CCTV and GDPR
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It drastically changed the way organisations approach personal data, including the capture and handling of CCTV footage, so it is important for businesses of all sizes to understand the regulatory requirements and know what actions are needed to be prepared. The penalties for non-compliance are fines of up to €20 million or 4% of global annual turnover, whichever is higher. The regulation applies to all companies worldwide that process the personal data of individuals in the European Union.
Businesses need to be aware of the effect the GDPR will have on them, and this includes reviewing their use of CCTV.
But don’t despair if you are not up to speed with all the information. A recent survey carried out on behalf of the Department of the Taoiseach and the Government Data Forum revealed that 66% of businesses are unaware of the specific enhancements in data protection obligations imposed by the GDPR.
CCTV regulations to date
Until now, anyone could install a CCTV system without really thinking about the consequences. Once you are collecting recognisable images of people from your CCTV system, you are processing ‘personal data’. In practice this means you are acting as a Data Controller, and with that comes responsibility: a Data Controller must be able to justify the obtaining and use of personal data by means of a CCTV system.
6 Steps and processes to help comply with GDPR
1. Reason
Is your CCTV system justified?
If you are placing cameras around the perimeter of your site to detect intruders, this should be easy to justify. If you have installed a camera to monitor employees, it is not so straightforward, as this is seen as an invasion of privacy. If you can show that the cameras are there for health and safety reasons, pointing to incidents in the past, that may be acceptable.
What images will be captured and why?
When you are capturing images in places where someone would expect privacy, you must justify the need. For example, in rest areas or on a public walkway, you would need to show an obvious level of past security incidents to justify those cameras.
You need to carry out a risk assessment itemising each camera, the intended viewing area, and the reason for the camera.
2. Inform
You must inform people of CCTV presence
The purpose for which the data is collected should be clear, especially where it is not obvious. If the purpose is employee monitoring or health and safety, this needs to be highlighted to the people being captured by the cameras. Signage stating that CCTV is in operation, who operates it, the purpose, and a contact number for anyone wishing to follow up is sufficient.
Netwatch can assist clients with signage design and templates.
3. Retain
A Data Controller needs to justify reasons for storing and retaining data.
Retention is generally about 30 days. If you need to retain CCTV data for longer, your risk assessment should state how long and why. A modern CCTV system will allow you to set retention limits per camera.
When setting up your system Netwatch will assist in ensuring that best practice in this area is achieved.
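Retention limits are easiest to audit when the per-camera period and its justification are recorded together with the risk assessment. The following is an added example, not Netwatch's software or any CCTV product's own feature: a small Python model of a per-camera retention register that refuses a retention period beyond the 30-day norm unless a reason is documented, and a routine that works out which recordings are due for deletion. The hold flag for footage that is the subject of an open access or Garda request, the camera identifiers, the recording dates and the "now" timestamp are all assumptions constructed for the example.

```python
"""Per-camera CCTV retention enforcement with documented overrides (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEFAULT_RETENTION_DAYS = 30  # the usual retention period


@dataclass(frozen=True)
class CameraPolicy:
    """One row of the risk assessment: camera, purpose, and how long its footage is kept."""
    camera_id: str
    purpose: str
    retention_days: int = DEFAULT_RETENTION_DAYS
    justification: str = ""  # must be filled in when retention_days exceeds the default

    def __post_init__(self):
        if self.retention_days > DEFAULT_RETENTION_DAYS and not self.justification.strip():
            raise ValueError(
                f"{self.camera_id}: retention beyond {DEFAULT_RETENTION_DAYS} days "
                "must be justified in the risk assessment"
            )


@dataclass(frozen=True)
class Recording:
    recording_id: str
    camera_id: str
    recorded_at: datetime
    # Assumption, not from the page: footage that is the subject of an open access
    # request or Garda request is held back from routine deletion until resolved.
    on_hold: bool = False


def classify_recordings(policies, recordings, now):
    """Split recordings into those due for deletion, those kept, and those whose camera
    has no entry in the risk assessment (which should be fixed, not silently purged)."""
    by_camera = {p.camera_id: p for p in policies}
    result = {"delete": [], "keep": [], "unassessed": []}
    for rec in recordings:
        policy = by_camera.get(rec.camera_id)
        if policy is None:
            result["unassessed"].append(rec.recording_id)
            continue
        cutoff = now - timedelta(days=policy.retention_days)
        if rec.recorded_at < cutoff and not rec.on_hold:
            result["delete"].append(rec.recording_id)
        else:
            result["keep"].append(rec.recording_id)
    return result


def run_example():
    """Constructed sample data; returns the classification for inspection."""
    now = datetime(2018, 6, 30, tzinfo=timezone.utc)
    policies = [
        CameraPolicy("CAM-01", "perimeter intrusion detection"),
        CameraPolicy("CAM-02", "loading bay, repeated stock theft",
                     retention_days=60,
                     justification="three theft incidents Jan-Mar 2018, see risk assessment"),
    ]
    recordings = [
        Recording("R1", "CAM-01", datetime(2018, 5, 20, tzinfo=timezone.utc)),   # 41 days old
        Recording("R2", "CAM-01", datetime(2018, 6, 15, tzinfo=timezone.utc)),   # 15 days old
        Recording("R3", "CAM-02", datetime(2018, 5, 20, tzinfo=timezone.utc)),   # inside 60 days
        Recording("R4", "CAM-02", datetime(2018, 4, 1, tzinfo=timezone.utc)),    # outside 60 days
        Recording("R5", "CAM-01", datetime(2018, 5, 1, tzinfo=timezone.utc), on_hold=True),
        Recording("R6", "CAM-99", datetime(2018, 6, 1, tzinfo=timezone.utc)),    # camera not assessed
    ]
    return classify_recordings(policies, recordings, now)


if __name__ == "__main__":
    print(run_example())
```

Recordings from a camera that is missing from the register are reported rather than deleted or kept by default, so the gap in the risk assessment is surfaced; footage on hold for a request is kept even though it is past its retention date.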
4. Permit
Access Requests for personal data
Under the GDPR, any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage.
So anyone captured by your CCTV cameras has the right to request that footage; it is their personal data. They must follow a procedure, but are perfectly within their rights, and you must respond within one month. If any other individuals are visible in the footage, a footage redaction service is needed, i.e. blurring out the faces of the other individuals.
Netwatch can provide our clients with a footage request form template, and perform the redaction service on the footage.
5. Assist
Supply of CCTV images to the Gardaí
The Gardaí may request footage from you and you may supply it, but always ensure the request is followed up in writing on Garda headed paper. The Gardaí will often just want to view the footage on the premises of the Data Controller or Processor; this does not raise any data protection concern.
As with general public requests, Netwatch can provide clients with templates for footage request forms from the Gardaí.
6. Ensure
Responsibilities of security companies
Security companies act as Data Processors under GDPR. ‘Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place and what verification procedures may apply.’
Ensure that any subcontractors working on your behalf, e.g. security companies or CCTV engineers, follow this procedure. You are exposed to data breaches if a third party can distribute or remove personal data in the form of CCTV images without following the above procedures.
A reputable security service provider should already adhere to the GDPR and be able to show it. Ask your system provider for its policies in relation to GDPR.
Conclusion
Taking the above into consideration, many companies need to look at their security arrangements and ensure there are no likely breaches of the regulations. An innocent oversight could result in a hefty penalty for your business. It is no longer acceptable to ‘not understand’ or ‘not be aware of’ the laws associated with CCTV systems. While it is quick and easy to purchase and install your own passive CCTV system, without the input of professional security service providers you may leave yourself open to prosecution and fines.
The Netwatch team are very clear on the necessary requirements under the new GDPR and will assist all clients in adhering to these regulations. If you have any doubts over your CCTV system and would like to discuss how Netwatch can help you meet your requirements under the GDPR legislation, contact a member of the Netwatch team.
Useful Links
Data Protection Commissioner – GDPR & You
Irish Government News Service – New data protection responsibilities
The EU General Data Protection Regulation – FAQ
PDF version of the General Data Protection Regulation (GDPR)
Consumer Data Protection – Enterprise service to control personal data