CCTV is part of everyone’s lives, but a climate of unease has grown up around surveillance at work. In this article, we will explore the effects of GDPR on the use of CCTV in the workplace.
What is CCTV?
CCTV means closed-circuit television, also known as video surveillance. Video surveillance systems monitor the behaviour or activities of people from a distance with electronic equipment. Video surveillance can include anything from closed-circuit television or automatic number-plate recognition systems to any other system for recording, storing, receiving or viewing visual images for surveillance purposes.
What is Workplace Surveillance?
Under GDPR, employers can monitor employee activity if they have a lawful basis and clearly communicate the purpose of the monitoring to their employees.
There are many legitimate business reasons for employers to monitor employees using CCTV and other surveillance methods such as sound recording. Lawful bases of monitoring include preventing crime and employee misconduct; compliance with health and safety procedures; improving productivity; and sometimes (such as in the financial services sector) complying with regulatory requirements. Employers must:
- Have written policies and procedures in place regarding monitoring.
- Monitoring shouldn’t be excessive and should be justified.
- Staff should be told what information is recorded by the CCTV and how long their employer will keep it.
- If employers monitor workers by collecting or using information, the Data Protection Act will apply.
- Information collected through monitoring should be kept secure.
Under the Data Protection Act, if an employer gives a reason for the cameras, for example, to prevent theft, the employer cannot then use the footage for another reason, such as recording the entry and exit of workers from the workplace.
Legitimate interests vs workers’ rights
Businesses must make sure they balance their legitimate interests with the interests, rights and freedoms of their employees. Employers also need to apply safeguards to ensure that employees’ rights are not prejudiced. Should an employee object to the use of CCTV cameras in a particular area, GDPR regulations place the burden on the employer to show that it has “compelling legitimate grounds” for processing that override the employees’ rights, or for the establishment, exercise or defence of legal claims.
Employers should confine CCTV surveillance to areas where the risk of infringing employees’ privacy rights is low, for example, monitoring employees’ movements in a general entrance area. Cameras cannot be installed in areas such as changing rooms or toilets without an extremely compelling reason and strong justification (i.e. bathrooms being used for habitual drug use) and may never be used to target a particular group of employees.
The purpose of any CCTV must be clearly communicated to employees by way of a Privacy Notice. GDPR requires that employers make this clear and unambiguous. CCTV is generally installed for security purposes, but it could be used to monitor employee performance or conduct as well as health and safety. Adequate notice must be provided to employees prior to having their personal data recorded.
What’s the risk of CCTV ‘profiling’ under the GDPR?
Under Article 35 of the GDPR, any excessive use of CCTV monitoring to profile employees is “high risk”. An assessment of the impact of any envisaged processing of personal data must be undertaken before installation of any surveillance system. Some situations always require a DPIA (Data Protection Impact Assessment):
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; for example, credit checks, fraud prevention, insurance underwriting.
- processing on a large scale of special categories of data, e.g. data which reveals ethnic origin, race, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or sexual orientation, or data which relates to criminal convictions and offences.
- a systematic monitoring of a publicly accessible area on a large scale, e.g. automatic number plate recognition, intelligent transport systems, surveillance of public areas, application of AI.
A DPIA considers whether the surveillance is necessary and proportionate considering the risks to the rights of data subjects, including consideration of any safeguards or security measures that the data controller will put into place.
The case of López Ribalda
A recent judicial decision of the European Court of Human Rights has reinforced the importance of applying the proportionality principle when assessing the lawfulness of using CCTV surveillance to monitor employees.
Five supermarket workers, including Ms López Ribalda, worked as cashiers at MSA, a Spanish supermarket chain. Their employer monitored them to investigate a possible series of thefts. The employer installed visible and hidden cameras but told its workers about the visible cameras only, so they were unaware of the covert cameras. The employer showed all the workers suspected of theft video footage capturing their involvement in the theft of goods. The five employees admitted the thefts and were then dismissed on disciplinary grounds.
The employees argued that the use of the covert video had infringed both their privacy rights and their right to a fair trial. The court rejected the fair trial claim but upheld the employees’ privacy claim, finding that the Spanish courts had failed to strike a fair balance between the employees’ right to respect for their private life and the employer’s interest in protecting its property. Most of the bench found that the employer’s rights could have been safeguarded if they had notified their employees in advance of the covert cameras.
What do you need to consider?
Businesses must consider GDPR requirements if they already have or plan to install CCTV cameras for any purpose. They must address the rights of employees, potential customers and other parties. Monitoring may only be undertaken if there is a lawful basis. Any personal data collected must be used and kept only to fulfil its original purpose, and GDPR-compliant signs must be prominently displayed.
It is advisable for businesses to draft a series of data protection policies relating to the use of CCTV cameras. These policies should address:
- the purposes for which CCTV surveillance is being carried out
- the conditions in which monitoring will take place
- the nature of the monitoring
- how individuals’ personal data obtained will be used
- how long the footage will be retained
- the impact of this on individuals’ rights.
It is also very important to ensure that there is adequate signage in areas where CCTV cameras are installed. Businesses need to put in place appropriate technical and organisational measures to mitigate any risk posed to an employee’s privacy rights in the event of a data breach.
How Almas Industries can help
As installers of CCTV surveillance systems, Almas Industries are ready to help you with all aspects of GDPR compliance including Data Protection Impact Assessments. You can arrange your free, no obligation security survey by calling us on 0333 567 6677. If you prefer, you can always send a confidential email via [email protected]