CCTV and GDRP: Are you compliant?

As experienced suppliers of a vast range of commercial and domestic CCTV installations, the Clearway team often deals with privacy queries. There are laws to be aware of whether you are:

• Installing a new CCTV surveillance system.
• Have an existing installation and aren’t sure if you are compliant.
• Wish to add new cameras or reposition your current ones.

To help you identify whether your CCTV is GDPR compliant, we have created this checklist to work through each of the essential factors.

If in any doubt about the legality of a surveillance installation, it remains strongly advisable to seek advice from our qualified team of professional CCTV installers.

What Laws Does my CCTV Need to Comply With?

GDPR (the General Data Protection Regulation) and the Data Protection Act stipulate the laws around collecting personal data.

The information doesn’t just have to be written documentation but includes videos and photos, hence the scope of data privacy regulations extending to CCTV captures.

In essence, any information – including an image – that allows an individual to be identified must be compliant. For example, if your workplace CCTV shows employees, visitors, delivery drivers or registration number plates, it is personal data.

Therefore, every CCTV system owner needs to follow the guidelines to ensure they are compliant and do not violate any data privacy rules.

Do You Have CCTV Surveillance Signs in Place?

You cannot record anybody without his or her knowledge. Signs must accompany every CCTV installation on any premise to ensure that everybody entering the site knows that they may be recorded.

That acts as a preventative measure, and indeed having signage around your property advising of the presence of CCTV surveillance is often a robust deterrent against crime.

However, it is also in place to ensure that everybody has the right to exercise control over the data collected about them.

You might receive a request for footage to be shared with the individual or for that information to be deleted, and so they need to know that the surveillance has taken place and how you will use it.

For workforces, it is recommended you:

• Erect signs advising that CCTV recording takes place.
  Create a CCTV policy or include it in your privacy policy.
• Have You Explained Why CCTV Recording is In Place?

GDPR requires you to explain why you have a CCTV system. There are six bases on which you can justifiably use personal data collected through a surveillance installation:

• These six categories are the lawful reasons for processing personal data, and each might apply to a different scenario:
• Individual contracts, where you supply services or goods to another party and require surveillance capture as part of the service contract.
• Legal compliance, when you are obligated to capture data.
• Vital interests, where the information collected is required to protect the subject’s well-being or that of another party.
• Public tasks, such as governmental security, school surveillance systems, or police CCTV captures.
• Legitimate interests apply to private organisations where they have a viable reason to collect information, including for commercial benefit.

The key factor is that CCTV data collection must have a stated purpose, and the benefit cannot be outweighed by the rights of each person to privacy.

In public spaces, CCTV signage can include a brief explanation of the purpose of the installation to meet this requirement – for example, because it is used for public safety reasons.

Do You Have Controls in Place to Restrict Access to CCTV Footage?

Businesses will need to appoint a Data Controller as the person (or named people) responsible for managing the storage and use of personal information captured through CCTV.

You need to ensure that:

• Data is only accessible to appropriate individuals, such as managers or security staff.
• CCTV must be secured and only viewed by people with permission.
• The information should be stored safely, with adequate security.

Some of the options include storing footage in locked cupboards, implementing access controls on digital files, or encrypting your CCTV footage.

Do You Delete CCTV Footage Regularly?

The next consideration is having a retention period, after which time you delete the CCTV files and the information contained.

Ideally, you should outline in your privacy policy or CCTV policy how often that takes place.

GDPR states that you should only keep information for ‘as long as necessary’, so this is discretionary. The best way to determine the appropriate retention period is to think about why you collect the data.

Most CCTV surveillance is deleted every 14 or 30 days.

Do You Have a Data Protection Impact Assessment in Place?

A DPIA acts as a risk assessment for data processing and ensures that you have mitigated any risks that could potentially impact the individuals being recorded.

Non-compliance can be serious business, and the fines can be extremely high. Therefore, it is essential to work through each of these checkpoints and seek a professional consultation if you have any concerns about whether your CCTV is GDPR compliant.