The deadline for the General Data Protection Regulation is fast approaching on the 25th May 2018. Did you know most businesses are unaware that GDPR will affect their CCTV systems?
If your business has CCTV that captures images of data subjects, whether for security or for health and safety on site, imagery that is identifiable is considered personal data under the GDPR, so for data protection purposes it will require the same attention that is put into other areas of your business.
Watch Systems Limited have put together a CCTV GDPR Checklist to help your business with CCTV.
Installing a CCTV System
Your business needs to identify and document the effect on individuals’ privacy, and this needs to be taken into consideration when installing and operating the CCTV system. You need to regularly review whether CCTV is still the best security solution for your business.
For internal workplace cameras, consider the greater expectation of privacy in certain areas such as toilets & changing rooms.
Consider the differing impacts of camera technologies. For example, a fixed camera might be more appropriate than a Pan-Tilt-Zoom. A system that records sound will be significantly more intrusive and harder to justify than one without.
If your business has CCTV, you should register with the Information Commissioner’s Office (ICO).
Privacy Notices & Policies
Your business needs a policy to cover the use of CCTV and needs a selected individual who is responsible for the operation of the CCTV system.
A policy will help you to use CCTV consistently. The policy should cover the purposes you are using CCTV for and how you will handle this information, including guidance on disclosures and recording. It is good practice to assign day-to-day responsibility for CCTV to an appropriate individual. They should ensure that your business sets standards, has procedures and that the system complies with legal obligations, including individuals’ rights of access.
Subject Access Requests (SAR)
Your business needs to establish a process to respond to individuals or organisations making requests for copies of the images on your CCTV footage and to seek prompt advice from the Information Commissioner where you are uncertain.
Be aware of people’s right to request a copy of their image (including staff) and be prepared to deal with these. These rights exist for both staff and customers.
Have a clear policy that will help you deal with requests effectively. Requests can be made verbally or in writing, so your policy should include how to record any requests you receive verbally.
You must provide the information as soon as possible and at the latest within one month of receipt of the request.
An individual should not have any greater difficulty in requesting their data when this is an image compared to a document or computer file. Providing information promptly is important, particularly if you have a set retention period which conflicts with the statutory response period. In such circumstances it is good practice to put a hold on the deletion of the information.
When dealing with individuals’ requests for personal data you should carefully consider information about third parties, just as you would if they were mentioned in a document or computer file that was the subject of a request.
Documenting the subject access requests you receive and how you have handled them will help you manage requests and deal with any challenges.
You should not provide images to third parties other than law enforcement bodies to assist them in the detection or prevention of a crime. You should have a process in place to enable you to do this as quickly as possible.
Training for your staff
Your business needs to train its staff in how to operate the CCTV system and cameras (if applicable) and how to recognise subject access requests for CCTV information/images.
Make all relevant staff aware of your CCTV policy and procedures and train them where necessary.
Your business should only retain recorded CCTV images for long enough to allow for any incident to come to light (e.g. for a theft to be noticed) and to investigate it.
You should retain data for the minimum time necessary for its purpose and dispose of it appropriately when no longer required. Your retention period should not be based merely on the storage capacity of your system but reflect how long you need the data for the purpose.
Your business should securely store CCTV images, limit access to authorised individuals and regularly check that the CCTV system is working properly.
You must sufficiently protect all information to ensure that it does not fall into the wrong hands.
Poor security can lead to your cameras’ feeds being viewed by criminals.
Please do not hesitate to contact Watch Systems Ltd with any queries around GDPR for the CCTV system on your business premises. We are more than happy to hold a workshop and advise on how to make your CCTV system GDPR compliant.