Complying With GDPR and UK DPAThe ICO implements and regulates the General Data Protection Regulation (GDPR) and the UK Data Protection Act of 2018 (DPA). And because you are using the CCTV system to monitor the activities of people outside the boundary of your private domestic property (i.e. workplaces, public areas), it is considered processing of personal data. It, therefore, falls under the UK DPA, which incorporates the GDPR. Following the GDPR principle, personal data which is, in this case, video surveillance data, may only be kept as long as it is necessary. While that means the length of time CCTV footage may be kept is flexible to take into account the different aims and challenges each business has with making use of CCTV surveillance, there are still a few provisions stated by CCTV legislation. Do note though, that as of writing this blog, the GDPR is still in effect, as the UK is still in the post-Brexit transition period. These guidelines may change after this 11-month transition period, which is set to end in December 2020.
Best CCTV installers and Aerial engineers near you
What Do I Do To Ensure Compliance?
If you are putting up a surveillance security system in public spaces (including offices and business areas) or capturing footage in locations outside the boundary of your property using a domestic CCTV system, there are some laws that you must comply with. These include:
Putting Up A GDPR-compliant CCTV Signage
GDPR states that organisations (and individuals who are recording areas that reach outside the boundary of their private property) must notify people (employees, customers, bystanders, pedestrians, etc.) that they are taking their data. One way of doing this is by putting up a CCTV warning sign.
Here are some CCTV signs legal requirements one should take note of:
- A clear and prominent CCTV sign is most important when the surveillance camera is placed discreetly, or in areas where people do not expect to be recorded.
- A CCTV security sign should be clear and prominent.
- Post a CCTV warning sign frequently.
- The reason as to why there is a CCTV camera in the area should be stated.
- Your CCTV sign should be appropriate in relation to size and context. If for example, you are pointing security cameras to a public street, then your sign should be visible to both pedestrians and vehicles.
- Consideration should be paid to what material your sign is made of. If you, for example, are posting it outdoors, consider putting up a sign made of durable material.
- Staff or members of the household should know what to do if someone enquires about the CCTV system. Security cameras in a public area must also show the organisation or individual responsible for the system.
Registering with the ICO as a CCTV Operator or Data Controller
You or someone from your company or your household must register for a CCTV license or with the ICO as a CCTV operator or data controller. By doing so, you can ensure that someone is aware of how to operate the CCTV system, knowing what to do with any data that is asked of them, and making sure that all regulations are being followed.
You may also be required to pay a data protection fee.
Ensuring That Private Spaces Are Not Under Surveillance
While putting up a CCTV system allows you to manoeuvre around some privacy laws, there are still some limitations as to what can go on your CCTV recording. For example, you can’t install a security camera in areas that will capture footage or intrude on interactions and conversations that are private. This includes:
- Fitting rooms or changing rooms
- Comfort rooms
- Areas facing your neighbour’s private property (including garden, doors, and windows)
- Conference rooms
- Bathrooms or locker rooms
- Shower areas
- Bedrooms or hotel rooms
You should also conduct a privacy impact assessment to ensure that you are not intruding on the privacy of your employees, neighbouring households or establishments, guests, and random members of the public.
Regularly Purging CCTV Footage
As mentioned above, CCTV surveillance data may only be kept for a certain period. Usually, such recordings are purged or deleted after 30 days. There are instances, however, where circumstances involving the local authority, among many others, call for the storage of such data for a more extended period.
It is also essential to make sure that all footage is properly disposed of.
Providing Members of the Public Access To The Footage
Members of the public who have been subject to CCTV monitoring are legally allowed, as stated by the Data Protection Law, to request surveillance footage of themselves by using a Subject Access Request.
You may, however, refuse to provide the data subject with a copy of the footage if you are unable to hide the identity of other individuals on the footage or if the footage is part of an ongoing criminal investigation.
If you are unable to provide anyone with a copy of the footage for any reason, you may also invite them for a viewing of the footage, granted that they are amenable to this option.
Get Fast-Service Aerial Repairs and CCTV Installations
Making Sure CCTV Image and Surveillance Footage are Properly Recorded and Stored
As a CCTV operator, you are not authorised to share any footage you may record to individuals not found on any CCTV image. Part of protecting the privacy of those who are recorded is making sure that all footage is properly stored and secured from being accessed by other people during the 30-day data holding time.
Additionally, a data controller may not show the CCTV footage to anyone who does not have an acceptable reason to do so.
Auditing CCTV System Operation and Disclosing Related Findings
Make sure that your CCTV operation complies with legal requirements, policies, and standards by periodically auditing your CCTV system operation. Record and disclose the results of your audit by putting it on a document.
Making Sure There is No Audio Recording Of Any Sort
Recording Conversations between members of the public is prohibited while recording audio at the workplace is only acceptable if the purpose is justifiable, and if employees are made aware that the CCTV system is capturing video and sound. Otherwise, the only exceptions to this are panic buttons in taxis or monitoring conducted in a police custody room.
Why Comply To These Data Protection Obligations?
Non-compliance to the above-mentioned data protection obligations may result in appropriate regulatory action by the ICO and potential legal action by individuals involved. It is, therefore, best to practice the following to avoid any legal entanglements.
While complying with these obligations seem to be mere legal burdens, there are, in fact, some security benefits to following them. More than just being able to avoid getting fined, prosecuted, or incarcerated, complying to these CCTV laws will:
Help you avoid overspending.
CCTV legislation aims to strike a balance between data privacy and security. Hence, it forbids for the development, and deployment, of unnecessarily complicated and expensive security equipment.
Ensure that your ownership of surveillance data will not be taken against you.
Because you are protecting data from your surveillance system in accordance with the DPA, among other legal data protection acts, no one can use your possession of this data against you. Moreover, you may seek the protection of the authorities when someone tries to come after you.
You may refine and strengthen your security strategy.
Because you are required to maintain internal documentation, you will be able to refine and strengthen your security strategy whenever you find the need to.
Now that you’ve gotten an idea on just how much work goes into installing and making sure your CCTV system follows every legal requirement on surveillance systems, you may begin the process of your CCTV system installation. To do this, contact a local engineer or book an appointment with an AerialForce expert today!