As of 25 May 2018, organisations that use CCTV to capture images of individuals are processing personal data as defined by the GDPR (General Data Protection Regulation) and must comply with the Regulation’s requirements.
If your business uses CCTV – whether for security or employee monitoring purposes – and you’re unsure about your obligations under the new law and how they differ from those of the DPA (Data Protection Act) 1998, this blog outlines some of the areas you need to consider.
Data processing principles (Article 5)
Whether you operate a surveillance system yourself or contract a third-party CCTV company to do it on your behalf, you are a data controller under the GDPR and, in accordance with Article 5, must ensure that personal data is:
- Processed lawfully, fairly and transparently.
- Collected for specified, explicit and legitimate purposes, and not further processed for other purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and, where necessary, kept up to date.
- Kept in a form that allows data subjects to be identified for no longer than is necessary.
- Processed securely.
Meeting these six data processing principles will require you to implement a number of technical and organisational measures, as will meeting data subjects’ rights:
- To be informed.
- Of access.
- To rectification.
- To erasure.
- To restrict processing.
- To data portability.
- To object.
- In relation to automated decision-making and profiling.
Third-party organisations that process data for you, such as CCTV companies, are data processors. It is your responsibility as a data controller to ensure that you use only data processors that provide sufficient guarantees that they meet the GDPR’s requirements, including for the security of processing.
Determining a lawful basis for processing (Article 6)
Before operating a surveillance system, you should determine and document your lawful basis for processing personal data, as set out in Article 6 of the GDPR.
If you can’t, you could be subject to the Regulation’s higher level of administrative fines (up to €20 million (currently about £17.8 million) or 4% of annual global turnover – whichever is greater).
Except for special categories of personal data, whose processing is prohibited except under certain circumstances, personal data can be processed under the GDPR only if the data subject gives their explicit consent or if it’s necessary:
- To meet contractual obligations entered into by the data subject.
- To comply with the data controller’s legal obligations.
- To protect the data subject’s vital interests.
- For tasks carried out in the public interest or exercise of authority vested in the data controller.
- For the purposes of legitimate interests pursued by the data controller.
The GDPR’s stringent requirements for consent and, more significantly, its withdrawal mean you should rely on another lawful basis when using CCTV:
- In the case of staff monitoring for, say, health and safety purposes, consent cannot be a lawful basis for processing because of the imbalance of power between employers and employees.
- If you’re using CCTV for security purposes, ‘legitimate interests’ will apply, as clarified in Recital 50:
“Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller.”
Note that when you disclose CCTV footage to the police (or other competent authority as defined by Schedule 7 of the DPA 2018), it will be processed for a law enforcement process as defined by Part 3 of the DPA 2018, and not processed under the GDPR. How the police (or other competent authority) process it is no longer your concern.
In both cases, you must weigh your lawful basis against the data subjects’ privacy rights.
You should also carry out a DPIA (data protection impact assessment) to ensure you take account of all possible risks.
Privacy notices (Article 13)
When you as a data controller collect personal data direct from data subjects, including by capturing their image via CCTV, you must provide a privacy notice, which should include:
- Your identity and contact details.
- The identity and contact details of your representative, where applicable.
- The contact details of your data protection officer, where applicable.
- The purposes of the processing for which the personal data is intended.
- The lawful basis for the processing.
- The legitimate interests pursued by you or a third party if you are processing personal data on that basis.
- Any recipients or categories of recipients of the personal data.
- Information about transferring the personal data to a third country or international organisation.
- The period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period.
- The existence of data subjects’ rights.
- Where the processing is based on consent, the existence of the right to withdraw consent at any time.
- The right to lodge a complaint with the supervisory authority.
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Moreover, if you intend to further process the personal data for another purpose, you must provide information about that other purpose, and any relevant further information, before you start that processing.
The GDPR makes no provision for how this information should be disseminated, leaving it to data controllers to decide how data subjects will be informed. Notices can be issued in stages.
You can meet the GDPR’s requirements for privacy notices via prominently displayed signs that provide brief and comprehensible information explaining that CCTV is being used, and stating who manages the surveillance system and how to contact them, as was acceptable under the DPA 1998.
It’s advisable to include the URL of a website on which you can publish the full set of information listed above, although you can also provide this information by other means.
Data subject access requests (Article 15)
As a data controller, you’re obliged to confirm to data subjects whether you’re processing their personal data and, where you are, provide them with a copy of it as well as the following information:
- The purposes of the processing.
- The categories of personal data involved.
- The recipients (or categories of recipients) to whom the personal data has been or will be disclosed.
- The envisaged period for which the personal data will be stored (or, if this is not possible, the criteria used to determine that period).
- The existence of the right to request that the controller rectifies or erases the personal data or restrict processing, or to object to processing.
- The right to lodge a complaint with a supervisory authority.
- Where the personal data has not been collected direct from the data subject, any available information about its source.
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences for the data subject of such processing.
Data subjects’ right to obtain a copy of their personal data cannot adversely affect the rights and freedoms of others. In the case of CCTV, this means you cannot give them access to footage if doing so means sharing the personal data of others.
In practical terms, you will therefore have to pixelate others’ faces before giving access or, if this is “manifestly unfounded or excessive”, either refuse the request and document your reasons, or charge a reasonable admin fee (Article 12.5).
As ever with the GDPR, the processes you have in place and how you document them are essential. To comply with individuals’ requests to access footage of themselves, you must:
- Have a process in place for DSARs (data subject access requests).
- Understand which data you store and where you store it.
- Be able to establish data subjects’ identities.
- Redact information where necessary.
You have a month to respond to DSARs, so it’s essential that all staff know how to identify and handle them. (This period may be extended by two months, depending on the complexity and number of requests.)
This limit will also influence your data retention period. Although the GDPR does not stipulate how long personal data may be kept, it does say it should be kept for no longer than necessary.
Data protection fee
As a data controller, you must also register with the ICO (Information Commissioner’s Office) and, unless exempt, pay a data protection fee.
Technical and organisational measures
The GDPR requires data controllers and processors to implement “appropriate technical and organisational measures” to protect personal data. This entails an approach based on regular assessments to ensure that all risks are appropriately addressed.
For instance, access to CCTV systems must be limited to authorised personnel, which is especially important where systems are connected to the Internet or footage is stored in the Cloud, and there is a greater risk of unauthorised access.
Surveillance systems should also incorporate privacy-by-design features, including the ability to be switched on or off, and the option to switch off image or sound recordings independently where it would be excessive to capture both. CCTV equipment must also be of a sufficient quality and standard to achieve its stated purpose.
The international standard for information security management, ISO 27001, is an excellent starting point for implementing the technical and organisational measures necessary under the GDPR.
Using CCTV in compliance with the GDPR is a complex issue and this blog obviously cannot cover all issues.
The ICO’s code of practice for surveillance cameras and personal information was created under the DPA 1998, but its guidance is still useful. Further information about the use of CCTV and the GDPR is apparently forthcoming.