GDPR & CCTV
The General Data Protection Regulation (GDPR) came into effect on May 25th 2018. These regulations drastically changed the way organisations approach data and the capture and handling of CCTV footage. It is important for all businesses to understand the regulatory requirements and know what actions are needed to be prepared. The penalties facing businesses for non-compliance are fines of up to €20 million or 4% of global annual turnover.
Until May 25th 2018 anyone could install a CCTV system without really thinking about it. Now, with the new GDPR regulations, once you are collecting recognisable images and footage from a CCTV system, you are managing ‘personal data’. This means you are now acting as a Data Controller, and with this comes responsibility. As a Data Controller you must be able to justify the obtaining and use of your CCTV system.
Is your CCTV system justified?
Placing cameras around the perimeter of your site to detect intruders should be easy to justify. If your cameras are monitoring employees, then it is not straightforward. This is seen as an invasion of privacy. You might need to prove that the cameras are there for Health & Safety reasons; highlighting incidents in the past should help justify your CCTV.
What images will be captured and why?
When you are capturing images where someone would expect privacy, then you must justify the need. If there has been an obvious level of security incidents in these areas, then this must be proven to allow for these cameras.
You should carry out a risk assessment itemising each camera, the viewing area, and the reason for the camera.
People must be informed of CCTV presence
You must make the purpose for the data collection clear. This is especially important if the purpose is not obvious. If you are monitoring employees for Health & Safety, this needs to be highlighted to persons being captured by the cameras. Signs highlighting CCTV use and a contact number for anyone wishing to follow up are sufficient.
As a Data Controller you need to justify reasons for storing and retaining data.
Generally, CCTV systems retain data for about 30 days. If you feel you need to retain CCTV data for longer, then your risk assessment should state how long and why. Most modern CCTV systems will allow you to set retention limits per camera.
Access Requests for personal data
GDPR states ‘Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage.’
So, anyone who is captured by your CCTV cameras has the right to request that footage. They must follow a procedure, but are perfectly within their rights. If any other individuals are visible in the footage, there needs to be a footage redaction service provided, i.e. blurring out the faces of other individuals.
Supply of CCTV images to the Gardaí
The Gardaí can request footage from you and you may supply this, but ensure it is followed up by a written request on Garda headed paper. Sometimes the Gardaí will just want to view the footage on your premises; this action would not raise any concern for data protection.
Responsibilities of security companies
Security companies act as Data Processors under GDPR. ‘Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place and what verification procedures may apply.’
Ensure that any subcontractors working on your behalf, e.g. Security companies or CCTV Engineers, follow this procedure. You will be open to data breaches if a third party can distribute, or remove, personal data in the form of CCTV images without following the above procedures.
It is no longer acceptable to ‘not understand’ or ‘not be aware of’ the laws associated with CCTV systems. While it is quick and easy to purchase and install your own passive CCTV system, without the input of professional security service providers you may leave yourself open to prosecution and fines.