Video surveillance, also called Closed-Circuit Television (CCTV), is an essential part of the security concepts of many companies, as it allows them to detect incidents and to react accordingly. However, the use of CCTV also constitutes an interference with the privacy rights of the persons captured by CCTV cameras.
Therefore, in 2014 the ICO (Information Commissioner’s Office) issued a guidance on the use of CCTV. Moreover, in 2018 the General Data Protection Regulation (GDPR) was introduced (which was incorporated into UK law as UK General Data Protection Regulation (UK GDPR) on 31 January 2020, after Brexit). Both include important rules und guidance for the compliant use of CCTV by companies. In this article, we will show you when CCTV can be used and what rules you have to adhere to under data protection law.
Legal obligations under the UK GDPR and the CCTV code of practice
If CCTV is used to ensure security in and around the workplace, it will most likely capture individuals. CCTV footage of individuals can enable an identification of these individuals, either directly or indirectly (i.e. combined with other information) and is therefore personal data. Hence, CCTV footage is subject to the rules of the UK GDPR.
Further important guidance is provided by the CCTV code of practice, for which the latest version was issued in 2014 (before the GDPR was introduced in 2018). Even though the code of practice was introduced before the UK GDPR came into force, it can still provide relevant steps and measures to take to implement a data protection compliant CCTV system. The code explains the legal requirements CCTV operators have to comply with under data protection laws in the UK.
The following requirements must be complied with if you want to employ CCTV on your company premises:
If personal data is processed, you need to have a legal basis according to Art. 6 UK GDPR before any data is processed.
It should be noted that employee consent on the use of CCTV will often be invalid due to the imbalance of power between you as an employer and your employees.
A possible basis for the processing can be its necessity to comply with a legal obligation.
You may also process data to protect the physical integrity or life of the data subject or other individuals.
You may also process data on the basis of legitimate interest(s) (including commercial benefit), provided your company’s interest is not outweighed by the impact the CCTV monitoring has on individual rights and freedoms. If you want to process data on the basis of legitimate interests, you should perform a legitimate interest assessment. An example for a legitimate interest would be the interest to protect your company’s premises and property from criminal activity or damage, or to ensure the safety of your employees and the public.
Moreover, if you want to use CCTV, you may have to perform a data protection impact assessment (DPIA) before any data processing takes place. A DPIA aims at assessing the potential risks for rights and freedoms of individuals caused by the use of CCTV before it takes place. If your CCTV is likely to impose a high risk to the rights and freedoms of data subjects, a DPIA becomes necessary. There, you might find measures which decrease the risks and allows you to proceed with your CCTV as planned.
You must inform the data subjects according to Art. 13 UK GDPR and provide them with all relevant information on the use of CCTV cameras and the purposes of the monitoring, as well as of the retention period of the CCTV footage. There should be clear signs in place to inform data subjects that CCTV is in use and for which purposes. To enable data subjects to receive further information on the CCTV usage or to enable them to access their processed personal data, the signs should provide the contact details of the relevant data controller or a representative.
Data minimisation and retention period
You are only allowed to collect data that is strictly necessary for the purposes of the CCTV use. Moreover, all footage, images and information should only be stored for as long as they are strictly necessary to achieve the purpose. They have to be deleted afterwards. Your company should establish a retention schedule for the CCTV footage (and inform the data subjects about it).
Moreover, it might be useful to establish a secure deletion procedure that complies with national laws and policies. Most CCTV footage can be stored for 30 days. However, you should check retention periods for your purpose of CCTV to make sure you store the data according to national law.
First, the used CCTV system should comply with minimum security standards. Moreover, it is important that you put appropriate safeguards in place to secure the CCTV footage and information from unauthorised access and use. Finally, internal access to the retained footage and information should also be restricted and it should be clearly defined in company policies, who can gain access to the CCTV images and information and for which purposes. A disclosure of footage and information may only take place if it is necessary for the defined purpose or for law enforcement.
Implementation of policies and review mechanisms
Before using a CCTV system on your company premises, it is important that you put policies and procedures in place and ensure adherence by all employees involved with CCTV footage or information. Moreover, your company should implement effective review and audit mechanisms to ensure that you comply with all relevant legal requirements and standards and produce respective reports on a regular basis.
Ultimately, if your company wants to use CCTV on their premises, a number of legal requirements must be met. Make sure you have checked all the steps discussed above. Only if you can fulfil all of them, video surveillance is in compliance with UK data protection law.