Smile, you’re on camera: data protection considerations for organisations when using CCTV

CCTV and video surveillance is more common than ever. It’s no longer just used for security and traffic cameras, but with advances in technology such as smart phones and even doorbells, we’re being monitored more than ever before.

This, like most areas of technology, has huge benefits. But how do we balance the use of surveillance against the intrusion of individual’s rights and privacy?

This article explores some of the key considerations for organisations when using CCTV.

Does CCTV footage constitute personal data? 

Video footage that can identify an individual constitutes their personal data, and is therefore subject to data protection law. The use of video surveillance should meet the principles underpinning the UK data protection regime, including being lawful, fair and transparent.

My organisation is thinking about implementing a surveillance system – what do we need to think about? 

Organisations looking to introduce CCTV and surveillance systems must take a ‘data protection by design’ approach. This means considering the data protection aspects at the earliest stages before implementing any surveillance systems, and designing a system that is underpinned by the data protection principles.

Each of the seven data protection principles should be carefully considered, and be at the forefront of how your system operates. 

As with other processing activities, you must identify and document your lawful basis for processing personal data in this way, and carry out a legitimate interests assessment if applicable. 

Consider whether your use of the CCTV or surveillance is appropriate and proportionate in the context of your business, and ask the following questions:

• What is the purpose of capturing the CCTV footage?
• What groups of individuals will be captured, ie whose personal data will you be processing?
• What area is the surveillance system capturing? Think about whether this is public or private property, and whether the individual would reasonably expect to be recorded in that space.  
• How will the personal data be processed and stored? 
• What security and technical measures do you have in place to protect it? 
• What are the reasonable expectations of the individuals that you are capturing? 
• What impact will this have, or likely have, on those individuals rights and freedoms?
• Who within the business has access to the footage? 
• Who decides what footage is captured and how long it is kept? 
• Are you relying on third parties to implement surveillance systems?

The type of surveillance you choose and its location are particularly relevant. Surveillance systems can be extremely sophisticated, but this also means that they can be intrusive, and potentially impede on individuals’ rights to privacy. You must adopt a system that achieves the specific purposes for which you are using it. 

You should also try to limit the personal data captured to ensure that only the minimum amount is obtained to meet your specific purpose. 

Do we need any specific documentation in place?

Many of the documents that you need to implement should already be familiar to you as part of your wider data protection compliance. For example:

• Updating privacy notices to explain your use of surveillance footage.
• Internal policies regarding the use and access of such footage.
• Legitimate impact assessments - where you are seeking to rely on legitimate interests as your lawful basis.
• Third party contracts where you relying on a third party to provide the relevant technology or deliver services as part of your operating systems, or similar.

In addition, it is key to undertake a Data Protection Impact Assessment (DPIA) for any processing that is likely to result in a high risk to individuals. This includes:

• Processing special category data.
• Monitoring publicly accessible places on a large scale.
• Monitoring individuals at a workplace.

When undertaking a DPIA, it must be completed before you start using the surveillance systems, and it should set out how you are mitigating any risks identified. If there are high risks that cannot be mitigated, the guidance is clear that prior consultation with the ICO is required. You can find further information about this on the ICO’s website.

Do we need to put up signs?

One of the key principles underpinning the data protection framework is transparency. Individuals should be informed about how and why their personal data is being used.

Often this information is set out in a privacy notice, which is still good practice in this context, but the data subject is unlikely to be able to review a privacy notice before the CCTV footage is captured. Signage is therefore an important tool that can be used to meet your transparency obligations. 

Signs should be clearly visible, readable and an appropriate size based on the context and location of the surveillance system. Think about how the individuals will see the signs, eg will they most likely be on foot or in a vehicle? How long are they likely to have before they’ve passed the sign? Is the sign readable from a reasonable distance? 

Generally, the ICO guidance provides that signage should be more obvious in areas where the individuals are less likely to expect CCTV.  

How long can we keep CCTV footage?

The UK data protection regime doesn’t dictate how long you can retain personal data, including CCTV footage, so there is no maximum or minimum period prescribed by law.

The reason for capturing the CCTV footage and the purposes of the processing should be considered and will determine the period for which you should keep the personal data. As with other types of processing, this should be proportionate and necessary to meet your purpose.

What do we do if an individual requests a copy of our CCTV footage? 

An individual is entitled to request a copy of CCTV footage containing images of them, and organisations must provide a copy of the footage if it contains their personal data, unless an exemption applies. 

There are two main exemptions to providing copies of CCTV footage:

1. If it contains other people’s personal data.
2. If disclosing it may prejudice a criminal or tax investigation. 

Providing unredacted footage which other people feature in is rarely appropriate, as you would be disclosing third party personal data without the consent of the relevant third parties. 

In order to avoid this you should redact the footage to remove other people’s personal data, eg edit or blur faces, and any other personal data that may be visible, such as car registrations or address information. You may need to use a third party tool or service to support with redaction. 

If redaction isn’t possible, consider seeking the third parties’ consent before releasing the footage. Obtaining third party consent is often difficult though, especially where the identity of third parties is unknown. Where this isn’t possible or appropriate, the organisation must balance the data subject’s right of access against the third-parties’ rights to privacy, and decide if it is reasonable to share the footage without the third parties’ consent. This is a balancing act and is very much dependent on the nature and circumstances surrounding the CCTV. Importantly, businesses should ensure they document the rationale behind their decision. 

This should be assessed on a case by case basis and there is no ‘one size fits all’ approach.

In addition, organisations will need to ensure that where they share the redacted footage with the data subject, they do so in a secure manner. If the data subject agrees, you can arrange for them to view the footage, for example at your offices, rather than receiving a copy. However if they reject this option, you must provide a redacted copy in a secure manner.

If there is a criminal investigation ongoing relating to the footage, it may be possible to apply the second exemption and withhold the CCTV footage, but in that case, the organisation would need to justify and document its reasons for relying on this exemption.

If you need further advice on this area, please get in touch with our data protection team.