The majority of surveillance systems are used to monitor or record the activities of individuals, or both. As such they process individuals’ personal data, and this processing must comply with the GDPR. The legality of usage and the means for compliance differ among EU Member States, so it is important that you engage with your supervisory authority where necessary.
The guidance given here is intended for less-sophisticated systems which smaller organisations might be using for, say, purposes of safety and security of individuals or the monitoring of premises. GDPR365 provides you with a checklist as well as a sample CCTV policy which you may incorporate into your organisation’s policy documents. Operators of more sophisticated systems such as body worn cameras, drones and automated recognition systems must take further guidance from their supervisory authority.
Why do you need surveillance cameras?
You should take into account the nature of the problem you are seeking to address. Is a surveillance system an effective solution or is there an alternative, less privacy-intrusive solution? Is its usage a proportionate response to the problem? An effective way to answer these questions is to carry out a data protection impact assessment (DPIA).
Whether it is for planned systems or systems already in use, you should at least:
Record a full description of the processing operations as well as the reasons (purposes) why you use CCTV, including if the reason is for your organisation’s legitimate interest;
Assess the necessity and proportionality of the processing operations in relation to the purposes;
Record the potential risks to individuals, such as excessive or irrelevant data, data that is out of date, data that might be kept for too long, data that is not easily accessible, images that are unclear, data that could be unlawfully disclosed, and data that is not securely kept; and then
Record what you are doing about managing those risks.
Preparing for use
Publish and enforce your organisation’s CCTV Policy. Document all the processes, roles and persons responsible for setting up, operating and decommissioning the system. Include, for example, what is to be recorded, where cameras must be sited, how the information should be used and to whom it may be disclosed. Where relevant, ensure that your contract with any external company that operates the system clearly states that company’s data protection responsibilities. Place privacy notices on or near the equipment so that staff and the public are aware of the presence of and purpose for CCTV.
Using the system
Regardless of who is doing the processing, all data must be securely stored and all forms of access must be limited to authorised individuals. If an external company is providing the service, they must provide the assurance that they can and will protect the data. Once there is no reason to retain the recorded information, it must be properly deleted.
Disclosure of information from surveillance systems must be controlled and consistent with the purpose for which the system was established. For example, it can be appropriate to disclose surveillance information to a law enforcement agency when the purpose of the system is to prevent and detect crime, but it would not be appropriate to place the information on the internet.
Individuals who have been recorded have the right to request access to their personal data.
The retention period of the personal data should be informed by the purpose for which the information is collected and how long it is needed to achieve this purpose. It should not be kept for longer than is necessary and should be the shortest period necessary to serve your own purpose.
The siting of cameras
The equipment should only collect the necessary information to meet the purpose for which it was installed. For example, a CCTV system that allows recording to be switched on and off easily, and therefore does not have to record continuously, will help mitigate the potential risk of recording excessive amounts of information.
Both permanent and movable cameras should be sited and image capture restricted to ensure that they do not view areas that are not of interest and are not intended to be the subject of surveillance, such as individuals’ private property. The cameras must be sited and the system must have the necessary technical specification to ensure that unnecessary images are not viewed or recorded, and those that are recorded are of the appropriate quality.
In areas where people have a heightened expectation of privacy, such as changing rooms, cameras should only be used in the most exceptional circumstances where it is necessary to deal with very serious concerns. In these cases, you should make extra effort to ensure that those under surveillance are aware that they are being recorded and that appropriate restrictions on viewing and disclosing images are in place.
Some organisations make use of in-vehicle camera surveillance. Questions to be answered:
Can the surveillance be conducted without yielding information about the private use of the vehicle?
Is private use of vehicles supplied by, or on behalf of, the employer allowed?
If the employee’s own private vehicle is used for business purposes, has the employee freely consented to the installation and use of surveillance equipment?
Are clear and unambiguous rules established and communicated as to what private use is or is not allowed of vehicles supplied by the employer, as well as any conditions attached to both private and business use?
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018