The DPC has released new CCTV Guidance to assist owners and occupiers of premises to understand their data protection obligations when using CCTV. Data controllers should already be aware that footage or images containing identifiable individuals captured by CCTV are personal data and therefore data protection laws apply.
Steps to follow
The Guidance sets out the following points, which must be considered by data controllers as a minimum before installing a CCTV system. Best practice suggests that the controller documents its position on these issues in the form of a dedicated policy, which should be brought to the attention of those individuals who may be captured by the CCTV. A policy may be published on an official website to inform members of the public who attend the premises and answer questions about how the CCTV footage of their image is used. However, as discussed below, there will also need to be appropriate signage in place at your premises indicating the presence of CCTV.
Purpose of CCTV
The first step in implementing the use of CCTV is to clearly identify the purpose for doing so e.g. securing premises. Use of the system should be limited to that original purpose. CCTV policies should be reviewed on a regular basis to ensure they are being applied as intended, and adapted, where necessary, in light of any relevant change in circumstances.
Legal Basis for CCTV
Having identified a purpose(s), the owner/occupier of the premises which installs the CCTV must also identify an appropriate legal basis for the processing under data protection laws.
- Consent – Consent is unlikely to apply to most uses of CCTV as it will be difficult to obtain the consent of everyone likely to be recorded.
- Legitimate interests – CCTV may be used in pursuit of a data controller’s legitimate interests in protecting its property and maintaining the safety of individuals. This may provide a legal basis for the CCTV processing, provided that the controller’s interests are not overridden by those of the individuals whose images are being recorded. When relying on legitimate interests to implement CCTV, a controller should carry out a legitimate interests assessment which demonstrates that: (1) it is genuinely in its interests to do so; (2) it is necessary to achieve the identified purpose; and (3) it does not have a disproportionate impact on the individuals whose personal data will be processed. These requirements are expanded on below.
- Public interest – Public authorities may have a legal basis where CCTV is necessary to carry out a task in the public interest or in the exercise of official authority.
- Prevention of crime – Law enforcement agencies may have a legal basis to use CCTV for the prevention, investigation, detection or prosecution of criminal offences under the Law Enforcement Directive (EU) 2016/280.
Justification for using CCTV
A data controller must be able to justify the use of CCTV as both necessary to achieve the identified purpose and proportionate in its impact upon those who will be recorded.
Necessity requires the CCTV processing to be more than merely helpful to achieve a purpose. Assessing the necessity of CCTV should include consideration of the principle of data minimisation, which requires that the least amount of personal data be processed to achieve a purpose. If other means which do not involve recording individuals continuously, e.g. the deployment of security staff, have proven ineffective, this may indicate that the installation of CCTV is a proportionate response.
Any processing of personal data must be measured and reasonable in terms of its objectives. This may involve carrying out a Data Protection Impact Assessment (DPIA). The assessment should factor in the size of the area to be covered and the number of cameras to be installed. The extent to which monitoring of the public will take place should also be assessed, including whether young or vulnerable people may be affected. It is advisable to carry out a DPIA before CCTV is implemented in a school or youth club, which may benefit from engagement with parents.
Staff monitoring in the workplace is highly intrusive and would need to be justified by reference to special circumstances. CCTV is not generally considered to be an appropriate tool to monitor staff attendance or performance. If a situation arises where an employer needs to use CCTV footage for a purpose other than one identified at the outset, such as to investigate a disciplinary matter, this may be legitimate where it is carried out strictly on a case-by-case basis. Monitoring for health and safety reasons would require evidence that the CCTV is proportionate in light of health and safety issues that had previously arisen.
The proportionality assessment should include consideration of any mitigating factors, for example, not placing cameras in locations where people have greater expectations of privacy, such as break rooms.
Individuals have a right to be informed that their images are being recorded. Notification of CCTV usage should be provided by prominent signs which indicate the purpose of the CCTV system and how further information can be obtained. Individuals must also be provided with the following information, either directly or in a way which can be easily accessed:
- Identity and contact details of the data controller and Data Protection Officer, if applicable.
- Purpose and legal basis for which their personal data are processed.
- Any third parties to whom their data may be disclosed.
- Security arrangements and retention period for the CCTV footage.
- Existence of their rights, including the right to lodge a complaint to the Data Protection Commission.
Controllers must be able to demonstrate compliance with data protection principles. It is recommended that a record be kept of any use of CCTV systems, together with any assessment of data protection risks involved.
Data controllers are obliged to put technical and organisational measures in place to ensure that CCTV recordings are secure. For CCTV systems, this can include restricting access to footage, and the use of encryption and password protection for devices storing such footage. The storage medium should be maintained in a secure environment and be accessible to authorised personnel only.
The use of remote access to CCTV systems requires assessment of any additional risk of unauthorised disclosure. Use of remote access as a substitute for on-the-ground supervision is unlikely to be justifiable.
Data controllers must have a clearly defined retention policy, to ensure CCTV recordings are kept for no longer than is necessary for the original purpose. Retention periods should be justified and informed by reference to previous incidents giving rise to the necessity for access to CCTV footage.
The Guidance notes that it would be difficult to justify retention beyond one month, except where the images identify an issue, such as theft, and the data is retained specifically in the context of that issue. In any such circumstances, the footage should be isolated from the general recordings and kept securely for the purposes of investigation.
Other relevant issues
The Guidance provides useful information in respect of the following practical matters, which should be considered in addition to the above, where relevant, before implementing any CCTV system.
- Data protection by default requires that measures are implemented to ensure that only personal data necessary for the specific purpose are processed. This will have a bearing on the placement of cameras and privacy masking features as well as determining the appropriate retention period.
- Data processors – CCTV systems are often managed and maintained by third party contractors. Controllers are required to have a contract in place with such contractors, which details the obligations on them in accordance with data protection law.
- Disclosure of CCTV to third parties, such as to comply with requests from An Garda Síochána, should only be acceded to where a formal written request is provided to the data controller. Verbal requests may be sufficient in urgent situations; however, such requests should be followed up with a written request. Disclosure will need to be assessed on a case-by-case basis to determine whether the disclosure can be justified.
- Access to data subjects – data controllers should have a procedure in place to respond to any requests for CCTV footage without undue delay. Where images of parties other than the requesting data subject appear on the footage, the controller is required to pixelate or otherwise de-identify those individuals before supplying the copy footage to the requester. Alternatively, the controller may seek the individuals’ consent to release an unedited copy of the footage. Where it is not possible to copy the CCTV to another device, it may be acceptable to produce picture stills in order to comply with the access request.
- Facial recognition is classed as biometric processing and accordingly the data processed is special category data, subject to further conditions to be met in compliance with the GDPR, in order to be processed lawfully.