CCTV Data Protection: Are you GDPR Compliant?

Even though data protection is becoming a “big thing” in many people’s lives, most are surprised when they hear that their recorded CCTV data must adhere to the GDPR. And it all comes down to protecting the data of others. Most people mistakenly believe that it’s just the names, addresses and personal particulars of a person that cannot be shared or disclosed.

But GDPR regulates more than that – it also includes absolutely anything you can use to identify someone. That includes pictures and videos. Because of this, if you have CCTV surveillance cameras on your premises to deter unauthorised access, you have to use them correctly so that you aren’t in breach of the law.

Read on to learn more about the link between CCTV footage recording and the GDPR and what steps you need to take to ensure that your video recording is always compliant with the GDPR.

What does ‘GDPR’ stand for?

GDPR stands for the General Data Protection Regulation. The GDPR governs how businesses process, use, and store personal data.

In the past, a single GDPR applied to both the UK and the EU. Since Brexit, there have been two GDPRs – one for the EU and one for the UK. The GDPR applies to all processors and data controllers handling personal data, including CCTV usage.

When implementing the DPA (Data Protection Act), it is essential to note that it is not a standalone document or regulation. The UK GDPR is supplemented by the Data Protection Act 2018, which covers data processing that falls outside of the regulation’s scope, such as law enforcement and other public authorities.

To get the best understanding, the GDPR should be read together with the Data Protection Act 2018.

Why is it relevant to CCTV?

While many companies find CCTV surveillance essential to their security system, CCTV and certain video surveillance functionality still interfere with the privacy rights of anyone captured on the CCTV cameras. Because of the increasing uptake of video surveillance in the corporate and private space, the Information Commissioner’s Office (ICO) issued a guide in 2014 on how to use CCTV correctly.

In addition, the General Data Protection Regulation (GDPR) was introduced in 2018 and later incorporated into UK law in January 2020.

The GDPR explains how one should correctly capture video surveillance and how to go about the legal data processing of video footage while defining data protection law.

Therefore, it is essential to familiarise yourself with CCTV data protection law to ensure that you don’t violate any laws and regulations unwittingly.

IP CCTV: Find the Best Solution for Your Business

To ensure that your CCTV surveillance system is compliant with the GDPR, work with an expert in the IP CCTV field. Internet Protocol CCTV systems are security surveillance camera systems that send video footage via an IP network.

Unlike analogue closed-circuit television cameras (regular CCTV), they don’t require a recording device, but they do need a local network. These are reliable units ideally suited to businesses of all sizes, from SMEs to FTSE 100 corporations.

Contact Satori Risk today for a free, no-obligation quotation on having GDPR-compliant IP CCTV systems installed within your business premises.

Steps to ensure your video surveillance is GDPR compliant

Ensuring that your surveillance system captures CCTV footage correctly and that the footage is processed correctly requires you to follow a few basic steps. While the guidance on the use of CCTV surveillance cameras lays out all the rules and regulations, you can also implement the steps below to ensure that you’re compliant with the Data Protection Act at all times.

Be Transparent

Transparency when it comes to video surveillance means being upfront about recording people. Data protection legislation dictates that your data controller must advise members of the public that they are being recorded, how they are being recorded and why they are being recorded. Transparency should form part of your official CCTV policy.

To be transparent, display visible signs stating that CCTV operates on your premises. The signs must also include information explaining why you are collecting CCTV data.

Most CCTV signs will say something similar to “CCTV surveillance currently in operation to improve the public safety.” If you don’t tell people what you are collecting the data for, you cannot collect and process the CCTV footage. Your signage must include contact details for your data protection officer and for your business (you are the data controller).

