You are being watched! The GDPR and the use of CCTV systems.
You are being watched! The GDPR and the use of CCTV systems.
Introduction.
At a time when technology, including smart cameras, allows companies to collect much more sensitive information about individuals, more stringent supervision of the protection of personal data is certainly needed. The General Data Protection Regulations (GDPR), which will apply throughout the European Union from May 2018, will therefore affect camera system operators.
A video recording of an identifiable person naturally forms part of an individual’s personal data. Moreover, any time an individual’s image is captures, whether it is static or moving data falls within the Regulation’s definition of biometric data.
Lawfulness of Processing.
A Data Controller must be able to justify the obtaining and use of personal data by means of a CCTV system. It is unlikely that a Data Controller will be able to rely on an individual’s consent as the legal basis for the use of CCTV, and do the lawfulness of processing may need to be legitimized on the basis of the legitimate interests pursued by the data controller or a third party. In that case, a balancing exercise will need to be carried out to verify that the CCTV’s use does not override the rights and freedoms of the individuals whose personal data may be captured by the CCTV.
Note that biometric data fall within the special categories of personal data, the basis of processing for which are specified in Article 9 of the GDPR. Processing can therefore only be carried out if one of the permitted conditions applies, and it will be up to the controller to determine this prior to carrying out the video surveillance.
Data Protection Impact Assessment.
In cases where the installation of CCTV may pose a high risk to the rights and freedoms of natural persons, an impact assessment must be carried out before processing, with a view to assessing the impact of the planned operations.
A Data Protection Impact Assessment (DPIA) will have to be completed:
- The video surveillance is considered to be high risk;
- It involves the systematic monitoring of a publicly accessible are on a large scale; or
- If video surveillance has been included by the relevant supervisory authority on a list of data processing operations that require a DPIA.
If the DPIA indicates that the high risk cannot be sufficiently mitigated, for example, by appropriate siting of the camera and setting the direction they point, then the data controller must consult with the supervisory authority prior to the use of the video surveillance.
Measures to Be Taken by The Data Controller.
Staff Training:
The authorized personnel operating the system and accessing the footage should receive adequate training and be made aware of the system operator’s compliance obligations. Personnel should be familiar with the operator’s relevant policies and aware of the disciplinary and legal sanctions for misuse of the CCTV system, including that it may constitute a criminal offence. Furthermore, authorized personnel should be able to handle footage securely and to deal with disclosure requests from law enforcement agencies and with subject access requests.
CCTV policy
This is a written document setting out the policy governing of the CCTV system. It should also address important privacy issues, such as the processing purposes of the CCTV recording; whether data will be retained data; disclosures to third parties; and responding access requests.
Regular reviews to ensure compliance
Proactive checks and audits should be carried out on a regular basis to ensure continuing compliance. In particular, this should include reconsidering whether the use of the CCTV remains justified and renewing any notifications with regulatory authorities.
What should data subjects expect?
The CCTV operator must let data subjects know they are using CCTV. Individuals should be informed by warning signs, which should be visible, sufficient in number and in a conspicuous place. The sign must indicate:
(a) that the video is being videograph,
(b) the Controller and
(c) The purpose of the video recording.
Conversations between members of the public should not be recorded on CCTV.
Data subject rights and CCTV
For overt video surveillance, the controller must comply with the transparency requirements of the Regulation to the extent that is possible in cases where the controller may not have a direct relationship with the affected data subjects, such as where the cameras cover a large, public space. Individuals will need to be provided with information to make them aware that CCTV is in operation and of the areas being monitored.
The information will need to be visible and placed within reasonable distance of the monitored area. The information should also include the purpose of the surveillance and identify the controller with contact details.
As the information that may be made available via a sign with a camera symbol is unlikely to contain all the details prescribed by Articles 13 and 14, the controller should be prepared to provide the full information necessary when a data subject makes contact.
The personal data that is captured through video surveillance will be subject to the Article 15 right of access by the data subject. Given that usually CCTV footage is only retained for short periods of time, the right of individuals to access the data held about them is normally of narrower scope compared to other contexts. Nevertheless, to the extent that data is retained, controllers must have the ability to effectively respond to subject access requests. Where CCTV footage also includes pictures of other people, measures should be taken to safeguard their privacy, for example, by blurring the images of the others.
Conclusion.
Taking the above into consideration many companies need to look at their security arrangements and ensure there no likely breaches of regulation. An innocent oversight could result in a hefty penalty for every business. It is no longer acceptable to not understand or not to be aware of the laws associated with the CCTV systems.