Since the introduction of the GDPR in May 2018, issues surrounding personal data and data breaches increasingly feature in the news. These high profile issues tend to relate to breaches involving contact details, passwords and financial information. What is often not realised is that images of a person captured on CCTV amount to personal data. Given the prevalence of CCTV, this is a potentially significant issue in the context of data protection.
The Information Commissioner (ICO) has recently highlighted concerns surrounding the use of CCTV cameras in taxis, usually installed and controlled by local authorities. A key concern for the ICO is that the cameras record at all times, meaning the taxi drivers are being recorded when using the vehicles for personal purposes, which is an invasion of their privacy and may be excessive. A further concern surrounds who controls processing of the data: this is usually the local authority if it has instructed the installation of CCTV rather than individual taxi drivers.
The use of CCTV may also be a key data protection issue for certain types of sector, those operating in the licensed trade being a prime example. It is a fairly common condition of licences that CCTV be installed on the premises, usually for the purposes of preventing crime. However, the use of such systems has always been subject to strict guidance, which might be under greater scrutiny in future since the introduction of the GDPR. The owner of the premises will generally be responsible for the data collected by surveillance cameras.
So what should those who use surveillance camera systems be aware of?
- Register with the ICO
Data controllers must register with the Information Commissioner and pay an annual fee, the amount of which depends on the size of the business. Any business which operates a surveillance camera system will likely need to be registered as they are processing personal data. For most small businesses the fee will be £40 or £60. The ICO website has a tool for calculating the relevant fee (found here)
- Be aware of available guidance
There is guidance available in relation to surveillance cameras and the use of the data they collect, which it is advisable for users of such systems to be aware of.
The ICO has a Code of Practice for Surveillance Cameras and personal information (read here ). This guidance has not yet been updated in light of the GDPR but remains relevant.
The guidance notes issues for different types of surveillance camera system – we refer to CCTV in this blog for ease of reference, but care should be taken to consider the particular implications of different types of system.
The Home Secretary has produced a Surveillance Camera Code of Practice (read here.) This was also in place before the GDPR came into force but the Code of Practice sets out 12 principles, which broadly reflect the principles of the GDPR and Data Protection Act 2018, including that:
- use of surveillance cameras should be for a specified purpose
- be necessary to meet a pressing need
- should be subject to security measures; and
- that information and images collected should be deleted when no longer required.
- Have a clear policy
One particular principle to note is that clear rules, policies and procedures must be in place before a surveillance camera system is used, and must be communicated to all who need to comply with them. Therefore, any organisation using CCTV should have a policy setting out the terms of its use, and staff who have access to the system must be aware of the policy.
- Inform customers that CCTV is in use
One of the principles set out in the Home Secretary’s Code of Practice is that there must be as much transparency in the use of a surveillance camera system as possible. Part of this is making the public aware that CCTV is in use and that they may be recorded. It is generally a requirement that organisations put up clear and visible signs that CCTV is in use on the premises. The notice should ideally refer to where further information can be obtained. It is advisable to have a policy which is available to customers to read should they ask for further information about how their personal data is being used.
- Conduct a risk assessment
In complying with the Code of Practice and the GDPR generally, showing that the use of surveillance cameras has been carefully considered and assessed will be useful. Points to consider include:
- Why is CCTV necessary and why is it proportionate for the purpose installed? (i.e. is it to discourage anti-social behaviour and crime?)
- Who has access to the images recorded by the CCTV?
- How is the CCTV system and the data it collects stored and secured?
- How long are recordings retained and why?
- In what circumstances might CCTV footage be disclosed to third parties?
Under the GDPR, the potential penalties for non-compliance are higher than ever before. While businesses will generally only come under scrutiny if there is a particular complaint, CCTV is an area which in practice it is surprisingly easy to be lax about, and which needs fairly strong justification for extensive use. Even if it is a condition of a premises licence, the business as the data controller is ultimately responsible for how the system and the data it collects is used. Taking time to consider compliance is therefore essential to ensure you don’t fall foul of the law.
Contact our expert GDPR Solicitors, Glasgow today
If you require assistance in ensuring compliance with the GDPR, whether in regards to the use of CCTV footage or otherwise, Miller Samuel Hill Brown can help. Get in touch with us today on 0141 221 1919 or fill in our online contact form to discuss how we can help you.
