General Data Protection Regulation [GDPR] came into force on Friday 25th May 2018 and is applicable in all member states of the EU. In relation to CCTV Security Systems, GDPR applies to both ‘data controllers’ and ‘data processors’.
A ‘data controller’ is a person / company / other body who, either alone or with others, controls the contents and use of personal data. A ‘data processor’ is a person / company / other body who processes personal data on behalf of a data controller, but does not include an employee of the data controller who processes such data in the course of his / her employment. As Coleman Electronics Ltd has installed, maintains or services your CCTV System, we are therefore considered a data processor of your CCTV data.
Recognisable images captured by CCTV Systems are considered personal data and can give rise to concern that an individual’s “private space” is being unreasonably invaded; they are therefore subject to the provisions of the Data Protection Acts. As data is captured on your CCTV System, your company needs to be fully aware of its obligations pertaining to GDPR and CCTV Security Systems.
In this document, we have detailed key areas to note relating to the use of CCTV Security Systems and the General Data Protection Regulation. These general notes are by no means an exhaustive list of your responsibilities as a CCTV system data controller but simply act as a guide to compliance with GDPR requirements. The key areas that need to be addressed in order to comply with GDPR in the use of a CCTV System are:
- Proportionality
- Transparency
- Storage & Retention
- Supply of CCTV Images to An Garda Síochána
- Covert Surveillance
- Access Requests
- Responsibility of Security Companies
A1. Proportionality – Is a CCTV system justified?
GDPR requires that data is “adequate, relevant and not excessive” for the purpose for which it is collected. As the data controller, your organisation must be able to demonstrate that installing a system which collects personal data on a continuous basis is justified by the purpose the system serves. It should also be certain, before proceeding, that it can meet its obligation to provide data subjects, on request, with copies of images captured by the system.
Example: A system used to control the perimeter of a building for security purposes, intended to capture images of intruders or of individuals damaging property or removing goods without authorisation, will usually be easy to justify. A system used to constantly monitor employees, customers or students can be more difficult to justify and could involve a breach of the Data Protection Acts. Such systems would need to be justified by reference to special circumstances.
*Customer Action Required: Compile / Review CCTV Policy & Update Data Controller
A2. Proportionality – What images will be captured?
The location of cameras is a key consideration: an individual’s reasonable expectation of privacy must be respected when determining where cameras are placed. Toilets and rest rooms are obvious examples. In such cases a data controller must demonstrate that a pattern of security breaches occurred in the area prior to the installation of the system, such as would warrant constant electronic surveillance. Position cameras that record external areas in ways that prevent or minimise the recording of passers-by or other people’s private property.
*Customer Action Required: Review Camera Locations & Update Policy
A3. Proportionality – Recommendations?
Data controllers should carry out detailed assessments of how their CCTV System meets GDPR requirements. The following steps should therefore be carried out and documented:
- A risk assessment.
- A Privacy Impact Assessment.
- A specific Data Protection Policy drawn up for use of the devices in a limited and defined set of circumstances only. Include documented data retention and disposal procedures for footage in this policy.
- Evidence of previous incidents giving rise to security / health and safety concerns.
- Clear signage indicating image recording in operation.
*Customer Action Required: Review Recommendations
B. Transparency
Best practice recommends a written CCTV policy should be in place and should include the following information:
- identity of the data controller
- purposes for which data are processed
- third parties to whom the data may be supplied
- how to make an access request for data
- retention period for CCTV
- security arrangements for CCTV
Notification of CCTV usage can be achieved by placing easily-read and well-lit signs in prominent positions. Place on the sign a statement that CCTV is in operation as well as a contact (such as a phone number) for persons wishing to discuss this processing. The contact details should be those of the owner / data controller of the premises.
A CCTV camera used for monitoring staff performance or conduct is not an obvious purpose and staff must be informed before any data is recorded for this purpose. If the purpose of CCTV is for health and safety reasons, this should be clearly stated.
*Customer Action Required: Review Transparency
C. Storage & Retention – Justified reasons for retention
A guiding principle of GDPR states that data “shall not be kept for longer than is necessary for” the purposes for which they were obtained. A data controller needs to be able to justify the retention period chosen. It would be difficult to justify retention beyond a month for a normal security system, except where the images identify an issue, such as a break-in or theft, and are retained specifically in the context of an investigation of that issue.
The storage medium should be kept in a secure environment and a log of access maintained. Access should be restricted to authorised personnel only.
