A Practical guide to the GDPR & CCTV surveillance
The GDPR is intended to update the Data Protection Act and give individuals more information and control over how their data is used. So, how does this impact CCTV?
For those who run a CCTV system, the act requires you to think and document the use of your system. The ICO have detailed guidelines on this. The purpose of this guide is to look at the practical considerations for most surveillance scenarios.
Let's start with what to consider and document:
Reason for surveillance
Do you know the reason you have, or are thinking about, installing cameras?
Having a strong reason or aim for the installation can help you evaluate if CCTV is the right choice and provide a means to evaluate effectiveness, post installation.
For example, if you're trying to deter vandalism around your property at night, lights may be a more effective deterrent.
Whatever your choice, write it down. This could be a few simple paragraphs outlining your need and the reasons you've made the choice you did.
By knowing your reason for surveillance, you can decide your basis for surveillance which also needs documenting.
As part of your reasons for surveillance, you should note down what precautions you'll take to minimise the impact to privacy. This could include thinking about camera positioning, data retention and keeping your system as physically and cyber secure as possible.
Here are some examples of questions for you to consider:
1. Have you followed the hardening guide for your cameras?
2. Who has access to your security system?
3. Can system access be audited?
4. Are staff aware of data retention policies?
5. Are they followed?
6. Do you have alerts to detect incidents?
Policies and procedures
A key requirement of the GDPR is written documents, particularly policies and procedures. Here's some examples of what you could include:
1. What should be recorded
2. Who can view the footage
3. How long it should be retained for
4. Practical examples of situations and how to respond
5. Finally, ensure that your staff are aware of the policies and they have been trained in them. Your data controller should check understanding and that the policies are being followed.
Areas of extra scrutiny
With the ever-improving array of features in IP cameras, there are some which pose a larger threat to privacy and therefore require more thought:
1. Audio input (particularly where you can record conversations)
2. Automatic number plate recognition
3. Facial recognition
4. High resolution PTZ
All these solutions can be used, but they require more justification than general surveillance. If you choose to use this technology, ensure it's clear on your signage.
Regular (at least annual) reviews
The needs of your organisation change over time, so keeping your assessments up to date is important. The CCTV Data Protection Impact Assessment (DPIA) from the Surveillance Camera Commissioner suggests carrying out a DPIA when:
1. Cameras are added/removed/move position
2. System is upgraded (whole or partially)
3. New system is installed
4. Biometrics are introduced
The government data protection impact assessment is available to download as a template.
Other regular checks could include more practical tasks to keep your system secure like:
1. Are your security feeds encrypted?
2. Is the VMS accessed with user logins for everyday surveillance (i.e. an account without admin rights)?
3. Are there any firmware updates that can be added to the system?
Accountability - named responsible person
The GDPR requires accountability through a named person within an organisation.
This could be your head of security, IT or business owner. In GDPR speak they're known as "data controllers". It's their responsibility to carry out regular checks to ensure that your policies and procedures are adhered to.
Informing the ICO
Unless you're a home user, you need to make the ICO aware that you're using CCTV. This is done by paying an annual fee to the ICO if you use your CCTV for crime prevention.
You'll also need to inform the ICO if you have a breach, for example, if your security footage is hacked.
Other laws which affect CCTV footage
The GDPR isn't the only law that governs security footage, the following also apply:
Network and Information Systems (NIS)
Freedom of Information Act
Protection of Freedom Act
The NIS relates to critical infrastructure like energy, transport, finance and digital infrastructure. As well as emphasising policies and procedures, it requires organisations to manage risk in their supply chain.
The Freedom of Information Act applies to public sector organisations and entitles members of the public to request information. This means a person can request a copy of footage containing them.
While the Protection of Freedom Act introduced a statutory code of practice for CCTV and automatic number plate recognition systems.
From a security system point of view, the GDPR puts personal freedom first, so surveillance is:
1. Used for a specified purpose
2. Not kept for longer than necessary
3. Clearly signposted
A common failing with many organisations is the lack of written documentation. In other words, the organisation has done the hard work but hasn't documented anything.
Hopefully, this guide helps to point you in the right direction to comply with the act.