Irish Data Protection Commissioner (DPC) issues guidance on CCTV for controllers

• United Kingdom
• Ireland

• Privacy, data protection and cybersecurity

08-07-2019

The DPC has published useful guidance on CCTV usage for controllers. The guidance is intended to assist owners and occupiers of premises to understand their responsibilities and obligations regarding data protection when using CCTV. This is particularly relevant for premises that are workplaces or are otherwise accessible to the public.

The guidance states that any person or organisation that collects and processes the personal data of individuals is considered a ‘controller’. Therefore the use of a CCTV system must be considered in light of data protection legislation and the resulting obligations imposed on controllers. The DPC notes that the use of CCTV systems has expanded significantly in recent years, due to the increased sophistication of the technology and its affordability. There are very legitimate uses of CCTV for security, workplace safety and the prevention and detection of crime. However, the DPC states that unless CCTV is used proportionately, it can give rise to legitimate concerns of unreasonable and unlawful intrusion in the data protection and privacy rights of individuals and excessive monitoring or surveillance may be taking place. This is particularly the case in the workplace setting which the DPC discusses later in its guidance.

Personal data

The DPC highlights that controllers should be aware that footage or images containing identifiable individuals captured by CCTV systems are personal data for the purposes of data protection law. Where processes are used to obscure or de-identify individuals from CCTV footage, the footage or images are still considered personal data if it is possible to re-identify the individuals. Furthermore, if footage or images are initially captured in an identifiable form and then irreversibly de-identified, data protection law will still cover the processing up to the point of anonymisation.

CCTV data protection policies

The DPC recommends having a CCTV Data Protection Policy as best practice and states that a good policy will set out the reasons why you have decided to implement the use of CCTV and how you will manage it. Furthermore, the DPC notes that the scale of the CCTV system and its impact on individuals whose images may be captured will help determine the level of detail that should be in the policy. This will also determine the manner in which the policy should be brought to the attention of the individuals concerned.

In particular, policies relating to a place of work should be brought to the attention of employees so that they are fully informed about the processing of their personal data by CCTV. Publishing a policy on an official website can inform members of the public who may attend the premises and answer their questions about how you use CCTV. This can also assist the DPC in the event of an investigation or audit to understand how controllers have applied the principles relating to processing of personal data.

DPC guidance

The DPC guidance clearly sets out the key considerations from a data protection perspective when implementing CCTV and the key points are summarised in the DPC’s checklist as follows:

1. Purpose: Do you have a clearly defined purpose for installing CCTV? What are you trying to observe taking place? Is the CCTV system to be used for security purposes only? If not, can you justify the other purposes? Will the use of the personal data collected by the CCTV be limited to that original purpose?

2. Lawfulness: What is the legal basis for your use of CCTV? Is the legal basis you are relying on the most appropriate one?

3. Necessity: Can you demonstrate that CCTV is necessary to achieve your goal? Have you considered other solutions that do not collect individuals’ personal data by recording individuals’ movements and actions on a continuous basis?

4. Proportionality: If your CCTV system is to be used for purposes other than security, are you able to demonstrate that those other uses are proportionate? For example, staff monitoring in the workplace is highly intrusive and would need to be justified by reference to special circumstances. Monitoring for health and safety reasons would require evidence that the installation of a CCTV system was proportionate in light of health and safety issues that had arisen prior to the installation of the CCTV system. Will your CCTV recording be measured and reasonable in its impact on the people you record? Will you be recording customers, staff members, the public? Can you justify your use of CCTV in comparison to the effect it will have on other people? Are you able to demonstrate that the serious step involved in installing a CCTV system that collects personal data on a continuous basis is justified? You may need to carry out a Data Protection Impact Assessment to adequately make these assessments.

5. Security: What measures will you put in place to ensure that CCTV recordings are safe and secure, both technically and organisationally? Who will have access to CCTV recordings in your organisation and how will this be managed and recorded?

6. Retention: How long will you retain recordings for, taking into account that they should be kept for no longer than is necessary for your original purpose?

7. Transparency: How will you inform people that you are recording their images and provide them with other information required under transparency obligations? Have you considered how they can contact you for more information, or to request a copy of a recording?

In addition to the general principles of data protection, the DPC also discusses specific issues that arise for consideration such as CCTV in the workplace, disclosing CCTV footage to third parties, providing access to CCTV to the data subject, covert surveillance, and facial recognition and biometric data.

In relation to CCTV in the workplace, the DPC highlights that while employers have legitimate reasons for installing CCTV, employees also have legitimate expectations that their privacy will not be intruded upon disproportionately. Where possible the location of CCTV should be focused on areas of particular risk such as cash points or areas where human observation is difficult. The DPC states that CCTV recording in areas such as break rooms, changing rooms and toilets would be difficult to justify as there is an increased expectation of privacy in these areas by employees. In addition, where the use of CCTV has been justified for a particular purpose such as security or health and safety, it should not be further used for monitoring staff attendance or performance. However, the DPC acknowledges that situations may arise where an employer needs to use CCTV for another purpose such as investigating an allegation of misconduct or disciplinary matter. This may be legitimate where carried out strictly on a case-by-case basis and justified based on necessity and proportionality to achieve the given purpose. The DPC further highlights that employee rights should not be seen as presenting a barrier to the investigation of serious incidents.

The full DPC guidance for controllers can be found on the DPC website here.