Data Protection is centred around ensuring you have a strong approach to protecting and processing personal data. CCTV footage of people is classed as their personal data and so it gives them rights over it and obligations you must follow.
This means any organisation that operates a CCTV system must be registered with the Information Commissioner’s Office (ICO), which governs and regulates data protection law in the UK. Article 5 of the UK General Data Protection Regulation (GDPR), which forms part of the Data Protection Act 2018 (DPA 2018), sets out seven key principles which, the ICO states “should lie at the heart of your approach to processing personal data”:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
Protecting people’s privacy
While there are circumstances that may mean you need to provide the video surveillance to others, you need to take action to protect people’s privacy, if they are not involved in the incident within the CCTV footage.
Therefore, as this video explains, you may need to gain consent from third parties to disclose the footage or alternatively remove or you may choose to blur, mask, or use a solid fill to obscure parts of the footage. This is called redaction.
As long as you use redaction or other methods to protect innocent people’s right to privacy, you can give access to third parties under the GDPR. although the ICO states that this should be “consistent with the purpose(s) for which you set up the system.” For more about considering the purpose of your CCTV system please read our earlier blog.
Law enforcement and individual rights to access CCTV footage
Even if this is not your purpose it is still acceptable to disclose information to law enforcement agencies, if relevant as failure to do so could prejudice an ongoing investigation, the ICO states. Law enforcement processing is governed by part 3 of the DPA 2018, and is separate from the UK GDPR regime. The ICO has produced a Guide to Law Enforcement Processing to aid compliance with this area of law.
However, individuals also have a right to request access to footage under Article 15 of the UK GDPR, for the purposes of protecting their personal data. In order to deal with these requests properly, and to ensure you use redaction where appropriate, you need to train members of staff so these requests are recognised and processed when they are received. To comply properly with data protection law, you will need internal procedures for the handling of requests and to help locate the requester’s information.
You must ensure, if you are allowing access to CCTV footage for law enforcement purposes or following the request of an individual, that you do not compromise the general right of privacy to others. Use of redaction, allows you to balance the need or right to access information with another individuals right to privacy.
This is part of a series of articles and videos that provides information on data protection law in relation to CCTV. If you want to know more, and to see the blogs and videos when they are published subscribe to our newsletter and to our Youtube channel. You can also contact us.