A sensible and well-designed CCTV system is a powerful tool for deterring criminals and tackling security issues. On the other hand, badly designed systems cause legal and PR problems while generating a false sense of security.
In our experience, privacy and security are not mutually exclusive. We find a pragmatic approach based on the twin principles of selectivity and proportionality can deliver more effective CCTV systems than blanketing the premises with unusable cameras. CCTV can and should be used selectively and should only target specifically identified security problems, thus minimising irrelevant footage.
When considering CCTV, it's worth reiterating the roles of data controllers and data processors. The organisation(s) that decides to implement the CCTV system is the data controller. If a third party is involved in maintaining or monitoring the CCTV system, they are probably the data processor. The data controller is primarily responsible for compliance with Irish data protection law. Even if the data controller has outsourced CCTV operations completely to a security company, the controller can't outsource its legal responsibilities. In the case where two companies jointly decide to implement a CCTV system, perhaps a landlord and a tenant, both companies are responsible for any damages (Art 82 (4) GDPR).
Since 2018, personal data has had a very wide definition in Irish law, covering both directly and indirectly identifiable data. When we talk about CCTV, directly identifiable data would cover recognisable facial images; indirectly identifiable data might include vehicle number plates recorded by a camera near a boundary fence. Both must be handled as personal data.
Privacy by design
Data protection thinking and legislation now rely heavily on the concept that privacy safeguards must be built into the design that the organisation uses as well as into its processes and internal controls.
When installing or updating a CCTV system, an initial data protection assessment should be carried out with the assistance of a specialist well before a tender for new acquisitions is issued or any financial commitments are made. This will help prevent costly mistakes.
The Data Protection Commission recommends that a privacy and data protection impact assessment should be carried out before installing and implementing CCTV systems.
The purpose of the impact assessment is to balance the impact of the proposed system on individuals’ privacy with the needs of the organisation. Often an outcome of the assessment is the identification of ways to mitigate or avoid adverse effects. The organisation can, calmly and with good advice, produce a document which explains and justifies its decision, to have as an insurance policy in advance of a crisis.
Finally, due to their complexity, novelty, specificity, or inherent risks, a detailed impact assessment is suggested in the following cases:
- Purposes other than security
- Covert Surveillance
- Employee monitoring
- Special categories of data
- Location under heightened expectations of privacy
- High-tech and/or intelligent video-surveillance
- Internet of things
Data Protection Commission
In Ireland, the DPC, as the statutory authority, has taken a very aggressive stance on CCTV, especially in employment situations. Table 1 below shows a selection of case studies which the DPC has chosen to highlight its concern over the past few years.
| DPC report | Case # | Issue | Summary finding (*our summary) | Industry / Sector |
|---|---|---|---|---|
| 2007 | 3 | Using CCTV to respond to a query about tidiness | In breach of the data protection acts | Gym |
| 2008 | 10 | Using CCTV to monitor staff attendance | Lacking transparency and proportionality | Office |
| 2011 | 9 | Remote monitoring of staff | Infringing on the legitimate privacy expectation of staff | Gym |
| 2015 | 5 | Monitoring canteen with CCTV | No justification for CCTV from a security perspective | Supermarket |
| 2015 | 9 | Covert CCTV | Covert CCTV only for use on a case-by-case basis for matters that are crimes | Hospital |
| 2015 | 12 | Accidentally recording an offence | Unfairly obtained CCTV (i.e. fair processing requirement not met) can’t be used | Coach/Bus |
| 2017 | 4 | Legitimate use in a disciplinary case | The commissioner was satisfied adequate notice was given. | Security monitoring |
Table 1 Selection of DPC CCTV cases
The impact assessment should be adequately documented and signed off by an appropriate level of management. It needs to clearly specify the risks to privacy and/or other fundamental rights that the organisation has identified and any additional safeguards proposed.
A solution description document could be incorporated into the impact assessment. It needs to contain a list of CCTV camera locations and purposes as well as details about the central control system. Here the organisation should document the controls in place, both technical and organisational.