Data Protection and CCTV
The General Data Protection Regulations (GDPR) was adopted on 8th April 2016 and came into effect on 25th May 2018, replacing the existing Data Protection Act (DPA) and updating the data protection regime across Europe.
The GDPR applies to ‘controllers’ and ‘processors’ as defined in the DPA with controllers saying how and why personal data is processed and the processor acting on the controller’s behalf. If a company is currently subject to the DPA, it is likely that they will also be subject to the GDPR. The GDPR applies to ‘personal data’ and this includes not only the same forms of direct data but also indirectly derived data such as IP addresses and mobile phone usage data to reflect the changes in technology. The GDPR will apply both to automated personal data and to manual filing systems where personal data is accessible.
In short, many of its main concepts and principles are similar to those in the current Data Protection Act 1998 (which was extended from the Data Protection Act 1984) to be able cover all types of records which contain information about individuals. This includes images of a living individual recorded by CCTV cameras which are also considered personal information about that individual.
When we installed CCTV I contacted the Information Commissioners Office (ICO) on behalf of the freehold RMC to see what one of the Directors was required to do under Data Protection when asked by anyone to see CCTV footage as he would be acting as the Data Controller.
They provided the following advice:
1: It is the Data Controller which is the organisation responsible for a) making decisions about the processing of the images and b) ensuring compliance with DPA legislation. So it is the RMC Company Directors in their capacity as Data Controllers who will allow other organisations, such as the company installing the CCTV or the managing agent, to process the images on their behalf. They would then be under contract as data processors. In this the freehold RMC Directors would remain data controllers and be responsible under the DPA for any processing of the images.
2: It is essential that there is a clear basis for the handling of any personal information and the handling of images relating to individuals is no different. It is important to show who has responsibility for the control of the images, i.e. what is to be recorded, how the images should be used and to whom they may be disclosed.
3: They also advised particular attention be paid to the fact that people must be aware that they are in area where CCTV surveillance is being carried out. The most effective way of doing this is by using prominently placed signs at the entrance to the CCTV zone and reinforcing this with further signs inside the area. Such signage is particularly important where the cameras themselves are very discreet, or in locations where people might not expect to be under surveillance. In the exceptional circumstance that audio recording is being used, this should be stated explicitly and prominently.
- Be clearly visible and readable;
- Contain details of the organisation operating the system;
- The purpose for using CCTV;
- Who to contact about the scheme (where these things are not obvious to those being monitored, i.e. the name and contact details of the organisation responsible); and
- Be an appropriate size depending on context, for example, whether they are viewed by pedestrians or car drivers.
This information will be updated should the role of RMC Directors and GDPR become clearer but in the meantime Data Controllers operating under GDPR will need to be able to demonstrate the following:
- Consent has been both sought from, and given by, the data subject under Article 6 (1) (a);
- The individual must be able understand in specific detail what consent is being sought;
- Data must be presented in a clear and plain language;
- For each intended use, separate consent must be given;
- Consent must also be as easy to withdraw as it is to give;
- Data protection must be kept separate from a company’s usual terms of business;
- Where multiple consents are required to different types of data processing such consents cannot be assumed or obtained through pre-ticked boxes;
- Where data is to be transferred to a third party that party must be expressly named;
- The person(s) collecting the data is responsible for how that third party processes the data.
A Guide to the General Data Protection Regulation can be found here.