CCTV and GDPR – what you need to know to be GDPR compliant
Earlier this week, the ICO prosecuted a company operating CCTV in properties in Sheffield for failing to alert people to its use of CCTV, for failing to register with the ICO and for failing to comply with an Information Notice. This is likely to come as a shock to many organisations that aren’t aware that CCTV images are covered by the General Data Protection Regulation (GDPR). We take a look at what steps need to be taken for CCTV usage to be compliant with the new data protection legislation.
Pay your data protection fee to the ICO
CCTV images are considered to be personal data under the GDPR, whether that CCTV covers just business premises or overlooks public areas.
Organisations and sole traders (with few exemptions) that process personal data must pay an annual data protection fee to the UK regulator, the Information Commissioner’s Office (ICO). If you haven’t paid your fee as a Data Controller (an organisation that processes data for its own means), then you don’t appear on the public register, which, as its name suggests, can be readily searched by any member of the public.
Many companies are getting to grips with the need to have a new, clearer privacy notice on their websites. If you use CCTV, this needs to appear on that privacy notice. You will also need to communicate this clearly to employees in their separate privacy notice or terms of contract.
GDPR also requires you to inform people at the point of capturing their information. For CCTV images, this means putting up clear notices wherever you have cameras, explaining that you’re capturing images. You also need to explain why you are using CCTV. This is generally for security purposes, but there can be other reasons, like keeping an eye on manufacturing processes.
Control access to CCTV images
Your CCTV images may contain information that could harm or distress people, for example if your CCTV captures an incident and someone posts it on the Internet.
For this reason, you need to carefully control CCTV images that you capture. They should be kept on an encrypted system and only certain people in your business should be able to access them.
Train staff with access to CCTV images
Those individuals who have access to footage need to receive specific training on controlling CCTV images. You will need to keep a log of this training to provide evidence in the case of a data breach or a complaint made to the ICO.
Delete CCTV footage you no longer need
It’s likely that you won’t need to keep security footage for long; a few weeks is usually plenty of time to cover the possibility of someone needing to examine footage. Under GDPR you can only keep personal data for as long as it is needed for the purpose for which it was collected. After that, you must delete it.
Storing CCTV footage if there’s an incident
If there is an incident, public authorities (like the police) will tell you what you need to keep for longer. In that case, it’s essential that you keep that data - it’s a data breach if you delete it after being told to keep it!
If no-one asks you to keep footage for longer than your standard retention time, then you should delete it on schedule.
Domestic use of CCTV
The ICO also asks homeowners to notify their use of CCTV. The ICO is particularly sensitive to CCTV and security recordings that also have soundtracks, as these can divulge even more sensitive information.