Questions to test your CCTV compliance with the GDPR
To help provide an answer, we've created a simple set of questions with yes/no answers and guidance on how you can move to the next step. If you're a home user, then you can stop reading now, as this applies to businesses and organisations only.
Do you have an aim or need for the camera/system?
Great, document what this is and move on to the next question.
Write down your reason for using CCTV. This doesn't need to be lengthy, just a few paragraphs.
Have you considered the alternatives?
Great, document this and move on to the next question.
Investigate if there's anything else that could achieve your aims.
For example, if your aim is to improve adherence to health and safety, then staff training could be more effective.
If a CCTV system is the most effective way to meet your needs then continue.
Will your system show individuals?
When you're showing individuals, this risks their privacy. To help mitigate this risk, answer the next question.
Skip to the question below - Do you view footage in real time?
Have you considered privacy?
Great, if that’s been included in your documentation you’re ready to move on to the next question.
Think about how your footage could impact privacy. If you have a 4K ultra HD PTZ that can follow a person on a street, that's more invasive than a 2MP static camera which gives an overview of a scene.
If your reason for filming means you need to identify people, then consider how you do this. More on that in the questions below.
Do you capture public areas like roads and paths?
Can your field of view be adjusted so that only your own site is under surveillance? If not, then consider the next question.
OK that's fine, you can move on to the next question.
Do you view your footage in real time?
The next question is crucial for you.
This is less risky from a privacy point of view. On to the next question.
Is your footage stored securely?
Great news! Have you considered both physical and cyber security? If yes, then on to the next question.
Can you make the area where footage is viewed physically secure? If you have a control room, can you restrict those who enter? Can you take any measures to ensure the footage isn't overseen, perhaps by adding a privacy film to windows?
There are some exceptions to this. For example, if you can see the live footage of a shop, this can be OK as long as it shows what you could see by looking around.
Also consider the cyber security of your system. Is the footage encrypted? Has the default password been changed for all cameras? Is the firmware up to date?
That's good news. How is this enforced?
That's good news. How is this enforced?
Document (with reasons) how long you need to keep your footage and then ensure that older footage is deleted (unless it's being kept for evidence). Typically 31 days is enough time for an incident to come to light.
Have you got "CCTV in operation" signs?
That's good news, you can move on to the next question.
Add CCTV signage to your site. It should be prominent and adequate. You should show who's filming (your logo), why you're filming and contact details.
Do you have policies and procedures for CCTV?
Great, move on to the next question.
Documentation is crucial. Your policy could include:
- Purpose of recording
- What should be recorded
- Who should have access to your footage
- How long your footage will be kept for
Your procedures should look at what to do in certain scenarios. For example, if you have a theft, how should it be investigated? The procedures should also mention who's responsible for controlling your data and what checks are in place.
Do you regularly review your requirements?
Well done, this is a crucial step.
Carry out a review at least annually to make sure your procedures are being followed. The ICO, in their Data Protection Impact Assessment (DPIA), suggest that you also carry out a review when:
- Cameras are added/removed or change position
- The system is upgraded
- A new system is installed
- Biometrics (i.e. facial recognition) are implemented