CCTV & GDPR - Big brother to watch the watchers

Key Facts about the GDPR

CCTV systems have somehow escaped significant regulation until now. Recent surveys have shown that people using them might not realise that new legislation comes into effect this year, so there is a real risk that users will fall foul of the rules and incur notifications or even large fines.

We spoke to David Woolley, Country Manager (UK) at Sytorus Ltd, a leading provider of a range of data protection services for organisations that wish to achieve and maintain GDPR compliance. He confirmed that many organisations currently overlook CCTV when reviewing their data protection processes:

“CCTV is one area which - from our vast experience - many organisations do not consider when looking at Data Protection and Privacy across their business. The forthcoming GDPR is clear that CCTV is in scope, hence companies needing to fully understand their current position. If approached correctly and proactively, the GDPR will deliver a number of benefits that will enhance business practices, deliver greater customer satisfaction and also business growth.”

As a distributor of CCTV systems including Dahua, Olix and Redvision - to name a few - we are taking this opportunity to help our installer and integrator partners better advise customers about the best way to collect, store and dispose of data gathered. Additionally, we want to make people aware that the introduction of this legislation creates an opportunity to enhance the perception of CCTV and ensure that it is capturing valuable images which can be used to protect employees, improve operations and reduce security risks.

First up, what is the GDPR?
New EU legislation, named the General Data Protection Regulation (GDPR), is set to be enforced from 25 May 2018. Despite plans to leave the European Union, it seems that the UK is going to adopt it as a way of improving companies’ commitments to protecting the personal data of individual citizens. Included in this will be the way that we capture and handle CCTV footage.

One of the major implications of the new legislation is the increased level of fine that the Information Commissioner’s Office (ICO) can levy – up to £17m or 4% of global turnover, whichever is the greater. And whilst it is more likely that they will issue warnings and enforcement notices, a fine of that magnitude is best avoided, not to mention the potential reputational damage to any companies exposed as not abiding by best practice.

Businesses and CCTV
Many businesses have CCTV within their premises, whether this is to protect assets and/or protect their staff. However, if you are using CCTV, you’re collecting personal data of anyone who is visible within the frame and you need to ensure that they are protected as well.

To stay on the right side of the GDPR you must have a strong, ‘fair use’ reason for its placement. A business case must be put together to justify the collection of the images, and it must also document how the information will be stored and when it will be disposed of. Additionally, you must consider who will be able to have access, and in what cases others will be granted access.

To comply with the legislation, you will need to be able to demonstrate compliance. This requires you to have a documented case which shows the need for the surveillance equipment, to have undertaken a risk assessment to identify and mitigate any unnecessary exposure, and finally to have a clear process which documents decisions on capture, storage and disposal of personal data.

One additional flag that should be raised is whether you could be capturing data which could be considered ‘sensitive’. This is information which could be used for profiling, or from which other individuals could draw conclusions which might negatively impact the person in the footage, for example patients attending medical clinics, union meetings, polling offices, etc., or any footage relating to children.

Workforce and CCTV
Members of the workforce can object to the placement of certain CCTV cameras if they feel as though it could invade their privacy. This can include places such as canteens, break areas and public spaces. If you are able to highlight a security risk that could be minimised through using CCTV, it is more likely that the CCTV will be accepted in these places. CCTV is not allowed simply because you want to keep tabs on your employees’ effectiveness: employers need to be able to demonstrate that they have a valid reason for video surveillance implementation in specified areas.

An example of a justifiable business need would be if the business wanted to improve health and safety to help protect employees, or to capture footage of any incidents that occur within the company. There would need to be justification of these, for example to comply with ISO standards that the company has or wishes to attain, or to reduce the number of site incidents that have been occurring.

A sign of things to come
To inform people who operate in and around your business, you should have a disclosure to tell them that CCTV is in use and that they could be captured on any footage that is obtained. A common method is to have signs that are clear and feature a number for those who want to contact the CCTV operators if they have any queries.

Any data that comes from the CCTV can be kept for 30 days. If you need to keep it for longer, you need to carry out a risk assessment and record the reasons why, as well as how the information will be stored. This rationale for capturing and keeping the images needs to be documented in a risk log, which should be held by the company’s Data Protection Officer. Images and videos that you acquire through your CCTV system might be requested by the police, but make sure that they comply with your process, which usually requires a written request and that the footage be viewed on site.

Where Responsibility Lies
Under the new legislation, there will be a distinction between data controllers and data processors so it is advisable to check which one you are.

According to the ICO:
• “data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed
• “data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller
• “processing”, in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including— a) organisation, adaptation or alteration of the information or data, b) retrieval, consultation or use of the information or data, c) disclosure of the information or data by transmission, dissemination or otherwise making available, or alignment, combination, blocking, erasure or destruction of the information or data

With the new regulation coming into play, it’s important to understand that some security suppliers may become data processors rather than simply providers of a service. It will be important to have clarity, and have this documented, to ensure that the responsibility is clearly understood and any necessary protections are in place.

The overriding ambition of the ICO is to ensure that companies behave ethically and responsibly and support the individual’s right to privacy, capturing only data which is appropriate. In reality, the changes to a business should not be significant following the introduction of the GDPR; it should be more a case of documenting the already good practices and ensuring that processes are being followed throughout the company. However, with the greater powers of the ICO under the GDPR, it would definitely be sensible to take the next couple of months to investigate your position and ensure that your company’s Data Protection Officer is fully aware of the requirements.

Posted: 05/02/2018 16:18:56 by Michael O'neill