorded by the camera are accurate. If your camera can record audio but you don’t need audio, have you turned it off?
- Have a clear, documented procedure for handling the data you record. Identify who has control of any recordings, how that information is used, make a plan to store it securely and be clear about to whom it may be disclosed. If you are the organisation making these decisions, you should probably be registered as a Data Controller with the Information Commissioner’s Office. https://ico.org.uk/for-organisations/register/ If other organisations will have access to your recordings, for example to monitor a site for intruders, then put a written contract in place with clearly defined responsibilities as to how that data will be handled.
- Let people know that they are in an area where CCTV is in operation. This will usually mean putting up signs at the entrance to the area and can be backed up by other methods, such as tannoy announcements or social media notices for events. Signs should be clear and easy to read, include information on who is operating the system, if it is not obvious, and basic contact details e.g. phone number or email address.
- Regularly review whether your use of CCTV is still justified. For example, if your site is temporary, for a festival or event, make sure the CCTV is removed as soon as the event is over.
- Viewing of live images on monitors should usually be restricted to the operator and any authorised person who needs to see it. This might mean that if you have screens up with your live footage showing, for example in your reception area, that they need to be positioned so that the public cannot see them.
- If you operate a live camera designed for public use, such as a live feed showing site progress on a website or a webcam showing the weather outside your location, this should be positioned so individuals cannot be recognised.
- If you record someone’s image in such a way that they could be recognised and hold that information, they have a right to access the recording. You must provide the footage promptly if requested. This might mean putting a hold on deletion of files if you normally overwrite footage after a set amount of time. You can offer this in various ways, for example, they could come in and view the footage if sending it to them would be difficult.
- How long you retain footage should be a decision based on how you will use it, rather than whatever the manufacturer has set as the default or how much storage capacity you have. No data should be kept for longer than necessary
Read the full ICO Code of Practice for CCTV here on the ICO Website
If you would like to discuss whether CCTV is right for your site, and how to go about installing it, do get in touch.