If you are thinking of having a CCTV system installed, or you already have CCTV cameras, you need to think about keeping on the right side of the law which means you need to take data protection regulations seriously.
The Information Commissioners’ Office which regulates data protection law has the power to enforce the rules, including the power to issue fines. The CCTV footage that is recorded of people is classed as their personal data and so it gives them rights over it and obligations you must follow. Therefore, compliance is advised.
To be compliant you must adhere to the rules of the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018 (DPA 2018). In addition, for law enforcement processing, part 3 of the DPA 2018 needs to be complied with, which is separate from the UK GDPR regime. The ICO has produced a Guide to Law Enforcement Processing to aid compliance with this area of law. If your organisation has a commercial CCTV system you will need to register with the ICO if you have not already done so.
Article 5 of the UK GDPR sets out seven key principles that need to be part of your approach to processing personal data. One of these principles is “purpose limitation” which means you must:
- be clear from the outset why you are collecting personal data and what you intend to do with it;
- comply with your documentation obligations to specify your purposes.
As explained in the video when you outline the purpose of your CCTV there are a number of factors that need to be considered:
- When you consider the purpose is CCTV actually necessary. For example, if your purpose is security, have you exhausted all other options? This could be actions such as installing security lights, higher fencing or security shutters etc.
- If you do go ahead with CCTV, you should only place cameras in the locations where they will fulfil that purpose.
- You must also consider the potential impact of the CCTV on people. Therefore, you should consult with staff about why the system is being considered and locate cameras so they only capture footage of your property.
The CCTV system can fulfil more than one purpose, for example, crime prevention and control or supporting health and safety. However, this must be in writing within a CCTV policy. Once you have a CCTV system installed you need to keep this under review and ensure that the CCTV system continues to be used for that purpose and no other unless clearly stated within your CCTV policy.
The ICO provides guidance for organisations who use CCTV or are thinking of installing CCTV. Additionally, as covered in our blog last year, if you follow the 12 Guiding Principles of the Surveillance Camera Code of Practice this will enable you to be legally compliant with data protection law. This is why we offer our customers the cloud-based solution CCTV Logbook as its compliance package provides you with a systematic approach to support you to follow the Surveillance Camera Code of Practice.
This is the first in a series of blogs looking in detail at data protection law and CCTV. If you want to know more about how to stay compliant sign up to our newsletter on our blog page or subscribe to our YouTube channel so you see the accompanying videos as soon as they are published. If you are based in south-west England and would like more help to get data protection advice, please contact us.