'The devil is in the detail' is a phrase which comes to mind when speaking about the GDPR (General Data Protection Regulation). The obvious topics surrounding the application of the regulation's articles have been extensively discussed, leaving behind those tricky and often overlooked details.
One such area is the use of CCTV (closed-circuit television) to capture images of data subjects, whether for security or health and safety purposes. Identifiable imagery is considered personal data under the GDPR and therefore, at a data protection level, requires the same level of thought and care that is being paid to other affected areas of the business.
To help, we have collated the most important information relating to the GDPR and the use of CCTV.
1) Most are unaware that GDPR has an impact on CCTV
It is a chicken and egg scenario to attempt to find referenceable sources which prove the lack of understanding regarding a particular topic. However, a survey across Irish businesses, carried out on behalf of the Irish government in 2017, revealed that up to 66% of respondents were unaware that the GDPR had an impact on the use of CCTV. While there is a great deal of attention paid to areas such as email marketing and data transfers, there seems to be a gap of knowledge in practical areas such as this.
2) The use of CCTV is widespread
The UK is often cited as being one of the most surveilled societies globally, with up to 5.9 million CCTV cameras in operation in 2015 alone. This figure probably comes as no surprise. Most businesses, from small convenience stores to large office buildings, will have a surveillance system in place, whether it be for security, monitoring or health and safety purposes.
3) Justifying use of CCTV is paramount for GDPR compliance
By now, most of us are aware that the GDPR requires the processing of personal data to be lawful, fair and transparent. As CCTV collects personal data in the form of images, it is in no way immune. In almost all cases, business owners can rely on legitimate interests or the need to comply with another legal requirement for the legality of operating CCTV. However, they will be required to justify this against the area of coverage. Data subjects' rights and freedoms cannot be overridden, especially in the case of legitimate interests. Even inside a work premises, employees have a right to privacy.
4) Processing may be deemed lawful by public authorities & police forces
Although this blog post is not expressly aimed towards those in the public sector, it is worth mentioning that there are other circumstances where processing is deemed to be lawful, which are most likely only accessible to specific controllers: for example, when protecting the vital interests of data subjects or when processing is carried out in the interests of the public. Body-worn cameras used by police forces are likely to be a candidate in this case. Note that these lawful justifications are not reserved for the public sector only.
5) Data subjects have the right to be informed
While not an express right, data subjects are entitled to understand when their personal data is being processed, covering the transparency aspect of processing. It is recommended that the use of CCTV is communicated via signage which indicates the areas covered and gives instructions for obtaining further information.
6) CCTV is covered by the DPA 1998
Data protection legislation and CCTV are not new concepts under the GDPR. CCTV was indeed included under the DPA (Data Protection Act), with the ICO (Information Commissioner's Office) producing guidelines on the topic. In particular, it is recommended to conduct a data privacy impact assessment to ensure you can justify processing and that you are not excessively reducing the privacy of data subjects.
7) Data retention cannot be indefinite
One of the core principles of the GDPR requires personal data to be processed for only as long as its purpose requires it to be. Each camera and its purpose will need to be assessed to determine how long footage can be retained for. For example, a retail store would not be expected to retain footage for any longer than 6 months as, by that time, any reported crimes would have been detected and footage reviewed. There are no defined acceptable retention times, as this depends on the purpose; however, be aware that keeping footage for years, or simply until it is overwritten, does not demonstrate consideration of data subjects' rights.
8) Data subject access requests for CCTV footage
As with any other aspect of personal data, data subjects have a right of access, which could result in you disclosing footage to them. Business owners / CCTV operators will need to ensure that the requester is present in the footage and that, by supplying the footage, they do not disclose any personal data of another data subject. This may involve blurring parts of the footage such as figures or license plates. In addition, the ICO previously recommended that subject access requests for CCTV footage could carry an administrative fee of up to £10; however, this is no longer the case under the GDPR.
9) Security measures such as encryption are essential
Any act of storage or access is considered processing, and it is imperative that business owners or CCTV operators uphold the confidentiality and integrity of any footage. Screens displaying live or recorded footage should only ever be viewed by authorised individuals and not by members of the public who stray past a security guard post or CCTV operation room. Footage should be secured regardless of its format: for example, in electronic format it should be encrypted, and in physical format it should be locked away and tracked via a signing process.
CCTV and surveillance are often emotive issues. On one hand, business owners and leaders use CCTV for protection and monitoring, among other reasons. On the other hand, data subjects view this with an air of suspicion due to an invasion of their privacy.
In either case, the GDPR does not discourage the use of CCTV but instead encourages a balance and an air of clarity for all parties regarding its usage. While in the past the concerns of data subjects may have been disregarded in favour of the overriding interests of the controller, this can no longer be the case and may prove to be the undoing of some. Whether it be scary administrative fines or embarrassment and shame, it will always be the small things which make the difference, as it is the devil in the detail.