
CCTV and Data Privacy: What’s the story?

A sensible and well-designed CCTV system is a powerful tool for deterring criminals and tackling security issues. On the other hand, badly designed systems cause legal and PR problems while generating a false sense of security.

In our experience, privacy and security are not mutually exclusive. We find a pragmatic approach based on the twin principles of selectivity and proportionality can deliver a more effective CCTV system than blanketing the premises with unusable cameras. CCTV can and should be used selectively and should only target specifically identified security problems, thus minimising irrelevant footage.

When considering CCTV, it's worth reiterating the roles of data controllers and data processors. The organisation(s) that decides to implement the CCTV system is the data controller. If a third party is involved in maintaining or monitoring the CCTV system, they are probably the data processor. The data controller is primarily responsible for compliance with Irish data protection law. Even if the data controller has outsourced CCTV operations completely to a security company, the controller can't outsource its legal responsibilities. In the case where two companies jointly decide to implement a CCTV system, perhaps a landlord and a tenant, both companies are responsible for any damages (Art 82 (4) GDPR).

Personal data

Since 2018, personal data has had a very wide definition in Irish law, covering both directly and indirectly identifiable data. When we talk about CCTV, directly identifiable data would cover recognisable facial images; indirectly identifiable data might include vehicle number plates recorded by a camera near a boundary fence. Both must be handled as personal data.

Privacy by design

Data protection thinking and legislation now rely heavily on the concept that privacy safeguards must be built into the design that the organisation uses as well as into its processes and internal controls.

When installing or updating a CCTV system, an initial data protection assessment should be carried out with the assistance of a specialist well before a tender for new acquisitions is issued or any financial commitments are made. This will help prevent costly mistakes.

Impact assessment

The Data Protection Commission recommends that a privacy and data protection impact assessment should be carried out before installing and implementing CCTV systems.

The purpose of the impact assessment is to balance the impact of the proposed system on individuals’ privacy with the needs of the organisation. Often an outcome of the assessment is the identification of ways to mitigate or avoid adverse effects. The organisation can, calmly and with good advice, produce a document which explains and justifies its decision, to have as an insurance policy in advance of a crisis.

Warning signs

Finally, due to their complexity, novelty, specificity, or inherent risks, the following suggest that a detailed impact assessment is needed:

  1. Purposes other than security
  2. Covert Surveillance
  3. Employee monitoring
  4. Special categories of data
  5. Location under heightened expectations of privacy
  6. High-tech and/or intelligent video-surveillance
  7. Internet of things
  8. Sound recording

Data Protection Commission

In Ireland, the DPC, as the statutory authority, has taken a very aggressive stance on CCTV, especially in employment situations. Table 1 below shows a selection of case studies which the DPC has chosen to highlight their concern over the past few years.

 

| DPC report | Case # | Issue | Summary finding (*our summary) | Industry / Sector |
|---|---|---|---|---|
| 2007 | 3 | Using CCTV to respond to a query about tidiness | In breach of the data protection acts | Gym |
| 2008 | 10 | Using CCTV to monitor staff attendance | Lacking transparency and proportionality | Office |
| 2011 | 9 | Remote monitoring of staff | Infringing on the legitimate privacy expectation of staff | Gym |
| 2015 | 5 | Monitoring canteen with CCTV | No justification for CCTV from a security perspective | Supermarket |
| 2015 | 9 | Covert CCTV | Covert CCTV only for use on a case by case basis for matters that are crimes | Hospital |
| 2015 | 12 | Accidentally recording an offence | Unfairly obtained CCTV, i.e. fair processing requirement not met, can’t be used | Coach/Bus |
| 2017 | 4 | Legitimate use in a disciplinary case | The commissioner was satisfied adequate notice was given. | Security monitoring |

Table 1 Selection of DPC CCTV cases

Output

The impact assessment should be adequately documented and signed off by an appropriate level of management. It needs to clearly specify the risks to privacy and/or other fundamental rights that the organisation has identified and any additional safeguards proposed.

A solution description document could be incorporated into the impact assessment. It needs to contain a list of CCTV camera locations and purposes as well as details about the central control system. Here the organisation should document the controls in place, both technical and organisational.
