CCTV and video surveillance is more common than ever. It’s no longer just used for security and traffic cameras, but with advances in technology such as smart phones and even doorbells, we’re being monitored more than ever before.
This, like most areas of technology, has huge benefits. But how do we balance the use of surveillance against the intrusion of individual’s rights and privacy?
This article explores some of the key considerations for organisations when using CCTV.
Video footage that can identify an individual constitutes their personal data, and is therefore subject to data protection law. The use of video surveillance should meet the principles underpinning the UK data protection regime, including being lawful, fair and transparent.
Organisations looking to introduce CCTV and surveillance systems must take a ‘data protection by design’ approach. This means considering the data protection aspects at the earliest stages before implementing any surveillance systems, and designing a system that is underpinned by the data protection principles.
Each of the seven data protection principles should be carefully considered, and be at the forefront of how your system operates.
As with other processing activities, you must identify and document your lawful basis for processing personal data in this way, and carry out a legitimate interests assessment if applicable.
Consider whether your use of the CCTV or surveillance is appropriate and proportionate in the context of your business, and ask the following questions:
The type of surveillance you choose and its location are particularly relevant. Surveillance systems can be extremely sophisticated, but this also means that they can be intrusive, and potentially impede on individuals’ rights to privacy. You must adopt a system that achieves the specific purposes for which you are using it.
You should also try to limit the personal data captured to ensure that only the minimum amount is obtained to meet your specific purpose.
Many of the documents that you need to implement should already be familiar to you as part of your wider data protection compliance. For example:
In addition, it is key to undertake a Data Protection Impact Assessment (DPIA) for any processing that is likely to result in a high risk to individuals. This includes:
When undertaking a DPIA, it must be completed before you start using the surveillance systems, and it should set out how you are mitigating any risks identified. If there are high risks that cannot be mitigated, the guidance is clear that prior consultation with the ICO is required. You can find further information about this on the ICO’s website.
One of the key principles underpinning the data protection framework is transparency. Individuals should be informed about how and why their personal data is being used.
Often this information is set out in a privacy notice, which is still good practice in this context, but the data subject is unlikely to be able to review a privacy notice before the CCTV footage is captured. Signage is therefore an important tool that can be used to meet your transparency obligations.
Signs should be clearly visible, readable and an appropriate size based on the context and location of the surveillance system. Think about how the individuals will see the signs, eg will they most likely be on foot or in a vehicle? How long are they likely to have before they’ve passed the sign? Is the sign readable from a reasonable distance?
Generally, the ICO guidance provides that signage should be more obvious in areas where the individuals are less likely to expect CCTV.
The UK data protection regime doesn’t dictate how long you can retain personal data, including CCTV footage, so there is no maximum or minimum period prescribed by law.
The reason for capturing the CCTV footage and the purposes of the processing should be considered and will determine the period for which you should keep the personal data. As with other types of processing, this should be proportionate and necessary to meet your purpose.
An individual is entitled to request a copy of CCTV footage containing images of them, and organisations must provide a copy of the footage if it contains their personal data, unless an exemption applies.
There are two main exemptions to providing copies of CCTV footage:
Providing unredacted footage which other people feature in is rarely appropriate, as you would be disclosing third party personal data without the consent of the relevant third parties.
In order to avoid this you should redact the footage to remove other people’s personal data, eg edit or blur faces, and any other personal data that may be visible, such as car registrations or address information. You may need to use a third party tool or service to support with redaction.
If redaction isn’t possible, consider seeking the third parties’ consent before releasing the footage. Obtaining third party consent is often difficult though, especially where the identity of third parties is unknown. Where this isn’t possible or appropriate, the organisation must balance the data subject’s right of access against the third-parties’ rights to privacy, and decide if it is reasonable to share the footage without the third parties’ consent. This is a balancing act and is very much dependent on the nature and circumstances surrounding the CCTV. Importantly, businesses should ensure they document the rationale behind their decision.
This should be assessed on a case by case basis and there is no ‘one size fits all’ approach.
In addition, organisations will need to ensure that where they share the redacted footage with the data subject, they do so in a secure manner. If the data subject agrees, you can arrange for them to view the footage, for example at your offices, rather than receiving a copy. However if they reject this option, you must provide a redacted copy in a secure manner.
If there is a criminal investigation ongoing relating to the footage, it may be possible to apply the second exemption and withhold the CCTV footage, but in that case, the organisation would need to justify and document its reasons for relying on this exemption.
If you need further advice on this area, please get in touch with our data protection team.
We produce a range of insights and publications to help keep our clients up-to-date with legal and sector developments.
Sign up