CCTV and GDPR



CCTV Everywhere
The UK is often cited as being one of the most surveilled societies in the world. And that’s because CCTV has proven to be very popular amongst UK homeowners, businesses, local authorities and police forces. As a result, the country’s citizens are amongst the most watched in the world. According to the British Security Industry Association (BSIA) there are between 4 and 5.9 million CCTV cameras in the country. There are 500,000 cameras in London alone!

Your Image and GDPR

For many years, UK regulation over image data was relatively light touch. But all that changed in May via the introduction of the European Union General Data Protection Regulation (GDPR for short). The regulation strengthens the privacy laws governing the data of EU citizens. And this includes any image data which may allow individuals to be personally identified.

Brexit Won’t Matter

But before you think ‘hang on, surely Brexit will change things?’, think again. The UK Government has declared its intent to write GDPR into UK law.

One of the reasons for this is to remove any potential barriers to security post-Brexit that might arise if the UK had an alternative data protection framework. Considering that ‘security’ issues are one of the few areas where it is fervently hoped that close cooperation with the country’s former EU partners will continue, it’s extremely likely this regulation is here to stay.

Employers, CCTV and GDPR

There are many reasons why employers use CCTV, such as to protect assets and to monitor employees. Lawful bases of employee monitoring include crime prevention, preventing employee misconduct and ensuring health and safety compliance.

To comply with GDPR, an employer must have a strong, ‘fair use’ reason for the placement and use of CCTV. This means putting together a business case to explain why the images are being collected, one that must also illustrate how the information will be stored and when it will be disposed of.

If CCTV is being installed for any purpose by employers then GDPR requirements must now be at the forefront of all considerations. The rights of employees, customers and other parties should be addressed, keeping in mind that monitoring is only permissible if there is a lawful basis for doing so.

Data Storage
Any personal data collected by employers must be used and kept only to fulfil its original purpose. For instance, if an employee has been filmed because of suspected criminal activity, the footage should reflect this.
Any data captured on CCTV can be retained for 30 days in total (although this can be kept longer if needed, following a risk assessment). One justifiable reason for an extension in the example above would be that the police wanted to use the footage.

Encryption And Safety

CCTV recordings and other logs must be stored securely and encrypted wherever possible. When connected to the Internet or the cloud, CCTV systems are open to cyber-attacks. The security of the data held can be improved by limiting direct access and having systems in place to prevent online attacks.

Access to Data

Any individuals that have been identifiably caught on film have the right to request a copy of the employer's CCTV footage. If the request is valid, the business involved must supply that footage within 30 days.

Show Them What You’re Doing


‘As part of a business's obligation under the legislation you must tell people that you are taking their personal data. The most effective way of doing this is by using prominently placed signs in any area covered by CCTV. This should be at the entrance to the area, as well as within,’ Danny Adamson, Managing Director of signage makers Stocksigns Group, recently told Facilities Management Journal.

Signs Checklist

  1. All signs need to be clear and legible. There can be no confusion.
  2. Signs should explain why the cameras are there
  3. They should also contain information about who is operating them and who to contact with a query
  4. Equally, those responsible for the CCTV operation should be aware of what to do in the event of a query
  5. Signs should be of an appropriate size. If a sign is deemed deliberately small (i.e. it was meant to be viewed from a road but was tiny) then you could be seen as being in breach of your responsibilities.

Penalties For Breaking the Rules

Failure to do any of the above could result in investigation and fines. The GDPR rules have introduced new, strict penalties where the personal data protection standards are not met. Businesses can now be fined up to €20 million or 4 per cent of turnover (whichever is higher) if proven to have breached the rules.
