CCTV Systems: Embedding Data Protection by Design and Default

Understanding your data protection obligations is important


The UK GDPR made the concept of data protection by design and default a legal requirement. This is about considering data protection and privacy issues from the earliest stages of any project planning. Therefore, they must be part of your thinking when you are planning to install a new CCTV system or when you are making upgrades to an existing surveillance system.

Considering data protection in a consistent manner, in everything you do, where you are processing personal data, will help you comply with the UK GDPR’s fundamental principles and requirements. Data protection by design and default also forms part of the focus on accountability, one of the GDPR’s seven key principles.

The other key principles are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)

Accountability, in respect of the UK GDPR, means organisations, and the individuals within them, taking responsibility for what they do with personal data and how they comply with the other principles.

In practical terms, when you are designing, purchasing, installing and thinking about the ongoing operation of your CCTV system, you must:

  • Make CCTV purchasing decisions based on the ability to provide a data protection compliant solution to a problem. For example, you need to define a purpose for your CCTV system as explained in a previous blog.
  • Establish criteria for procuring systems and the decisions you make about deployment and configuration in line with data protection law.
  • Consider the data protection implications of more intrusive surveillance systems such as automatic number plate solutions, body-worn cameras and facial recognition technology.
  • Ensure that the design of your surveillance system allows you to easily locate and extract personal data in response to individuals exercising their rights. For example, in response to subject access requests or for disclosures to authorised third parties such as law enforcement. For more about the rights individuals and law enforcement have in respect of accessing CCTV footage see our previous blog on Redaction.

To be compliant with the law you must adhere to the rules of the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018 (DPA 2018). In addition, law enforcement processing must comply with Part 3 of the DPA 2018, which is separate from the UK GDPR regime. The Information Commissioner’s Office (ICO) regulates data protection law and has the power to enforce the rules, including the power to issue fines. If you have a commercial CCTV system you must be registered with the ICO.

The Biometrics and Surveillance Camera Commissioner’s Buyers’ Toolkit has been developed to help organisations meet the data protection by design and default requirement. The Toolkit also outlines the requirements for manufacturers of surveillance camera systems and components so that you can have more confidence that their CCTV systems are compliant with data protection law.

This blog is part of a series of articles and videos that provides information on data protection law in relation to CCTV. If you want to know more about how to stay compliant, sign up to our newsletter on our blog page or subscribe to our YouTube channel so you see the accompanying videos as soon as they are published. If you would like more help to obtain data protection information, please contact us.