CCTV and GDPR – what you need to know
A while ago we talked about the use of CCTV as a security measure – see the article here. Within that we covered an important issue around informing people that they are likely to be captured on CCTV. This now becomes a serious regulatory issue if you are a business owner with CCTV on their premises given the imminent introduction of the GDPR – the General Data Protection Regulation.
What is the GDPR?
It is a new regulation brought forward by the European Union to protect people’s rights when their data are being used. It replaces the Data Protection Act of 1998 and will come into force on the 25th of May 2018.
Who must comply with it?
Any organisation which controls or processes individuals’ data will have to comply. This means that when it comes to installing or operating CCTV cameras on your business premises, you will be affected by this new regulation.
What must you do?
Previously it was sufficient to simply inform people that they could be captured on CCTV and this could be done with a simple notice. The regulations are about to become much tighter. From the end of May, you must have a strong and ‘fair use’ reason for the placement and use of CCTV. For example, you may justify it by citing the health and safety of staff on your premises or to capture incidents which may occur. Spying on employees is not allowed and, unless you are concerned about security, using them in public places such as canteens and break-out areas will require justification through the preparation of an Operation Requirement (OR).
Informing people and managing data
You still have an obligation to inform people on your premises that there are CCTV cameras in place and that they are likely to be caught on camera. In this way, you are the controller of data and as such you must comply with the new regulations. Importantly, your security provider becomes the processor of the data and they must comply as well. The onus is on you as the controller to specify what must be done with the data and how you want them processed and stored, so be sure to put the proper agreements in place.
Typically, data can only be stored for 30 days unless there are specific reasons why this must be a longer period of time. You will need to provide justification and a risk assessment in order to keep images for longer.
Potential data breaches are possible when it comes to sharing data with third parties, so you must also have processes in place to manage this risk. If the police need to review your CCTV data for any reason, they will most likely do it on your premises in order to minimise this risk.
For full details on the forthcoming GDPR, you can visit the Information Commissioner’s Office website. For any assistance in complying with existing CCTV systems or if you are thinking of installing one and want to know more about your rights and obligations, talk to anyone in our DNA Security team. You can find us on 01424 718 844 for an exploratory chat or to make an appointment.