The GDPR fuss is starting to wane as people finally wade through the plethora of emails begging for a positive opt in. Hopefully we will all benefit by receiving fewer marketing and spam phone calls, and the drop in unwanted email and postal communication will be just as welcome. There is one facet to GDPR that many people have overlooked, or are simply unaware of, and that is how CCTV is affected.
Under the new rules, CCTV imagery taken of people is considered to be personally identifiable data and therefore subject to the same protection as names, addresses and dates of birth. There are over 6 million CCTV cameras in the UK – it is one of the most heavily recorded countries in the world. These cameras are found in places from private homes to gantries over the motorway, so what can CCTV camera owners do to ensure they don’t fall foul of the new law?
Under many circumstances the use of CCTV can be justified to ensure public safety and satisfy security requirements, so no-one will have to stop recording simply because they are capturing and processing personal data. There may be a case for justifying the scope of the recording, for example a business may have to realign their camera to avoid accidentally capturing data that is not justifiably needed for security or safety. This may mean moving the camera or sensors to a position that only triggers a recording when a person crosses a boundary line.
Anyone using CCTV must inform people present in their premises, that their likeness is being recorded and processed. If a business does not already have a sign informing the public, customers or visitors that CCTV is in operation, then one should be put up as soon as possible. The recording and storage of CCTV footage is considered to be processing that data, so businesses now have an extra legal obligation to ensure the encryption of the footage and secure storage so it cannot be stolen or hacked in to. Signage should reflect that data is being recorded and processed on or off the premises, so customers and visitors are aware.
Another key feature of GDPR is that data is not kept for longer than needed. A customer making a one off purchase of furniture can expect their personal and financial data to be kept for at least a year, if not longer, for tax return and accounting purposes. It would not be reasonable for that data to be kept interminably and CCTV recording is no different. Each camera may have different lengths of time that the footage recorded may be kept for. It may be justifiable to keep internal recordings for longer than external ones, but in both cases this time period must be demonstrably justifiable.
Members of the public have always had the general right to request CCTV footage that identifies them, and there used to be a nominal fee for this service. Under GDPR businesses can no longer charge people to obtain copies of CCTV footage featuring them, but they must also ensure that the footage provided does feature the requester and does not also infringe on the rights of other people not to be identified. This means blurring out the faces and any other identifiable details, such as car number plates, on people that are not the requester. This will probably not happen with every business, but it is important to bear this in mind when installing CCTV cameras and making recordings.
If you are unsure about the boundaries of your current recording, or you need to tighten up the processing and storage arrangements for your CCTV footage get in touch today, as we can provide expert advice on the location of cameras, the monitoring and processing and the storage so that you can demonstrate your compliance with GDPR regarding captured images.