UK Businesses will now be fully versed in their obligations around client, customer and staff information under data protection and privacy laws. This usually centres on data such as email addresses and telephone numbers, but less commonly considered is video surveillance. Since individuals could also be identified via this data, CCTV footage is subject to the GDPR.
CCTV is an integral component in the protection of many businesses, acting as the eyes and ears (and sometimes, voice) in a holistic security system that monitors, detects and responds to incidents. It is therefore critical that UK businesses understand how to operate a CCTV system in the workplace within the confines of data protection laws.
As an expert in designing, installing and maintaining CCTV systems for businesses for over 20 years, Amthal has produced this guide for UK business managers around the law when it comes to using CCTV in the workplace*.
Whether you’re considering a new CCTV system and want to design-in compliance from the start, or if you want to check an existing system is operating in line with best practices, then this guide is for you.
Before we get to CCTV: A primer on Data Protection and Privacy in 2021
Recent years have seen many changes and ratifications around data protection and privacy laws. Today, it’s important to have a solid foundation of what each of these are and how they relate to each other, before we start to talk about relevance to CCTV footage.
You can also skip straight ahead to the section on CCTV and GDPR.
- The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy within the European Union and in the European Economic Area (as well as the transfer of data outside of these areas).
- The GDPR was introduced in 2018, replacing the previous directive from 1995.
- The GDPR aims to:
- Give control to individuals around how their personal information is used by organisations, businesses or governments.
- Simplify the regulatory environment for international businesses by unifying the regulation within the EU.
- The Data Protection Act 2018 (DPA 2018) is the UK’s implementation of the European Regulation. This replaced the Data Protection Act 1998.
- The UK GDPR is a UK law which came into effect on 1st January 2021. It is based on the GDPR, with a few changes to make it work “more effectively in a UK context”. This was introduced as part of the ‘Brexit’ process.
- The UK GDPR sits alongside the DPA 2018.
- The principles of the UK GDPR are the same as the European regulation. These principles offer guidelines for the “lawful processing of personal data”. Processing includes actions such as collection, storage, organisation, use and destruction. The seven principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
- The Information Commissioner’s Office (ICO,) was formed as the UK’s independent authority on information rights.
Since most uses of CCTV by UK organisations or business will be monitoring or recording the activities of individuals (which represents personal data), CCTV is covered by the UK GDPR under the DPA 2018.
The ICO authored a CCTV code of practice to explain the legal requirements CCTV operators were required to meet by law. While this was updated in 2008 since its original creation in 2000, it has not yet been updated since the DPA 2018 became law. However, the DPO suggests there will only be “subtle differences” between the guidance in the code of practice and the guidance reflecting the new law.
Is my organisation allowed to use CCTV under UK data protection law?
It is of course legal to use CCTV at work, but there are a number of stages where you must ensure you’re CCTV operations are compliant, necessary and proportionate – through planning a system, set up of the system and your processes, and then implementation and review.
You can find the most up-to-date information on good practice and guidance for the use of CCTV on The Surveillance Camera Commissioner’s webpage on the government website. The ICO also offers a useful CCTV self-assessment checklist.
Here, we’ll guide you through best practices for planning, set-up and implementation of your workplace CCTV system.
PLANNING YOUR CCTV IN THE WORKPLACE
An important first step is thinking about whether CCTV is the right technology for your workplace surveillance needs, and if its use is proportionate. For example, the IPO cites the example of an organisation wanting to reduce crime in an underground carpark. A suggestion here is that better lighting may resolve your problem without the risk of infringing on individuals’ privacy.
In many businesses, however, there is a justifiable use for CCTV in the workplace. When this is the case, a Data Protection Impact Assessment (DPIA) is the next crucial step in planning data processing activities – in this case the capture, storage and other processing of CCTV footage. This can help you to identify the risks to individuals’ personal data by your using CCTV, and to minimise that risk.
Thinking about the type of CCTV system you will implement, data quality is an important factor in compliance, so you should select a system which provides high quality, clear images for its intended use (e.g. for the police to investigate crime). The location of cameras can factor into this too; for example, be aware that tree growth may obscure footage over time outdoors, and you can plan in for this as part of your policies and implementation.
If it is decided that CCTV is the right choice to protect your workplace, you must follow a number of criteria in the set-up and implementation of your CCTV system. By working with a trusted partner such as Amthal, you can ensure that your system is designed and installed in line with your legal obligations under data protection and privacy laws.
SETTING UP YOUR CCTV IN THE WORKPLACE
- Register with the IPO
Businesses must register with the ICO and pay a data protection fee, unless exempt. Most businesses, however, will have to pay, as “any company using CCTV for crime prevention purposes is required to pay an annual data protection fee to the ICO, regardless of other aspects of your business and operations.” You may already be paying your annual fee for other data processing (e.g. customer information) – this registration must be renewed every year.
- Create a CCTV policy
A policy will help ensure that your organisation is consistent in the way it uses CCTV. The documentation should outline all those things you looked at in the planning stages, including the specific purposes for your use of CCTV.
A workplace CCTV policy should also include:
- Data security considerations, including control over who can see/access the recordings, protection of wireless CCTV transmissions from interception, and physical security of the place where your footage is stored.
