Your CCTV and new data protection regulations

The British Security Industry Association estimates that there are up to six million CCTV cameras in operation across the UK. Indeed, the UK is often referenced as being one of the most surveillance countries in the world.

The use of CCTV is covered by the Data Protection Act (DPA) and with the new general data protection regulations (GDPR) recently coming into effect, most businesses are aware that personal data must be processed lawfully and transparently – although many are still unaware that this includes the use of CCTV.

The Information Commissioner’s Office (ICO) recommends that organisations using CCTV systems conduct a data privacy impact assessment to ensure CCTV operations are justified and legitimate.

Being able to explain why your organisation is using CCTV is vital to ensuring compliance with the new GDPR. In most cases businesses can rely on legitimate interest, for example, security of a vacant property, for operating CCTV however, they are also required to justify this against the size of the area being monitored.

Under the new GDPR, personal data can only be processed for as long as its purposes requires it so businesses should review their CCTV usage and determine how long footage is kept for. This will vary of course depending on the purpose of the CCTV system but organisations should be aware that indefinite data retention times or waiting until the system overwrites previous footage is not considered to be good practice.

People captured on CCTV are entitled to request access to the footage, which may result in businesses being required to share footage. Organisations must not disclose personal data about other subjects as part of this data-sharing process so this may require parts of the footage to be blurred before it is handed over.

Protecting CCTV data while it is being accessed and when it is stored is essential to ensuring confidentiality. Footage should only be viewed by authorised personnel and either encrypted when stored or accessed electronically, or securely locked away if it is being physically stored.

“The use of CCTV is not discouraged under GDPR,” reassures Michael Knibbs, Operations Manager, SafeSite Security Solutions.

“There is now a more equal balance between the rights and interests of the operator and data subjects.

“Displaying clear signage explaining that CCTV is in use in that area and where further information can be found is an important step to ensuring compliance with the GDPR.”

Further information regarding the use of CCTV systems is available on the Information Commissioner’s Office website.