Time to adjust focus on CCTV
Before Christmas the Office of the Data Protection Commissioner (ODPC) issued an updated and expanded Guidance Note in relation to the use of CCTV. What has changed?
One of the most significant changes is the requirement that “a written CCTV policy must be in place”. In previous guidance the Data Protection Commissioner had simply stated the type of information that must be provided to those recorded using CCTV.
There is also a new section in the guidance dealing with proportionality. In Irish data protection law, the concept of proportionality is one of the core obligations placed upon those who control data, called data controllers. Irish law provides that personal data must be collected and processed in a manner that is “adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed”.
The guidance note provides that data controllers who use CCTV should:
- Conduct and document a risk assessment process
- Conduct and document a privacy impact assessment
- Prepare a specific data protection policy dealing with CCTV devices, which should include data retention and disposal policies for the CCTV footage recorded
- Be able to demonstrate, using documentary evidence, previous incidents that have led to security or health and safety concerns that may justify the use of CCTV
- Prepare and display clear signage indicating that there is image recording in operation
My organisation uses CCTV, what should I do?
It’s unlikely that all of the steps outlined above would have been carried out by many organisations previously, and even less likely that they would have been formally documented. We recommend that data controllers take action now to comply with the guidance. Taking these steps will reduce the likelihood of issues arising in relation to your CCTV use in the future, or your ability to rely on CCTV footage, when it’s important. Moreover, by taking the recommended actions now, organisations will also be moving towards complying with certain obligations in the EU’s new general data protection regulation, which has almost been finalised and will come into force in Ireland two years after its enactment.
When installing CCTV a data controller must be able to demonstrate that there is a legitimate justification for collecting personal data on a continuous basis. The location of the device capturing the images should be carefully considered. For example, CCTV can often be justified when used to keep premises secure. Cameras recording images at the perimeter of the premises that capture personal data are likely to be found to be permissible. The cameras should be positioned in such a way as to prevent or minimise recording of passers-by or of another person’s property. It’s much harder to justify CCTV use for security in areas where individuals would have a reasonable expectation of privacy, such as toilets.
It is generally unlawful to use CCTV to secretly obtain personal data without an individual’s knowledge. Usually the only time covert surveillance is lawful is when it used in a specific case, for a limited time and in a focused way to prevent, detect or investigate offences, or to apprehend or prosecute offenders. If no evidence is obtained within a reasonable period, the covert surveillance should cease. If a controller uses covert surveillance it should have a written policy recording the purpose, justification, procedure, measures and safeguards involved in the process. The ODPC states that the aim of covert surveillance should be the involvement of An Garda Síochána, or some other prosecution authorities, or the issue of civil legal proceedings, connected with the offence.
Access requests and retention periods.
An organisation must also ensure that it can provide people with copies of images captured by the system, when requested to do so. Any person captured on a CCTV recording has a right to write to the data controller and be supplied with a copy of their personal data from the footage.
Retention periods for data should also be managed, and must be justifiable. The ODPC states that images captured by CCTV, used exclusively for a normal security system, generally should not be retained for over a month, unless the images identify an issue.
An Garda Síochána.
The ODPC has changed the guidance relating to interaction the Gardai, and has recommended more formal processes be followed when a data controller is asked to cooperate with the Gardai. While the Gardai may be permitted to view CCTV footage informally, the ODPC now provides that allowing downloads of CCTV footage must be in writing, and must deal with a specific subject matter set out tin the guidance.
Organisations that outsource CCTV to third parties should review their arrangements with these service providers. Employers that monitor employees using CCTV, or the areas in which employees work or congregate, should review their employment policies or staff handbooks to ensure that CCTV use is dealt with in accordance with the Guidance Note.
If your organisation uses CCTV it is time to review your use, and make the changes needed to comply with the Data Protection Commissioner’s new Guidance Note.
Deirdre Kilroy is head of Technology & intellectual property with LK Shields Solicitors