Data Protection Commission Ireland
Issues #CCTV Guidance for Data Controllers - What do you need to know:
- Data controllers should be aware that footage or images containing identifiable individuals captured by CCTV systems are personal data for the purposes of data protection law.
- Where processes are used to obscure or de-identify individuals from CCTV footage, the footage or images are still considered personal data if it is possible to re-identify the individuals.
- If footage or images are initially captured in an identifiable form and then irreversibly de-identified, data protection law will still cover the processing up to the point of anonymization.
- Set out your position on the issues surrounding the use of CCTV in the form of a CCTV Data Protection Policy and review it regularly. This can be helpful in demonstrating that the processing was necessary/proportionate.
- Any CCTV policy that relates to a place of work should be brought to the attention of employees so that they are fully informed about the processing of their personal data by this means. A policy regarding customers can be published on an official website.
- Notification of CCTV usage can usually be achieved by placing easily-read and well-lit signs in prominent positions. A sign at all entrances will normally suffice, indicating the purpose of the CCTV system and the identity and contact details of the data controller.
Purpose - clearly identify your purpose. "Just in case" is not good enough.
- You need a legal basis.
- When relying on legitimate interests as a legal basis to utilize CCTV, the data controller should be able to demonstrate that it is genuinely in their interests to do so, that it is necessary to achieve their identified purpose(s), and that it does not have a disproportionate impact on the individuals whose personal data will be processed.
Necessary and proportionate
- You must be able to justify the use of a CCTV system as both necessary to achieve its given purposes and proportionate in its impact upon those who will be recorded.
- Necessary: the least amount of personal data should be processed to achieve a purpose, and, if possible, the processing of personal data should be avoided altogether. E.g. can you show that other actions such as supervision or the deployment of security staff, which do not involve the processing of personal data, have proven ineffective?
- Proportionate: any processing of personal data must be measured and reasonable in terms of its objectives. Consider: how many people will be affected, will public areas be affected, will young and vulnerable people be affected. If recording: consider people's reasonable expectations.
- Consider mitigating factors: only operational outside business hours; not operational in restrooms, etc.
- Consider alternatives: consider alternative measures, or a combination of alternative measures, to CCTV that would assist in achieving the same purposes. For example, improving perimeter fencing and the installation of alarm systems would aid in securing the facility out of hours. With regard to health and safety, monitoring via CCTV should not be considered an alternative to employee training and the provision of personal protective equipment.
- Adequately assessing the use of a large-scale CCTV system will likely require a data protection impact assessment (DPIA), particularly if the system provides "systematic monitoring of a publicly accessible area on a large scale".
- Consult with the relevant union or trade representative; if children are surveilled, consult with the parents.
- Restricting access to footage and the use of encryption.
- Password protection for devices storing CCTV footage.
- Avoiding generic or shared passwords.
- Maintaining the storage medium in a secure environment.
- Using and regularly reviewing an access log.
- If using remote access: consider any additional risk of unauthorized disclosure which may arise from such functionality.
- The implementation of both technical and organizational security measures should be accompanied by robust policies and protocols to ensure their ongoing effectiveness.
- Access controls should be frequently reviewed and tested, and security measures should be enhanced or upgraded where necessary.
- You must be able to justify a defined retention period, and data may not be kept on a ‘just-in-case’ basis.
- You may wish to consider any previous incidents or situations giving rise to the necessity for access to CCTV footage to achieve a purpose, as these may have a bearing on the appropriate retention period.
- A 30-day retention period may thus be deemed reasonable, proportionate and balanced for CCTV footage for the purpose of defending a potential personal injury action. For a normal security system, it would be difficult to justify retention beyond one month, except where the images identify an issue – such as a break-in or theft – and are retained specifically in the context of the investigation of that issue.
- The retention period should be the shortest period necessary to achieve the purpose for which the system was installed and should allow the controller enough time to review any footage as necessary before deleting the data.
- Where footage has been identified that relates to a specific incident, a longer period may be justifiable for the particular section of footage concerned, such as in the investigation of a workplace accident or where footage may be used as evidence in criminal proceedings. This footage should be isolated from the general recordings and kept securely for the purpose that has arisen.
- Employees should be given a clear notification that CCTV monitoring is taking place and informed as to where and why it is being carried out. If the use of CCTV has been justified for a specific purpose such as security or health and safety, it should not be used for a further purpose such as monitoring staff attendance or performance.
- The use of CCTV in the workplace can be contentious and it is not generally considered to be an appropriate tool to monitor staff attendance or performance. However, situations can arise where an employer needs to use CCTV footage for a purpose other than one identified at the outset such as to investigate an allegation of gross misconduct or other disciplinary matter. This may be legitimate where it is carried out strictly on a case-by-case basis, and is justified based on necessity and proportionality to achieve the given purpose.
Responding to access requests
- To facilitate the processing of the request, the controller may ask the individual to give a reasonable indication of the date and time of the footage they are looking for.
- If the recording has already been deleted on the date on which the request is received, the defined retention period having expired, the individual should be informed that the footage no longer exists.
- If an access request has been received, the footage should not be deleted until the request has been fulfilled.
- Responding to an access request usually involves providing a copy of the footage in video format, as well as providing detailed information on the legal basis and purpose for the filming, and any disclosures that may have been made.
- Where the footage is technically incapable of being copied to another device, or in other exceptional circumstances, it may be acceptable to provide picture stills as an alternative to video footage.
- Where picture stills are supplied, it would be necessary to supply sufficient stills for the duration of the recording in which the requester's image appears in order to comply with the obligation to supply a copy of all personal data held.
- You may need to redact/pixelate if other people are in the photos.
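The retention rules above (a defined retention period, isolation of incident footage, and no deletion while an access request is pending) are easy to state and easy to get wrong in practice, because the deletion job and the access-request process are usually run by different people. The following is an added example, not part of the DPC guidance or of any product it describes, showing how a footage index could apply those rules together; camera identifiers, clip names, dates and the 30-day period are constructed sample values taken from the post's own figure.

```python
"""Retention enforcement over a CCTV footage index (added example).

Rules modelled from the guidance summarised above:
  * general footage is deleted once it is older than the defined retention period;
  * footage tagged to a specific incident is isolated from the general store and kept
    while that incident is open;
  * footage that is the subject of a pending access request is never deleted until
    the request has been fulfilled;
  * if an access request arrives after the footage has already been deleted, the
    requester is told that the footage no longer exists.
All clip ids, cameras and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RETENTION_DAYS = 30  # the period the post describes as defensible for a normal security system


@dataclass
class Clip:
    clip_id: str
    camera: str
    recorded: date
    incident_ref: Optional[str] = None   # set when the clip is isolated for an incident
    access_request_open: bool = False    # set when a subject access request is pending


def review_clip(clip: Clip, today: date, retention_days: int = RETENTION_DAYS) -> str:
    """Decide what happens to one clip today.

    Returns one of 'keep', 'hold-incident', 'hold-access-request' or 'delete'.
    Holds are checked before age so that an old clip under hold is never deleted.
    A clip exactly `retention_days` old is still inside the period and is kept.
    """
    if clip.access_request_open:
        return "hold-access-request"
    if clip.incident_ref is not None:
        return "hold-incident"
    if today - clip.recorded > timedelta(days=retention_days):
        return "delete"
    return "keep"


def apply_retention(clips: List[Clip], today: date,
                    retention_days: int = RETENTION_DAYS) -> Dict[str, List[str]]:
    """Group clip ids by decision: the general store ('keep'), the isolated incident
    store ('hold-incident'), clips frozen for an access request, and the deletion list."""
    decisions: Dict[str, List[str]] = {
        "keep": [], "hold-incident": [], "hold-access-request": [], "delete": []}
    for clip in clips:
        decisions[review_clip(clip, today, retention_days)].append(clip.clip_id)
    return decisions


def handle_access_request(index: Dict[str, Clip], clip_id: str) -> str:
    """Register a subject access request against the index.

    If the clip was already deleted (no longer in the index) the requester must be
    informed that the footage no longer exists; otherwise the clip is frozen so the
    next retention run cannot delete it before the request is fulfilled.
    """
    clip = index.get(clip_id)
    if clip is None:
        return "footage no longer exists"
    clip.access_request_open = True
    return "hold placed"


def build_sample_clips() -> List[Clip]:
    """Constructed sample index; SAMPLE_TODAY is the day the retention job runs."""
    return [
        Clip("cam1-0501", "cam1", date(2024, 5, 1)),                           # 60 days old
        Clip("cam1-0615", "cam1", date(2024, 6, 15)),                          # 15 days old
        Clip("cam3-0531", "cam3", date(2024, 5, 31)),                          # exactly 30 days
        Clip("cam2-0420", "cam2", date(2024, 4, 20), incident_ref="INC-0007"),  # isolated
        Clip("cam2-0510", "cam2", date(2024, 5, 10), access_request_open=True),
    ]


SAMPLE_TODAY = date(2024, 6, 30)

if __name__ == "__main__":
    clips = build_sample_clips()
    for decision, ids in apply_retention(clips, SAMPLE_TODAY).items():
        print(f"{decision:20s} {ids}")
    index = {c.clip_id: c for c in clips}
    print(handle_access_request(index, "cam1-0615"))   # hold placed
    print(handle_access_request(index, "cam9-0101"))   # footage no longer exists
```

The order of checks in `review_clip` is the point: age is evaluated last, so a hold always wins over the retention clock, and the result of each run is a list the controller can log as evidence that the stated retention period was actually enforced.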
Covert Surveillance / sensitive areas
- The use of recording mechanisms to obtain data without an individual's knowledge is generally unlawful.
- Covert surveillance is normally only permitted on an exceptional case-by-case basis where the data are kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders.
- Deploying CCTV in places where there is a reasonable expectation of individual privacy should only occur when there is a particularly serious and documented problem.
Things a regulator may ask you to present if you are investigated in connection with CCTV Surveillance:
- A copy of the assessments carried out by the data controller.
- Documentary evidence of the serious issue/concern.
- Documentary evidence of all other less intrusive measures considered/exhausted prior to the placement of CCTV.
- Documentary evidence of consultations with relevant stakeholders, including staff and customers, prior to the placement of CCTV.
- A copy of the Privacy Policy, in particular as it relates to the use of CCTV.
- A copy of the Data Retention Policy as it relates to use of CCTV.
- A copy of the Risk Management Policy.
- A balanced legitimate interest assessment if the controller is relying on a legitimate business interest as its lawful basis to process its customers' data by CCTV.
- Evidence of clear transparent signage in place prior to entering the areas in question.
- Evidence of a policy for dealing with a customer wishing to enforce their data subject rights.
- Evidence of consultation with a Data Protection Officer (or other relevant individual).
Data Protection & Governance Consultant at Ambit Compliance
1 year
Very insightful, Odia, thanks.
Director of Information Technology | Data Protection Officer @ SEPLAG
1 year
Great article!