CCTV Everywhere
The UK is often cited as being one of the most surveilled societies in the world. That's because CCTV has proven to be very popular amongst UK homeowners, businesses, local authorities and police forces. As a result, the country's citizens are amongst the most watched in the world. According to the British Security Industry Association (BSIA) there are between 4 and 5.9 million CCTV cameras in the country. There are 500,000 cameras in London alone!
Your Image and GDPR
For many years, UK regulation over image data was relatively light touch. But all that changed in May with the introduction of the European Union General Data Protection Regulation (GDPR for short). The regulation strengthens the privacy laws governing the data of EU citizens. And this includes any image data which may allow individuals to be personally identified.
Brexit Won’t Matter
But before you think ‘hang on, surely Brexit will change things?’, think again. The UK Government has declared its intent to write GDPR into UK law.
One of the reasons for this is to remove any potential barriers to security post-Brexit that might arise if the UK had an alternative data protection framework. Considering that ‘security’ issues are one of the few areas where it is fervently hoped that close cooperation with the country’s former EU partners will continue, it’s extremely likely this regulation is here to stay.
Employers, CCTV and GDPR
There are many reasons why employers use CCTV, such as to protect assets and to monitor employees. Lawful bases of employee monitoring include crime prevention, preventing employee misconduct and ensuring health and safety compliance.
To comply with GDPR an employer must have a strong, ‘fair use’ reason for the placement of CCTV. This means putting together a business case to explain why the images are being collected, one that must also illustrate how the information will be stored and when it will be disposed of.
If CCTV is being installed for any purpose by employers then GDPR requirements must now be at the forefront of all considerations. The rights of employees, customers and other parties should be addressed, keeping in mind that monitoring is only permissible if there is a lawful basis for doing so.
Data Storage
Any personal data collected by employers must be used and kept only to fulfil its original purpose. For instance, if an employee has been filmed because of suspected criminal activity, the footage should reflect this.
Any data captured on CCTV can be retained for 30 days in total (although this can be kept longer if needed, following a risk assessment). One justifiable reason for an extension, in the example above, would be that the police wanted to use the footage.
Encryption And Safety
CCTV recordings and other logs must be stored securely and encrypted wherever possible. When connected to the Internet or the cloud, CCTV systems are open to cyber-attacks. The security of the data held can be improved by limiting direct access and having systems in place to prevent online attacks.
Access to Data
Any individuals that have been identifiably caught on film have the right to request a copy of the employer’s CCTV footage. If the request is valid, the business involved must supply that footage within 30 days.
Show Them What You’re Doing
‘As part of a business's obligation under the legislation you must tell people that you are taking their personal data. The most effective way of doing this is by using prominently placed signs in any area covered by CCTV. This should be at the entrance to the area, as well as within,’ Danny Adamson, Managing Director of signage makers Stocksigns Group, recently told Facilities Management Journal.
Signs Checklist
- All signs need to be clear and legible. There can be no confusion.
- Signs should explain why the cameras are there.
- They should also contain information about who is operating them and who to contact with a query.
- Equally, those responsible for the CCTV operation should be aware of what to do in the event of a query.
- Signs should be of an appropriate size. If a sign is deemed deliberately small (i.e. it was meant to be viewed from a road but was tiny) then you could be seen as being in breach of your responsibilities.
Penalties For Breaking the Rules
Failure to do any of the above could result in investigation and fines. The GDPR rules have introduced new, strict penalties where the personal data protection standards are not met. Businesses can now be fined up to €20 million or 4 per cent of turnover (whichever is higher) if proven to have breached the rules.