If you are operating a surveillance or CCTV camera system, or you are considering installing a system, you need to be aware that any footage of people is classed as their personal data and you have a duty of lawfulness, fairness and transparency. People have rights over their data and you have obligations to follow.
The data protection regulations in the UK are enforced by the Information Commissioners’ Office (ICO) which also has the power to issue fines if you fail to meet your obligations. Therefore, compliance is advised. Additionally, if your organisation has a commercial CCTV system you will need to register with the ICO if you have not already done so.
To be compliant you must adhere to the rules of the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018 (DPA 2018). In addition, for law enforcement processing, part 3 of the DPA 2018 needs to be complied with, which is separate from the UK GDPR regime. The ICO has produced a Guide to Law Enforcement Processing to aid compliance with this area of law.
Lawfulness
Article 5 of the UK GDPR sets out seven key principles that need to be part of your approach to processing personal data. The first of these principles is the need to process personal data in a manner that is lawful, fair and transparent in relation to individuals, described by the ICO as the lawfulness, fairness and transparency principle. Under Article 6 of the GDPR you need to identify and document a lawful basis for the use of any surveillance system.
When you operate a CCTV system in areas where a large number of people are likely to be captured by the cameras, such as in large retail parks, entertainment or hospitality venues obtaining individual consent from members of the public for the processing of their data would be difficult. Therefore, the lawful basis for the cameras would be achieved be identifying a legitimate interest for the surveillance. This can be done by carrying out a legitimate interest assessment (LIA). The ICO has created a template for organisations to carry this out. It advised organisations to carry out the assessments in three parts:
- The purpose test (identify the legitimate interest); this would be covered within your CCTV policy when you identify the purpose of the surveillance system
- The necessity test (consider if the processing is necessary, which again would need to be specified when you outline the purpose of your CCTV
- The balancing test (consider the individual’s interests).
If your surveillance camera system will be using biometrics, such as facial recognition for the identification of individuals, you will need to document this and take particular care with the processing of footage to ensure you are continuing to work under the lawfulness principle.
Fairness and transparency
Acting with fairness, in respect of CCTV, means ensuring that people are aware that any recording is taking place and that the location of any cameras is appropriate and would not adversely impact on their right to privacy.
For example, within a retail park, shoppers are likely to expect to see cameras as part of crime prevention, including within shops, but it would not be fair to have a CCTV camera installed within fitting rooms or washrooms as people would expect to have more privacy.
Providing signs for the public when a surveillance system is in place is also important for transparency. The ICO says signs need to be the right size for the system’s use, for example visible to pedestrians or drivers, if that is required. The signs need to include details of the organisation operating the camera system, their contact details and the purpose of the surveillance system.
The ICO says the signs should be more prominent and frequent in areas where people are less likely to expect that they will be monitored by a surveillance system. For example, this is particularly important when you are using a system to cover a large public area and capture a large amount of personal data.
Meeting your data protection obligations
We design and install CCTV systems in south-west England and are keen to ensure customers understand their data protection obligations. A new law, the Data Protection and Digital Information Bill, is close to being passed by parliament which does make some changes to the UK GDPR but following current requirements will ensure you remain compliant. If you want some support you could sign up to CCTV Logbook, which will give you a handy checklist to help you with compliance. In addition, we have produced a series of blogs and videos looking in detail at data protection law and how it relates to CCTV. If you would like to know more you are welcome to contact us.