There are six steps required in order for a CCTV system to comply with the GDPR.
1. Reason for the CCTV system.
2. Informing people of its presence and use.
3. Retention policies regarding recorded footage and images.
4. Access requests for personal data.
5. Assisting the Gardaí.
6. Verification of Use.
1. REASON FOR THE CCTV SYSTEM
Is your CCTV system justified?
If you are placing cameras in your store to deter or detect shoplifting, then this is easy to justify. If you have installed a camera to monitor employees, then it is not as straightforward, as it can be seen as an invasion of privacy. If you can prove that the cameras are there for Health & Safety reasons, highlighting incidents in the past, that may be acceptable. Maybe there is a safe in the staff room that needs to be monitored?
What images will be captured and why?
When you are capturing images where someone would expect privacy, for example in a bathroom or on a public path, then you must justify the need. If there has been an obvious level of security incidents, then this must be proven to allow for the presence of the cameras.
You need to carry out a risk assessment itemising each camera, the intended viewing area, and the reason for the camera. Resolution and intended recording time should also be recorded in the assessment.
2. INFORMING PEOPLE OF ITS PRESENCE AND USE
You must inform people of CCTV presence
The purpose for which data is being collected should be clear. This is especially important if the purpose is not as obvious or straightforward, such as employee monitoring or Health & Safety reasons. The reason needs to be highlighted to any person being captured by the cameras. One or more signs highlighting CCTV use, with a contact number for anyone wishing to follow up, are sufficient. It is also good practice to state in employment contracts and your data protection policy that cameras are used and footage may be recorded.
Redactus can assist clients with signage design and templates.
3. RETENTION POLICY
A Data Controller needs to justify reasons for storing and retaining data.
A standard CCTV system allows 30 days retention of data. If you feel you need to retain CCTV data for longer, then your risk assessment should state how long and why. Longer retention times are allowed where you can prove past incidents, reasons, etc.
Redactus can assist in ensuring that best practice in this area is achieved. Our software can also monitor retention times and provide audited proof.
4. ACCESS REQUESTS
Access Requests for personal data
GDPR states ‘Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage.’
Anyone who is captured by your CCTV cameras has the right to request that footage, as it is seen as personal data. They must follow a footage request procedure, but are perfectly within their rights. However, if any other individuals are visible in the footage, there needs to be a footage redaction service in place to ensure their faces are blurred before the footage is shared or downloaded.
Usee can provide you with a means to control the whole footage request process, and perform the redaction service on the footage if required.
5. ASSISTING THE GARDAÍ
Supply of CCTV images to the Gardaí
The Gardaí may request footage from you, although they must have a valid reason for the request. Although the request or process may be time-consuming and inconvenient, you may feel obliged to cooperate.
As with general public requests, Usee can provide a service to liaise with the Gardaí directly regarding all footage requests.
6. VERIFICATION OF USE
Responsibilities of security companies
Security companies act as Data Processors under GDPR. ‘Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place; and what verification procedures may apply.’
Ensure that any subcontractors working on your behalf, e.g. security guards or alarm engineers, also follow this procedure. You will be open to data breaches if a third party can distribute, or remove, personal data in the form of CCTV images without following the above procedures.
Taking all the above into consideration, many companies need to look at their security arrangements and ensure there are no likely breaches of regulations. An innocent oversight could result in a hefty penalty for your business. It is no longer acceptable to ‘not understand’ or ‘not be aware of’ the laws associated with CCTV systems. While it is quick and easy to purchase and install your own passive CCTV system, without the input of professional security service providers you may leave yourself open to prosecution and fines.
The Redactus team are very clear on the necessary requirements under the new GDPR and will assist all clients in adhering to these regulations. If you have any doubts over your CCTV system and would like to discuss how Redactus can help you meet your requirements under the GDPR legislation, contact a member of the Redactus team today.