Data protection regulator reminds retailers about CCTV rules

Choosing the right suppliers can help with compliance

Retail crime data protectionRetail crime data protection

With retail bosses demanding the government do more to tackle crime in stores, and turning to surveillance technology to tackle it, the Information Commissioner’s Office (ICO), UK’s data protection regulator, has reminded retailers of their responsibility to protect the privacy of law-abiding people.

Retail leaders, the British Retail Consortium (BRC) and the shopworkers’ union, Usdaw, wrote to the Home Secretary, Suella Braverman, in September calling for the government to create a standalone offence of assaulting or abusing a retail worker, with tougher sentences for offenders and demanding greater prioritisation of retail crime by police forces across the UK.

This echoed earlier interventions by the bosses of Tesco and John Lewis demanding more government action to support retailers and reports that they, along with eight other retailers would be funding a police operation that would run CCTV pictures of shoplifting incidents provided by them via the Police National Database.

This comes as surveys show that retail crime is on the increase. The 2023 BRC Crime Survey showed that incidents of violence and abuse towards retail colleagues had almost doubled on pre-pandemic levels to 867 incidents every day in 2021/22. It also put the scale of retail theft at £953m, despite over £700m in crime prevention spending by retailers.

Data protection compliance: Essential when deploying surveillance systems

A blog written last month by Melissa Mathieson, Director of Regulatory Policy Projects at the ICO, reminded retailers that they are able to share criminal offence data such as images to prevent or detect crime as long as it is necessary and proportionate.

She said, “We want businesses to be able to take action to prevent crime, but we want people who aren’t breaking the law to be able to go about their day without unjustified intrusion.”

The blog outlined when sharing images of a suspected shoplifter would be justified and appropriate and when it would not be. It also reminded retailers that sharing images would bring responsibilities around the key data protection principles, such as accuracy and retention.

How to share images of a suspect appropriately

Melissa wrote that sharing details of a suspect with the police, another manager of a store within the same shopping centre and sharing with security guards within that centre would all be appropriate use of an image. In these cases, you would be providing information to people that could help prevent, detect or investigate crime.

However, sharing images to another retailer via a messaging app may not be appropriate because of cybersecurity concerns. Additionally, sharing in a social media group that is open to the public, putting images in the local area or in a staff room would also be inappropriate because it would mean they would be seen by people without the authority to take action or could be shared more widely and therefore would not be proportionate.

When they are considering installing or expanding surveillance systems, Melissa added that retailers must adopt a data protection by design and default approach, considering data protection and privacy issues at the beginning of the project and throughout installation.

How we can help tackle retail crime

We can offer a range of security solutions to retailers that will meet data protection laws and have a high level of cybersecurity. These include:

If you would like to know more about how we can help keep your retail park or shopping centre safe and secure, while meeting your data protection obligations, please contact us.