Do you utilise CCTV recordings on your premises? Does this capture your employees or other members of the public?
Installing CCTV, no matter the reason why, should not be done without prior thought around how you are going to ensure you comply with the UK-GDPR and the Data Protection Act 2018.
Here are a few things we would recommend you do BEFORE installing CCTV and using it for any purpose…
Undertake a DPIA
A DPIA (data protection impact assessment) is a tool you should use at the very outset of any project, such as installing CCTV cameras, so that you can decide whether you will “treat, tolerate, transfer or terminate” any risks to individuals’ personal data arising from your use of it. It should be your first step when considering any new installation or use of CCTV recording. It covers everything you need to think about before deciding whether you can lawfully use CCTV. Speak to one of our GDPR advisers who can assist you with one of our DPIA toolkits.
Lawful Basis
You need to establish your lawful basis for installing the CCTV cameras. There are 6 grounds you can rely on:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
A Wirehouse GDPR adviser can help you determine what your lawful basis is, depending on the reasons why you are installing and utilising CCTV.
If you cannot justify your use of CCTV through one of the above lawful bases, then using it would be unlawful.
Some Things to be Mindful of:
Data minimisation
You should only collect or process personal data (i.e. anything that identifies a living individual) that is relevant and necessary to fulfil your purpose. For example, it might be that you only need to record images and don’t need audio; in that case you should not collect audio via the CCTV, because it is not needed for the purpose for which you are using CCTV.
Is it necessary?
Decide on the purpose for processing CCTV recordings. Are there any reasonable and less intrusive ways of meeting the purpose? If there are, then your use of CCTV is unlawful.
Privacy Notice
You need to use your privacy notice to inform those who may be captured on CCTV. Your privacy notice information should be easily accessible to anyone whose personal data could be captured on the CCTV. A common way to display this is signage in the relevant areas. You must ensure you are transparent about exactly how the CCTV is operating and how you are protecting the data you are capturing.
Change to the ‘purpose’ for processing
If you change the purpose you are going to use the recordings for, then you need to conduct another DPIA, choose another lawful basis and update your privacy notice with the changes.
Retention
Don’t retain the recordings for longer than necessary. Document your thought process when deciding what any retention periods should be.
Security and organisational measures
It’s the organisation’s responsibility to protect the data captured on the CCTV. Try to limit the people with access and provide relevant training for those with access. If you share the data with any third party, you need to be specific in your privacy notice and ensure you have a lawful basis for doing so. This is a minimum. You should think about how else you are going to protect the data captured.
Accountability
GDPR places obligations on organisations to outline in writing their processing activities of personal data. Therefore, before you implement CCTV operation, you need to make sure you have your paperwork in place. If you need further advice around your legal obligations when installing CCTV, including assistance with any of the above documentation, or any aspect of the UK-GDPR or the Data Protection Act 2018, then get in touch with us today on gdpradvice@wirehouse-es.com and we can look at the ways in which we can assist in helping your organisation become data compliant.