CCTV (or ‘closed-circuit television’) comes in different forms. Whether it’s used in homes or commercial settings it can, understandably, raise concerns on privacy.
It is important to understand your responsibilities under data protection laws. This article aims to summarise the key compliance considerations associated with the use of CCTV.
CCTV for Domestic Purposes
Many households have CCTV installed, often in the form of a smart doorbell camera or a home security system. If personal data is processed purely for a personal or household activity (i.e. there is no connection to a professional or commercial activity) then this processing falls mostly outside of the scope of UK data protection law. This isn’t an exemption but works like one in practice.
If the footage captures images beyond the private boundary, such as a public footpath or a neighbour’s entrance, then data protection legislations apply to an extent. Homeowners should take appropriate steps to minimise the risk of privacy intrusion to other individuals, such as utilising the privacy settings offered within many popular systems to limit the field of vision and regularly reviewing and deleting any unnecessary footage.
CCTV for Commercial Purposes: Key Compliance Considerations
Any organisation that processes individuals’ personal data is subject to data protection law: footage captured by CCTV is classified as personal data.
Whether you are already using CCTV or thinking of using it in the future, we recommend businesses consider the points below to ensure data protection compliance and minimise regulatory risks.
1. Complete a Data Protection Impact Assessment (DPIA)
Organisations must carry out a data protection impact assessment (or ‘DPIA’) for any processing activity that is likely to result in a high risk to individuals. A DPIA will help you to identify, analyse and minimise the privacy and data protection risks associated with the activity.
Article 35 (3) sets out the three types of processing which will always require a DPIA: systematic and extensive profiling with significant effects; large scale use of sensitive data; and public monitoring. CCTV, therefore, does require a DPIA. This should be the first step you take before implementing CCTV or other surveillance systems.
2. ICO Registration
Under the Data Protection (Charges and Information) Regulations 2018, organisations (including sole traders) that use personal information need to pay a data protection fee to the Information Commission, unless they are exempt. You can determine if your business meets this threshold by completing a self-assessment on the Information Commission’s website.
3. Signage and Transparency
If CCTV is in operation, you must inform individuals that they are being monitored. Signage should be visible before someone enters a CCTV zone. They should clearly indicate the responsible organisation and the purpose of surveillance.
To keep individuals informed of your data processing, you should update your privacy policy to reflect that you are using CCTV. A robust CCTV Policy is also essential, as it acts as guidance for employees when using surveillance systems or handling camera footage in practice.
4. Camera Placement
CCTV should be positioned to capture what is necessary for the stated purpose. To illustrate, if CCTV is used for security, then it will be justifiable to place a camera in communal spaces or entrances. However, monitoring in private spaces, such as staff break out rooms or toilets will not be justifiable.
5. Data Retention
The “storage limitation” principle requires personal data to be kept for no longer than is necessary for the purpose it was obtained. This means that organisations cannot keep footage indefinitely. Organisations should determine retention periods weighing up legal obligations with commercial needs.
6. Data Subject Rights
Individuals whose image are captured have several rights under the UK GDPR. Most notably in terms of CCTV:
- Right to access: to request for a copy of the footage in which they appear.
- Right to object: to object to being recorded.
- Right to erasure: to request deletion of their footage.
Organisations should put in place a procedure for handling such requests and ensure that the CCTV systems allow for access to the camera footage to facilitate timely responses.
Complaints
In addition to the above rights, individuals have the right to lodge a complaint with the Information Commission if they believe their personal data has not been processed lawfully.
The Data (Use and Access) Act has recently come into force, and introduces a new right for individuals to submit their complaints directly to the organisation processing their data. All complaints must be acknowledged within 30 days and responded to without undue delay.
If your organisation has not already done so, we recommend establishing a complaints procedure to provide individuals with a channel for raising their complaints. This will demonstrate your commitment in helping individuals exercise their data subject rights.
Conclusion
CCTV is a valuable tool for ensuring personal safety and security, but it must be used in accordance with data protection legislations and in a manner that respects individual privacy rights. Without careful considerations, you may find yourselves in breach of the laws, which can cause significant reputational and financial risks. It is therefore crucial to take proactive steps to ensure lawful processing.
This article was written by Cherry Wong, paralegal, and Max Miliffe, data protection specialist, in our Intellectual Property, Data Protection and Technology team, if you wish to discuss further please reach out them, or call us direct on 0345 540 5558.