Is your CCTV system GDPR compliant?
If your CCTV system monitors or records the activities of individuals, this will constitute the processing of personal data under the General Data Protection Regulations (GDPR) and be caught by the data protection legislation.
If you are a homeowner using a CCTV system, the UK Data Protection Act 2018 (DPA), which implements the EU-wide GDPR, does not apply to CCTV installed on a person’s own home in order to protect it from crime such as vandalism or burglary. However, if the camera captures areas outside of the confines of the household, for example, a shared drive or car parking space, the data gathered will be subject to the DPA. The guidance for businesses below will then also be applicable to your home CCTV system and will need to be complied with in order to avoid penalties under the DPA.
Business owners can usually rely on their own legitimate interests or a legal requirement as the lawful basis for operating CCTV and processing the related data. However, they will need to demonstrate that lawful basis for the entire area covered by the camera. Individuals recorded by CCTV become “data subjects” when footage of them is recorded and stored. The data subject’s rights and freedoms cannot be overridden, especially where relying on legitimate interests as the lawful basis for processing their data. Even inside a work premises, employees have a right to privacy.
Data subjects are entitled to understand when their personal data is being recorded and stored. As a result, the recording and storage of CCTV images should be highlighted by clear signage indicating the areas monitored and who to contact for further information.
One of the core principles of the GDPR is that personal data should only be processed for as long as it is completely necessary. Each camera and its purpose will need to be assessed to determine how long footage can be stored for. There are no defined acceptable retention periods within the legislation; the relevant period is entirely dependant on its reasonableness in light of the purpose for which the footage is used. For example, a retail shop would not usually be expected to retain footage for any longer than 6 months - by that time any reported crimes are likely to have been investigated and relevant footage seized.
As with any other form of personal data, data subjects have a right to access their own data. If you are preparing data for disclosure arising from a data subject access request you will need to ensure that the requester is present in the footage and that by supplying the footage you do not disclose the personal data of any other third parties. This may require blurring parts of the footage such as faces and licence plates.
You should also note that under the new GDPR, the information must be provided to the data subject free of charge. A reasonable fee can only be charged if the request is ‘manifestly excessive or unfounded’ and can only cover the administrative costs involved. The footage must be supplied within 30 days of your receipt of the request.
Any act of storing or accessing CCTV footage is considered data processing and it is crucial that CCTV operators ensure the confidentiality and integrity of any footage. Screens displaying live or recorded footage should only ever be viewed by authorised individuals and not members of the public who walk past a CCTV operation room or security guard post.
The devices used to store CCTV images are a common target during a break-in (not only for their resale value but also to remove evidence of the crime). As a result, organisations need to consider the physical security of storage devices such as whether it is kept in a locked room. Newer systems may allow for recordings to be kept in an encrypted format which will prevent unauthorised access in the event of loss or theft.
CCTV systems which can transmit images over the internet, to allow viewing from a remote location, should ensure that these signals are encrypted to prevent interception and also require some form of authentication for access, such as a username and strong password. CCTV systems which make use of wireless communication links (e.g. transmitting images between cameras and a receiver) should ensure that these signals are encrypted to prevent interception.
The Information Commissioner’s Office recommends that any organisation using CCTV should carry out a data protection impact assessment (DPIA) on its use.