First published March 2017
CCTV used to be considered a solution to security issues. But in recent years, data protection legislation in both the UK and Ireland has reflected concerns over privacy and personal rights. Storing recorded security footage is now considered the same as storing personal data.
For business owners, security is always high on the priority list – and for obvious reasons. According to the Home Office’s 2013 Commercial Victimisation Survey, commercial operations in the UK continue to deal with high rates of shoplifting and burglary. In a 12-month period between 2012 and 2013, retail supermarkets had suffered a rate of 87,890 shoplifting incidents per 1,000 premises, while London-based wholesale and retail businesses recorded almost three times theft and burglary rates as those in rural areas – 11,425 incidents per 1,000 premises compared to 3,811.
The advantage of CCTV systems, of course, is that a company’s property can be watched over constantly. But it becomes a more complex issue when installed cameras watch employees, students, or customers. And as ‘personal data’, the responsibilities of data controllers in managing it are made a little more intricate.
In Ireland, the Data Protection Commission clarified changes that were made to the Data Protection Act in December 2015, confirming data captured on camera subject to the terms of the act.
In the UK, the Information Commissioner’s Office (ICO) confirmed that surveillance cameras must only be used when it is absolutely necessary. It has also stated that surveillance must be a ‘proportionate response to a real and pressing problem’.
In brief, using CCTV in a way that satisfies the terms of data protection legislation depends on 4 key conditions:
Because recorded footage is ‘personal data’, capturing any footage must be proven ‘justified’ and a ‘proportionate response’.
For general security purposes, justifying the use of CCTV for surveillance is pretty straightforward; it’s basically all about guarding against theft.
With employees at work, there can be a very thin line between justifiable surveillance and a breach of personal rights, especially when staff is being recorded while carrying out their everyday duties. Staff members are usually satisfied when they are made aware they are being recorded as part of a general security policy.
Employers must be aware that monitoring staff without proper justification can end up at the employment tribunal. But surveillance without providing prior warning is possible in only a few situations:
Clearly, recording footage is a proportional response to crime, which tends to happen at night or when no-one is around. So, a CCTV system can be considered an example of vigilance. When monitoring employees, security cameras can be seen as necessary for health and safety reasons, but it is important to point to specific examples where a camera would be useful.
The key issue, however, is where the cameras will be located. It is extremely difficult to accept CCTV cameras in staff toilets or changing rooms as being proportional. Even if it can be, images cannot be captured at urinals, in cubicles or in shower areas.
In Ireland, the Data Protection Acts leaves the issue of data retention open to interpretation, saying that data should not be stored ‘for longer than is necessary’ and only for the purposes for which they were obtained. Storage needs to be fully secure, with restricted access and a clear access log kept.
People who are captured in CCTV images have a right access to that data. A data subject (as they are called) must make an application in writing, and a data controller must respond within 40 days.
In the UK, everyone is entitled to access to any data gathered about them. All they need to do is make a written request, and can be:
Nobody likes the idea of a Big Brother scenario, so the major investment in high street and public transport CCTV systems is being counter-balanced with strict legislation. New regulations are expected to be introduced in Ireland in 2018 which will include heavier fines for data controllers who fail to adhere to data protection guidelines.
So, it’s important to get procedures in order. To do so, follow these 2 steps:
The General Data Protection Regulation (GDPR) will be one of the most far-reaching data protection regulations in recent times, unifying data protection for residents of the European Union (EU) and the export of data outside of the EU.
Does your business understand how CCTV footage will be classified under the GDPR?