CCTV and Data Governance

One question we are often asked is: what are the data protection requirements for CCTV? Well, as an ISO auditor across the UK public sector, our very own Tracey Hannan-Jones, Lead Governance, Risk and Compliance Consultant at Phoenix, takes a look.


“CCTV surveillance is increasingly being used for the safety of organisations to protect property and persons within your organisation, and those who share your physical and digital space. Given that CCTV images can be used to identify people, the GDPR demands that organisations are transparent with the footage captured and held.

It’s about data protection, and protecting the legal requirements for CCTV, to protect your data subjects and your organisation. It’s about ensuring you understand the structure for managing CCTV effectively and supporting your surveillance for legitimate purposes.

CCTV footage is subject to the GDPR and while many think that the regulation is just around written details, like names, addresses, dates of birth etc, it applies to ANY INFORMATION that can identify someone. This includes pictures and videos and it is therefore important to understand how to use CCTV, whether directly yourselves, or using a third-party surveillance partner.

Key things to consider

It’s not essential to have a CCTV policy within your organisation, but it’s a recommendation to have one that contains, as a simple guide, the following areas:

  • Why your organisation uses CCTV (i.e. its purpose) and how you use these systems accordingly.
  • How you address and consider relevant laws, regulations and codes of practice and standards around surveillance.
  • The elements around privacy considerations before implementing CCTV surveillance.
  • Secure storing and processes for CCTV images and records, in accordance with GDPR data processing principles.
  • Aligning CCTV signage on your premises.
  • Assignment of roles and responsibilities within your organisation around CCTV data.
  • Outsourcing controls and supplier reviews in line with the GDPR and DPA.
  • Chain of Custody handling in the event of third-party requirements (such as third-party insurers, police, and other interested parties).

What should be covered?

Your People: Making sure they know they are being recorded.

One of the core principles of the GDPR is ‘TRANSPARENCY’ – this means telling people (staff, students, citizens, visitors, etc) that you are collecting personal information, to allow them to exercise their ‘data subject rights’:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights related to automated decision making, including profiling.

These rights enable individuals to access the personal data you store on them and to challenge you on the way that their data is used – even CCTV images.

It is therefore important that you make people aware that you are recording them, by appropriate CCTV signage, and if you are using CCTV to monitor employees, then you should explain in your privacy policy that they are being recorded.

If your organisation uses CCTV, you must register your details with the Information Commissioner’s Office (ICO) and pay a data protection fee (unless you are exempt). In doing so, you must tell people that they may be recorded, display signs (read more below). But also, control who can see the recordings and ensure that the system is only used for the purposes it was intended for.

State clearly WHY you are using CCTV

Under the GDPR, it is simply not enough to say that you are collating ‘personal data’ – you must also explain WHY you are doing so, and how you are using it. This is where the GDPR’s Regulations around ‘lawful bases of processing’ come in.

There are six bases in total and except for ‘consent’, each one below may be suitable for different circumstances:

  • A contract with an individual – for example, the supply of goods or services, whereby you include a provision that those services are monitored.
  • Compliance with legal obligation – where you are processing data for a particular purpose as a legal requirement.
  • Vital Interests – where for example, you need to process data that will protect a person’s physical integrity or life (either that of the data subject, or another person).
  • Public Task – where, for example, there is a need to complete official functions or tasks in the public interest – this is an important one in the public sector, as it covers public authorities, such as government departments, schools and other educational settings, hospitals and the Police.
  • Legitimate Interests – whereby a private sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent – if it is not outweighed by negative effects to the individual’s rights and freedoms.

So, if you are recording in a public area, you can meet this requirement by including a brief explanation on the signs you have posted, so for example, you might state:

“CCTV in operation for the purpose of public safety”.

These signs are readily available to buy and you can fill in your ‘statement’ where the purpose is left blank.

Finally, if you have the need to monitor your employees, then you should explain the basis for processing in your privacy policy.

What about ‘Body Worn’ videos?

Body Worn Videos (BWV) are often worn as part of a uniform, and are increasingly being used in the workplace, especially in the Emergency Services/Blue Light services. However, also coming into this category are sports action cameras in local council and educational settings – all used by data controllers.

The sensitivity of the footage (both audio and video) differs by situation, and the extent of the damage and stress if the information were accessed by an unauthorised person must also be considered by the data controller. This includes aspects such as the increased likelihood of theft or loss: some BWV devices store data directly onto the device itself, while others store on removable memory cards – the loss of such a card or device, due to accident, theft or technical issue, may be perceived as a greater risk than the physical device itself.

Encryption, Access Controls and Asset Management controls therefore play an important part in protecting data, as well as in protecting data logs – if you have not captured these types of devices in your policies, we highly recommend a review.

Who can see the recordings?

Anyone can ask to see the images that you’ve recorded of them. You usually must provide the footage as requested, free of charge and within one calendar month.

Additional sources:

For any support around data governance, risk and compliance, feel free to contact the team [email protected] and request a copy of our services catalogue or simply fire a question over to us.”