Is Right to access CCTV as per DPDP Act allowed?

The recent case study highlighting the incomplete response to a subject access request for CCTV footage in an educational institution rings alarming bells in the context of India's newly implemented Digital Personal Data Protection Act (DPDP Act). This case throws light on the importance of data privacy and access rights, particularly for victims of crime seeking evidence through CCTV recordings.

Under the DPDP Act, complying with subject access requests is paramount. The right to access personal data, enshrined in Article 15, empowers individuals to know what information organizations hold about them and how it is processed. This right extends to CCTV footage capturing an individual's image, especially in situations involving alleged criminal activity.

The case study points to several crucial aspects impacted by the DPDP Act:

Timely Response: Article 13(3) of the DPDP Act stipulates a maximum response time of 30 days for data controllers (organisations) to respond to subject access requests. This case, where the response was incomplete and delayed, constitutes a violation of the Act.

Complete and Accurate Data: The Act mandates providing all personal data, not just excerpts deemed "significant" by the controller. In the case study, denying access to footage from two camera angles and offering incomplete stills violate this principle.

Data Storage and Retention: Organizations cannot claim their recording cycle automatically deletes footage as a reason for non-compliance. The DPDP Act requires data fiduciaries (individuals responsible for data processing) to retain personal data for as long as necessary for the designated purpose or until the data subject withdraws consent.

Consequences of Non-compliance: The DPDP Act empowers the Data Protection Board to impose significant penalties for non-compliance, including fines up to 50 crore rupees. Failure to provide complete and timely access to CCTV footage, as in this case, falls under this purview.

In light of these provisions, the DPDP Act has significant implications for CCTV usage:

Mandatory Functionality: Organizations cannot rely on malfunctioning CCTV as an excuse for non-compliance. Ensuring proper maintenance and functionality of CCTV systems becomes crucial for upholding data access rights.

Clear Data Retention Policies: Establishing and adhering to clear data retention policies for different types of CCTV footage becomes essential. This ensures timely availability of footage in case of access requests.

Streamlined Response Procedures: Organizations must develop clear internal procedures for handling subject access requests related to CCTV footage, ensuring timely and complete responses.

The DPDP Act provides a much-needed legal framework for data privacy and access in India. By understanding its application to CCTV footage, organizations can improve their data management practices and ensure compliance. This, in turn, empowers individuals, especially victims of crime, to exercise their right to access valuable evidence.

Remember, upholding data privacy and access rights is not just a legal obligation, but also a fundamental right under the DPDP Act. By ensuring proper procedures and compliance, organizations can foster trust and empower individuals in the data-driven era.