Technical Focus: Is your CCTV system compliant with GDPR?
This month our technical focus is on the impact GDPR has had on CCTV systems since its implementation date of 25th May 2018.
The GDPR sets out how organisations can handle personal data; what principles they must abide by when processing personal data; and the technical and organisational measures they should have in place to safeguard the information. This personal data includes images captured by CCTV, as well as personal details held about individuals.
It is important for businesses that operate a CCTV system to be aware of potential GDPR pitfalls.
Here are 7 tips to help you stay GDPR compliant:
1. Display Signage – The CCTV operator must let people know they are using CCTV. Signs are the most common way of doing this. The signs must be clearly visible and readable, and should include the details of the organisation operating the system.
2. Register with the ICO – All companies operating a CCTV system must register with the Information Commissioner’s Office on an annual basis. Failure to do so may result in footage being deemed inadmissible in a court case. You can find out more on the ICO website.
3. Assign Responsibility for CCTV – Make sure someone in the organisation has been assigned responsibility for CCTV images, deciding what is recorded, how images should be used, who has access to footage and to whom images can be disclosed. Have clear procedures on how to use the system. As a business owner, you should make regular checks to ensure the procedures are followed.
4. Consider the Coverage Area – If a camera is being positioned in a public place, the operator may need to complete a Data Protection Impact Assessment (DPIA), which is a risk assessment documenting the reason for the camera, and the measures to protect the personal information captured. More information on DPIAs can be found in our partner Axis Communications’ white paper on CCTV and GDPR.
5. Be aware of Retention Periods – CCTV operators are not allowed to retain images indefinitely – organisations should have a retention policy and should only keep images for as long as necessary to meet the purpose of recording them. Where multiple recorders are in operation, they should have a standard retention period.
6. Respond to Subject Access Requests – Under GDPR, anyone can make a “Subject Access Request” for the footage held on CCTV of themselves. If a CCTV operator is asked to provide CCTV images through a Subject Access Request, they will have 30 calendar days to provide these images. This is assuming the individual requesting the images can help to prove they are the individual in the images.
7. Disclosure Restrictions – CCTV operators are not allowed to disclose images of identifiable people to the media – or to put them on the internet for entertainment. A key point in terms of disclosure is that images of members of the public within the CCTV footage are masked BEFORE the footage is given out under a subject access request. Our CCTV partner, Axis Communications, demonstrates how this can be achieved with the Axis Camera Station in the video below: