The GDPR and CCTV

Almas Team
With the GDPR Regulations a hot topic for all UK businesses right now, many people are getting in a panic about the implications of the new regulations for their day-to-day business. The obvious topics surrounding the application of GDPR have been extensively discussed, and while businesses must look closely at how they collect, store and manage personal data, some areas such as the usage of CCTV are often getting overlooked.

Data protection legislation and CCTV are not new concepts under the GDPR, with both being included in the 1998 Data Protection Act. Since October 2001 there has been a requirement for businesses using CCTV to register with the Information Commissioner’s Office (ICO). Many organisations and businesses where CCTV is installed and there is public access are within the scope of the requirement to register with the ICO, unless exempt. With approximately 5.7 million SMEs in the UK and some 465,000 businesses registered on the ICO’s database, it is likely that there are many businesses that are in breach of the existing regulations and therefore need to work towards meeting the deadlines for the GDPR.

Much of the focus on the GDPR regulations is on understanding online data, risk management and the implementation of appropriate and effective controls. However, the GDPR regulations don’t just cover online security but physical security too. Because compliance, and being able to demonstrate it, isn’t optional, if you use CCTV as part of your security control it is important to understand how the GDPR will affect you.

CCTV (Closed Circuit Television) is used to capture images of data subjects (a.k.a. people!), whether that be for security or health and safety purposes. Identifiable imagery is considered ‘personal data’ under the new GDPR regulations and therefore requires the person who is handling it (the ‘Data Controller’) to act in a responsible manner. All Data Controllers must be able to justify how their business obtains and uses personal data by means of a CCTV system.

Justification

If you are placing cameras around the perimeter of your business to detect intruders, then this is easy to justify. However, if you want to place cameras inside a building, say for monitoring the movements of employees, then this is not so straightforward. For each camera you use, you should carry out a Privacy Impact Assessment (PIA) itemising the intended viewing area and the reason for the camera.

Informing others

You must always inform people of the presence of CCTV cameras and the purpose for collecting data must be made clear. This is especially important if the purpose is not obvious. If you are monitoring employees or health & safety, then this needs to be highlighted clearly. Signage is mandatory.

Recording

CCTV systems should be controllable so that the recording of the footage is not continuous. Systems must have the ability to stop capturing either footage and/or sound recordings, independently of each other. Capturing both could be deemed excessive and you would need to demonstrate clearly the reasons for recording both, and what legitimate grounds you are relying on to justify this. CCTV surveillance systems should not normally be used to record conversations between members of the public or members of staff as part of a working environment. Recording conversations is highly intrusive and would need detailed, documented justification as to why it is deemed reasonable. Regular checks are needed to ensure date and time stamps recorded on images are accurate.

Retaining Data

Best practice with regards to retaining data is only to hold CCTV recordings for 30 days. If you wish to hold data for longer, then your Privacy Impact Assessment (PIA) or data protection audit should state how long and why you need the data.

Store and Access

Data collected from CCTV systems must be securely stored with sufficient security safeguards in place to prohibit interception and unauthorised access. It is important to have a written information retention policy which is documented and understood by those who operate the CCTV system.

Permit

The GDPR regulations state that: ‘Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage.’ Anyone who is captured by your CCTV cameras, therefore, has the right to request that footage, because under the GDPR it is classified as personal data. They must follow a procedure to request the data (a ‘subject access request’, with which you have 40 days to comply and for which you may make a charge of £10). If any other individuals are visible in the footage, there needs to be a footage redaction service provided to blur out the faces of those other individuals. Staff who handle data should be trained in how to respond to requests from individuals for access to CCTV recordings.

Assist

Are you able to access recordings easily at particular locations or times in order to comply with a subject access request or police investigations?

Any truly effective approach to security when preparing for GDPR compliance must cover three aspects – prevention/technology, people and process. With the right guidance and help, meeting the GDPR’s data security requirements can lead not just to compliance but also to an enhanced security posture and business benefits. The most important thing to remember is not to panic: you have time, but only a finite amount of it, to get your data protection and physical access to that data in order. Don’t wait until it’s too late. Audit now. If you’d like a free GDPR security checklist, please get in touch.

As installers of CCTV systems, Almas Industries are well placed to help businesses with the physical security aspect of GDPR compliance. You can arrange your free, no obligation security survey by calling us on 0333 567 6677. If you prefer, you can always send a confidential email via [email protected].