*Customer Action Required: Review your Storage & Retention Procedures and document them in a CCTV Policy. Retention period recommendation = 30 Days. Additional storage may be required on your DVR.
D. Supply of CCTV Images to An Garda Síochána
The Office of the Data Protection Commissioner [ODPC] recommends that requests for copies of CCTV footage should only be acceded to where:
- a formal written (or fax) request is provided to the data controller stating that An Garda Síochána is investigating a criminal matter
- the request is on An Garda Síochána headed paper
- the request quotes the details of the CCTV footage required
- the request cites the legal basis for the request, i.e. Section 8(b) of the Acts
In urgent cases, a verbal request may be sufficient to allow for the release of the footage sought, but it must be followed up with a formal written request. ODPC also advises that a log of all An Garda Síochána requests is maintained by data controllers and processors.
*Customer Action Required: When completing downloads for Gardaí, use the CCTV Download Form for records.
NOTE: There is a distinction between a request by An Garda Síochána to view CCTV footage and to download copies of CCTV footage. In general, An Garda Síochána making a request to simply view footage on the premises of a data controller or processor would not raise any specific concerns from a data protection perspective.
E. Covert Surveillance
The use of recording mechanisms to obtain data without an individual’s knowledge is generally unlawful and is normally only permitted on a case by case basis where the data are kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders.
This provision implies that a specific written policy must be put in place detailing the purpose, justification, procedure, measures and safeguards that will be implemented. The final objective must be actual involvement of An Garda Síochána or other prosecution authorities in a potential criminal investigation, or the issuing of civil legal proceedings, arising as a consequence of the alleged commission of a criminal offence(s).
*Customer Action Required: Where Covert Surveillance is required, document a policy to include installation time, location, duration period and reasons for installation.
F. Access Requests – The right to seek and be supplied data
Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage. A person must make an application in writing. The data controller must respond within 40 days.
When making an access request for CCTV footage, the requester should provide the data controller with a reasonable indication of the timeframe of the recording being sought, i.e. the approximate time and the specific date(s) on which their image was recorded. The requester should specify that they are seeking a copy of all CCTV footage relating to them which was recorded on a specific date between certain hours at a named location.
If the recording no longer exists on the date on which the data controller receives the access request, it will not be possible to provide a copy. The onus is on the requester to be aware that CCTV footage is usually deleted within one month of being recorded, or within the storage retention period set out in your CCTV Policy.
Where applicable, the data controller’s obligation in fulfilling an access request is to provide a copy of the requester’s personal information, i.e. the CCTV footage in video format. If the footage is technically incapable of being copied to another device, or in other circumstances where it is acceptable to provide stills as an alternative to video footage, the stills should be supplied. It would be necessary to supply a still for every second of the recording in which the requester’s image appears in order to comply with the obligation to supply a copy of all personal data held.
Where images of parties other than the requesting data subject appear on the CCTV footage, the onus lies on the data controller to pixelate, redact or darken out the images of those other parties [unless the consent of those other parties is received] before supplying a copy of the footage or stills from the footage to the requester.
Under GDPR, data controllers are obliged to comply fully with access requests for CCTV footage. Claims that they are unable to produce copies of footage, or that stills cannot be produced from the footage, are unacceptable excuses in the context of dealing with an access request. A data controller who uses a CCTV system to process personal data takes on, and is obliged to comply with, all associated data protection obligations.
G. Responsibility of Security Companies
Security companies that place and operate cameras on behalf of clients are considered to be “Data Processors”. As data processors, they operate under the instruction of data controllers (their clients) and have a number of obligations, including keeping the data secure.
The obligation to keep the data secure is met by having appropriate access controls on image storage and by having robust encryption where remote access to live recording is permitted. Staff of the security company must be made aware of their obligations relating to the security of data.
Clients of the security company should have a contract in place which details what the security company may do with the data, what security standards should be in place and what verification procedures may apply.
Summary
Coleman Electronics Ltd is available to assist customers in all industries with the following key requirements in order to ensure compliance with GDPR for CCTV Systems, as outlined in Sections A – G above and in particular in items 1 – 6 below:
1. Detailed Assessments
2. Data Protection Policy Documentation
3. Correct Documentation
4. Clear Signage
5. Pixelation, Redaction & Darken Out Image services
6. CCTV Policy Documentation [Also includes, where applicable, an updated Service Contract to include a GDPR Agreement]
If you have any queries relating to GDPR and your CCTV System please do not hesitate to contact us.