- Information on how footage will be captured, viewed and stored.
- Information retention policies, outlining how you will retain data for the minimum time necessary for its purpose and dispose of it appropriately when no longer required.
The ICO is the best resource when it comes to drafting a CCTV section of your data protection policy – you can view the privacy notice template here.
- Assign responsibility for day-to-day CCTV management
It is good practice to assign the day-to-day responsibility for CCTV to an appropriate individual (which can also be outlined as part of your policy.) Their role is to ensure that your organisation has the right standards and procedures in place, and that these are being complied to.
- Notify people that they are being recorded on CCTV
In the name of transparency, anyone who may be captured should be notified that they are being monitored by CCTV, whether that’s your staff or visitors to your site. The easiest and most common way to do this is by displaying prominent signage, which should also indicate its intended usage (e.g. “CCTV is in operation in the interest of public safety”). This ‘warning’ can have a deterrent effect on crime in itself, such as shoplifting or theft in warehousing.
It is also good practice to indicate the system’s owner, and where a person can access more detail on your CCTV policies. This is all related to the individuals’ right to be informed, under data protection laws.
IMPLEMENT AND REVIEW CCTV BEST PRACTICES
You may have created the best privacy policy in the world, but if your staff are unaware of your CCTV policies, your system will be vulnerable to misuse. You must communicate your policy to all relevant staff.
Training is also necessary to offer staff; for example, any staff who are authorised to access the live or stored footage should be familiar with the system, as well as the processes for reviewing and extracting footage if required. Staff should also be aware of the likely consequences for misuse or mismanagement of the cameras.
Regular reviews can ensure your system remains compliant over time. For example, a visual check can ensure that your cameras are still producing high quality images in line with your use case, where they might have been obscured by tree growth or new shop fittings.
While data security will have been designed into your privacy policy, the security of your CCTV footage should be regularly reviewed to ensure information is protected over time. Data security is important as poor security over time could lead to your footage being used for criminal activity.
For example, could a member of staff who has left your organisation still have access to your CCTV system? This can be resolved by making reneging security access part of your exit processes. Are all new staff kept informed about CCTV policies? This can become a standard part of your onboarding process. Software updates also play an important part in data security, so ensure your systems are being kept up-to-date over time, and this is reflected in your policy documentation.
Regularly reviewing your CCTV usage means you can be confident that your system is adhering to best practice and your legal obligations. The Surveillance Camera Commissioner is a great resource for the person responsible for CCTV in your organisation to keep an eye on, so that your policies can keep pace with advancements in technology, and with landmark cases in other organisations.
SOME FREQUENTLY ASKED QUESTIONS WHEN IT COMES TO USING CCTV IN THE WORKPLACE
What if someone wants to see the video footage we have of them?
As part of your staff training, you should ensure that all personnel are able to recognise and deal with a request for personal data.
Individuals have a ‘right of access’ under data protection laws. If someone requests to see the CCTV footage you have stored on them, this is known as a “Subject Access Request” or an SAR. Since CCTV footage is sensitive data, you need to follow a formal process of retrieving and handing over the information, which should be outlined in your privacy policy. You must reply to the request within 30 days of receipt, but there is the possibility of an extension if the request is a complex one. SARs should be logged and filed.
You can find more information on Subject Access Requests on the ICO’s website.
Can I use CCTV for staff monitoring?
It is possible to use CCTV for staff monitoring, but this should be clearly outlined and justified as a use case in your privacy policy, and all staff should be made aware that they are being monitored, and for what purpose. Staff should generally not be monitored without their knowledge, or by a system that is not intended for staff surveillance. The consequences of doing this could be an employment tribunal, or a complaint to the ICO, which can lead to a hefty fine.
The only circumstance under which you can monitor staff without their knowledge is as part of a specific investigation where there is a legitimate suspicion that they are breaking the law, and if informing them would make it hard to detect the crime. You must stop using your CCTV for this purpose once that particular investigation is over.
Can I use broader CCTV technologies at work?
Some CCTV systems include additional functionalities such as Automatic Number Plate Recognition (ANPR), audio recording or Live Facial Recognition. Any additional technologies need to be accounted for in determining your proportionate use of CCTV technologies at work. Once it has been established whether there is justifiable use for this functionality, it can then be drafted into your privacy notice, and those who might be monitored by the technologies can be made aware that this is the case (e.g. signs in a car park that say ‘we employ ANPR’, along with the ways in which this data will be used).
As with other CCTV technologies, these technologies must then only be utilised in the context of its intended use. The Surveillance Camera Commissioner’s office regularly published the latest news and good practice for CCTV, as the technologies continue to develop.
We hope this guide to the laws around CCTV in UK businesses is useful, and can help you in implementing a new CCTV system in line with the current regulations.
Need help with the finer details of using CCTV within the law in your workplace? Talk to our expert team of qualified technicians who can help design, install and maintain a CCTV system designed specifically for your business’ security needs, and help you stick to best practice. Call us today on 0800 093 7818, email us via info@amthal.co.uk or use the form below to get in touch.
*This is intended as a quick reference guide; bespoke professional and/or legal advice should be sought for specific applications or queries.