Is CCTV being operated in your workplace?
Are you an employer who is considering introducing CCTV?
The Data Protection Commissioner has issued updated guidelines in December, 2015 in respect of the use of CCTV.
Because recognisable images captured by CCTV systems are considered to be “personal data”, as defined by the Data Protection Acts in Ireland, and are subject to the provisions of Data Protection legislation.
Justification of CCTV System
This means that a data controller must be able to justify use of a CCTV system. Sometimes this is easy, for example, using CCTV to keep an eye on a building for security reasons.
However, the use of CCTV to watch employees, students, or customers can be harder to justify.
But that is the first question to be answered: is the use of a CCTV system justified?
The second question to be looked at, assuming the system is justified, is what will the system be used for?
Is the use of CCTV proportionate?
If it is used to capture images of attempted burglars or other undesirables, there is no problem with the test of proportionality.
However, if it is used to monitor employees, showing that it is proportional can be more problematic, although not impossible, for example for health and safety reasons.
But whatever the reason, use of CCTV needs to be justified in the particular circumstances. This justification would generally arise from issues which have arisen prior to the installation.
Where will the cameras be located? What sort of images will be captured? The use of CCTV cameras in toilets, and other locations where you could reasonably expect privacy, will be difficult.
However, even where they can be justified in toilets they should never be used to capture images from urinals or cubicles.
Carry Out an Assessment
The Data Protection Commissioner’s office recommends that detailed assessments be carried out prior to the installation of cctv cameras. It also recommends the following steps:
- A Risk Assessment
- A Privacy Impact Assessment
- A Specific Data Protection policy drawn up for use of the devices in a limited and defined set of circumstances only (this policy should include documented data retention and disposal policy for the footage)
- Documentary evidence of previous incidents giving rise to security/health and safety concerns
- Clear signage indicating image recording in operation.
Warning to Data Subject
Before any data is recorded the data subject must be warned.
This warning can generally be achieved by placing signs in prominent positions.
If it is obvious that the purpose of the data collection is security it will suffice that the sign states that CCTV is in operation and a contact number should be provided.
If the purpose is not obvious then the data subjects should be warned beforehand. This would be especially true if CCTV was being used to monitor staff conduct or performance, as this would not be an obvious purpose.
Written CCTV Policy
A written CCTV policy should be in place and it should contain
- The identity of the data controller
- The purpose of the data processing
- Any 3rd parties to whom it is made available
- How to make an access request
- The retention period of the CCTV
- The security arrangements for the CCTV
Data should not be kept for longer than necessary.
Longer than 1 month in the case of CCTV would be hard to justify.
Access to the data should be restricted to authorised personnel, and it should be stored in a safe place.
Supplying Images to an Garda Siochána
Supplying, as opposed to permitting viewing of, CCTV images to an Garda Siochana should be by written request which states that a criminal investigation is being carried out.
If a verbal request is acceded to, where there is a degree of urgency, a formal written request should be obtained afterwards.
Rights to Access Data
When a data subject requests CCTV images he should supply a time frame of the recording. This would refer to specific days and/or hours but a general request for all CCTV data held would not be acceptable.
Where images of parties other than the requesting data subject appear on the CCTV footage the onus lies on the data controller to pixelate or otherwise redact or darken out the images of those other parties before supplying a copy of the footage or stills from the footage to the requestor.
Alternatively, the data controller may seek the consent of those other parties whose images appear in the footage to release an unedited copy containing their images to the requester.
It would be unacceptable for the data controller to claim that he cannot pixelate images or provide copies for technical reasons, or that he cannot provide images to be viewed on the requester’s device.
If the data controller chooses to use this technology he needs to be able to comply with the data protection consequences.
Generally, the use of hidden/covert surveillance is forbidden, except on a case by case basis to prevent or detect offences or crimes. Any covert surveillance should be specific, limited, and for a short period.
Security companies acting on behalf of clients are considered to be “data processors”.
Their clients are the data controllers. Data processors have specific obligations placed on them by the data protection acts, for example to prevent unauthorised access to the data and ensuring security of the data.
Also certain data processors must have an entry in the public register maintained by the Data Protection Commissioner. (See section 16 Data Protection act, 1988)
The processing of personal data kept by an individual and concerned solely with the management of his/her personal, family or household affairs or kept by an individual for recreational purposes is exempt from the provisions of the Acts.
However, this would not allow recording of a public space, and neighbour has a constitutional and common law right to privacy. They could enforce this right by taking a civil court action.
What to Do Now
- Carry out an assessment,
- draw up a written CCTV policy,
- obtain professional advice if you are unsure or unclear about your rights or obligations.