If your organisation has a commercial CCTV system, or you are about to have a system installed, you need to be aware of data protection laws.
In the UK this means complying with the Data Protection Act 2018 (DPA 2018), which incorporated the General Data Protection Regulation (GDPR). The Information Commissioner’s Office (ICO) enforces the law upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Data Protection Impact Assessment Required
Before you install a CCTV system you should carry out a data protection impact assessment on the impact to people’s privacy. If you determine that CCTV will not be overly intrusive, you should then put a policy in place describing how you will use it. Companies should then regularly review whether CCTV is still the best security solution.
Issues to consider in respect of privacy include the siting of cameras. For example, if the cameras are likely to overlook any areas which people would regard as private, such as a neighbour’s garden, you would look to avoid this, or restrict their fields of view or movement to minimise intrusion.
Internally you also need to consider the placement of cameras in areas where people would expect more privacy, such as locker rooms or social areas. Additionally, if your business is sited in a mixed or multiple-use location, consider the privacy concerns of the users of any common spaces.
The ICO says you also ought to consider the differing impacts of camera technologies. For example, a fixed camera might be more appropriate than a Pan-Tilt-Zoom. A system that records sound will be significantly more intrusive and harder to justify than one without that capability.
Importance of image quality
The ICO states that organisations should select a system which produces high quality, clear images which law enforcement bodies, usually the police, can use to investigate crime. Additionally, the cameras should be located so you can provide the clearest images. For example, be aware of tree and plant growth or other obstructions which might interfere with cameras’ views.
Going forward you should also carry out regular checks to ensure that the system is continuing to produce high quality images. Ensure that system settings do not compromise quality – for example, on a modern digital system ensure the overwrite cycle is not so long that it degrades footage as the system trades resolution for recording time.
Don’t forget to register with the ICO
If you hold or store any kind of personal data you will have to register with the ICO, so if you haven’t already done so, you will definitely have to if you have a CCTV system. Additionally, while there are exemptions, if your business uses non-domestic CCTV systems you are likely to need to pay a data protection fee. The cost of the fee depends on your size and turnover. There are three tiers of fee ranging from £40 to £2,900, but for most organisations the ICO says it will be £40 or £60. It is worth noting that charities, who are likely to be exempt from paying a fee for other data collection, must pay one if they operate a CCTV system.
Going forward there needs to be a policy governing the CCTV system management with a nominated individual who is responsible for the operation of the CCTV system. This individual should ensure that your business sets standards, has procedures and that the system complies with legal obligations including individuals’ rights of access. The ICO said this will help you to use CCTV consistently. The policy should cover the purposes you are using CCTV for and how you will handle this information, including guidance on disclosures and recording.
Deal with requests for access to images properly
Separately, your business needs to have an established process to recognise and respond to individuals or organisations making requests for copies of the images on your CCTV footage and to seek prompt advice from the Information Commissioner where there is uncertainty. Both staff and customers have the right to request a copy of their image.
Requests can be made verbally or in writing, so your policy should include how to record any requests you receive verbally. You must provide the information without delay and at the latest within one month of receipt of the request.
Providing information promptly is important, particularly if you have a set retention period which conflicts with the statutory response period. In such circumstances it is good practice to put a hold on the deletion of the information.
When dealing with individuals’ requests for personal data you should carefully consider information about third parties, just as you would if they were mentioned in a document or computer file that was the subject of a request. You will need to keep an accurate log of subject access requests you receive, and how you have handled them. This will help you manage requests and deal with any challenges to how you’ve handled them.
You should not provide images to third parties other than law enforcement bodies to assist them in the detection or prevention of a crime. You should have a process in place to enable you to do this as quickly as possible.
Data protection means retaining images for the shortest possible time
Data should also be retained for the minimum time necessary for its purpose and disposed of appropriately when no longer required. In practice this means your business should only retain recorded CCTV images for long enough to allow for any incident to come to light, for example, for a theft to be noticed and to investigate it.
Any retention period should definitely not be based merely on the storage capacity of your system. All images should be deleted when it is not necessary to retain them, for example if they do not achieve the purpose for which you are collecting and retaining information.
However, you may need to retain information for a longer period, if a law enforcement body is investigating a crime and asks you to preserve it, to give them opportunity to view the information as part of an active investigation.
To ensure people’s images are being dealt with correctly the ICO says companies should:
- Document their information retention policy for CCTV information and ensure it is understood by those who operate the system
- Implement measures to ensure you permanently delete information through secure methods at the end of the retention period
- Undertake systematic checks to ensure that you are complying with the retention period in practice.
In addition, the ICO noted that long retention periods can affect the quality of the footage with modern cameras recording to hard disks.
Protect your CCTV system against criminals
Your CCTV images should be integrated into your cyber security strategy, as poor security could lead to your cameras’ feeds being viewed by criminals. If your devices are infected by malware, this could lead to a serious data breach with images being shared. Protecting your images is therefore part of your overall duty to protect all information to ensure that it does not fall into the wrong hands.
The ICO states that the security precautions should include technical, organisational and physical security. The actions it advises organisations to take are:
- Protect wireless transmission systems from interception.
- Restrict the ability to view or make copies of information to appropriate staff.
- Provide a secure space where footage is stored.
- Train staff in security procedures and sanctions against staff who misuse surveillance system information.
- Establish appropriate controls if the system is connected to, or made available across, a computer network. Internet-protocol (IP) cameras should be protected by firewall and router controls, and default passwords should be changed.
- Apply any software updates (particularly security updates) published by the equipment’s manufacturer to the system in a timely manner. Modern IP camera manufacturers issue security advisories and fixes to security problems, and users should keep these patched and up to date just as much as their other computer equipment.
- Protect the recorded footage from CCTV, whether tapes or hard disk, against access by any unauthorised person, whether an unauthorised staff member or an outsider.
- Store any data you have collected securely, for example by using encryption or another appropriate method of restricting access to the information.
Staff training on the CCTV system is essential
Organisations are also required to train relevant staff in all aspects of the CCTV system and the cameras, covering:
- The organisation’s CCTV policy and procedures.
- How to operate the CCTV system and cameras (if applicable).
- How to recognise requests for CCTV information/images. If they are authorised to access the cameras, they should be familiar with the system, and with the processes for reviewing footage and extracting it if required.
This means all staff should be familiar with procedures for recognising and dealing with requests for personal data and the likely disciplinary penalties for misuse of the cameras. Where a staff member’s role explicitly includes monitoring of CCTV, for example a security guard, you must ensure that you meet and record appropriate training standards.
Getting further data protection advice
To ensure that organisations are meeting their legal data protection requirements the ICO has produced an online guide to the GDPR, a self-assessment tool for those operating a CCTV system, information on data protection fees as well as detailed information and checklists for data controllers and processors.
If you want to be sure that you are making the best decisions about your CCTV system – such as the location of cameras – it is always best to bring in an expert. Ecl-ips can ensure that you are meeting your data protection requirements. We are NSI-Gold approved, meaning we uphold the highest standards there are for security installers. To give you peace of mind, why not contact us?