Explain your use of CCTV

Letting members of the public know that they’re being recorded for “public safety” is only the first part of the GDPR legal requirements for CCTV data collection. You also need to explain further why you’re using the personal data collected. The GDPR sets out six lawful bases for processing data. The six legal factors that should affect your code of practice include:

  • Consent – if you record an individual because they have given consent, you will need to be able to demonstrate that consent was given according to the GDPR’s definition of consent.
  • Contractual obligation – if you are providing a service that requires monitoring as part of the contract. This could be the supply of services or goods.
  • To comply with legal obligations – if it is legally required to process data for a particular purpose.
  • Vital interests – this is when processing the data may help protect someone else (this could be a member of the public or the subject being recorded).
  • To carry out public tasks – this is when surveillance is used at official events where there will be public interest. This is the case in schools, hospitals, law enforcement offices, and government departments.
  • Legitimate interests – this is the case when a private company has a legitimate reason to capture personal data without express consent. This is acceptable if individuals’ rights and freedoms are not negatively impacted and your efforts still adhere to the main points of the GDPR CCTV code of practice.

Minimise Data Collection

Article 5(1)(c) of the GDPR states that you should minimise the amount of data your surveillance system collects. The legislation states verbatim that the personal data you process from members of the public should be “adequate, relevant, and limited to what is necessary” according to the purpose you have advertised for your data collection.

In general, this means you need to collect enough data to achieve that objective, but you cannot collect more than is required, or other types of data that are not relevant to the advertised purpose (this is data minimisation).

While there is no hard and fast rule on how much data must be collected by your CCTV system and how long retention should be, it is advised to check the CCTV recordings regularly. You should delete data that you no longer require to safeguard both you and your business. The data retention period should be “no longer than necessary”, as stated in the GDPR.

Restrict Access to CCTV Images

Just because your business collects CCTV images, it doesn’t mean that you should allow anyone and everyone to access them – you should restrict access to CCTV images to those who require it. This requirement means that you have to keep the CCTV data secure and ensure that only management and security officials have access to it, and for professional purposes only.

Cloud storage CCTV systems can ensure that only authorised individuals access your CCTV surveillance. Using a reliable CCTV service provider will ensure that you are provided with a CCTV system that adheres to the regulations in place.

Data Protection Impact Assessments

If you are processing data that poses a risk to individual rights and collecting CCTV data in a public space, you will need to ensure that you carry out a data protection impact assessment (DPIA). In fact, this is a requirement for all new CCTV system installations, system upgrades, system modifications, and if you move any of the CCTV cameras to a new location within the business.

The entire point of a DPIA is to help your business minimise the risk it may pose to others due to its data processing tasks. A data protection impact assessment will also help you ensure that you collect enough surveillance footage for the required purpose.

Data Subject Access Request

The GDPR aims to provide individuals with the right to control how their personal data is used and processed. One way that the GDPR enables this is by making it possible for members of the public to make a subject access request, which can cover CCTV images and video surveillance. If you don’t want to contravene the rules and regulations in place, your business must be equipped to handle such requests.

If a member of the public requests access, you must respond within 30 days unless the request is complicated, in which case the response time may be extended.

The Freedom of Information Act 2000 also comes into play here, as public authorities must provide public access to information.

It is your legal obligation to perform a “reasonable search” for the requested data. Once found, you must provide it to the individual or entity (law enforcement, for example) requesting it in a secure and accessible way. Of course, you cannot just hand over video surveillance to someone and consider your job done. You also need to do whatever you can (such as blurring the image) to protect other people’s identities in the video footage.

The Value of CCTV Maintenance

Maintaining your CCTV system is vital if you want to remain compliant with the UK GDPR. A system that malfunctions won’t be able to provide sufficient video footage for the intended purpose.

Similarly, CCTV maintenance ensures that the video surveillance system’s software is up to date, that your video footage is always of the highest quality, and that data is kept as safe as possible.

Regular maintenance should also include ensuring that any personnel changes are reflected in CCTV access and rights – for instance, if a staff member has left your employ, they should no longer have access to your surveillance system and the data that it records and processes.

So make CCTV system maintenance a regular task carried out meticulously within the business each month.