What is GDPR
Up until now, anyone and everyone would install a CCTV system without really thinking about the consequences of this action. Once you are collecting recognisable images from your CCTV system, you are managing ‘personal data’. So, the reality is that you are now acting as a Data Controller, and with this comes responsibility.
A Data Controller must be able to justify the obtaining and use of personal data by means of a CCTV system. The steps and processes that need to be adhered to are:
Proportionality - Is your CCTV system justified?
If you are placing cameras around the perimeter of your site to detect intruders, it should be easy to justify this. If you have installed a camera to monitor employees, then it is not straightforward. This is seen as an invasion of privacy. If you can prove that the cameras are there for Health & Safety reasons, highlighting incidents in the past, that may be acceptable.
What images will be captured? When you are capturing images where someone would expect privacy, then you must justify the need. For example, in rest areas or just on a public walkway – if there has been an obvious level of security incidents, then this must be proven to allow for these cameras.
You need to carry out a risk assessment itemising each camera, the intended viewing area, and the reason for the camera.
Transparency - You must inform people of CCTV presence
The purpose for the data being collected should be clear. This is especially important if the purpose is not obvious. If it is for employee monitoring or Health & Safety, this needs to be highlighted to persons being captured by the cameras. A sign or signs highlighting CCTV use and a contact number for anyone wishing to follow up is sufficient.
Kreative Tech can assist clients with signage design and templates.
Storage & Retention - A Data Controller needs to justify reasons for retaining data.
Retention is generally about 30 days. If you feel you need to retain CCTV data for longer, then your risk assessment should state how long and why. A modern CCTV system will allow you to set retention limits per camera.
When setting up your system Kreative Tech will assist in ensuring that best practice in this area is achieved.
Access Requests - GDPR states ‘Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage.’
So, anyone who is captured by your CCTV cameras has the right to request that footage, as it is seen as personal data. They must follow a procedure, but are perfectly within their rights. If any other individuals are visible in the footage, there needs to be a footage redaction service provided, i.e. blurring out the faces of other individuals.
Kreative Tech can provide you with a footage request form template, and perform the redaction service on the footage.
Supply of CCTV images to the Police
The Police may request footage from you and you may supply this, but always ensure it is followed up by a written request on Police headed paper. Police will often just want to view the footage on the premises of the Data Controller or Processor; this action would not raise any concern for data protection.
As with general public requests, Kreative can provide clients with templates for footage request forms from the Police.
Responsibilities of security companies - Security companies act as Data Processors under GDPR. ‘Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place and what verification procedures may apply.’
Ensure that any subcontractors working on your behalf, e.g. Security companies or CCTV Engineers, follow this procedure. You will be open to data breaches if a third party can distribute, or remove, personal data in the form of CCTV images without following the above procedures.
A reputable security service provider will automatically adhere to all GDPR regulations. Ask the system provider for their policies in relation to GDPR.
Taking the above into consideration, many companies need to look at their security arrangements and ensure there are no likely breaches of regulations. An innocent oversight could result in a hefty penalty for your business. It is no longer acceptable to ‘not understand’ or ‘not be aware of’ the laws associated with CCTV systems. While it is quick and easy to purchase and install your own passive CCTV system, without the input of professional security service providers you may leave yourself open to prosecution and fines.
The Kreative team are very clear on the necessary requirements under the new GDPR and will assist all clients in adhering to these regulations. If you have any doubts over your CCTV system and would like to discuss how Kreative can help you meet your requirements under the GDPR legislation, contact a member of the Kreative team.