The use of CCTV surveillance (“CCTV”) requires the user to have certain measures and controls in place. Measures can range from signposting that makes the public aware CCTV is being used through to having a compliant CCTV policy and checklist. The data obtained through the use of CCTV falls under data protection legislation. This means that capturing individuals’ information must comply with the UK GDPR and any other relevant statutory obligations.
Technical and Organisational Measures for CCTV
Those with obligations under the UK GDPR and DPA 2018 are required to develop and implement appropriate technical and organisational measures. But what does the GDPR define as technical and organisational measures?
Such measures and controls ensure processing is secure and compliant. Adequate and effective measures should aim to unify your data protection framework, prevent data breaches and ensure privacy by design. Simply put, technical and organisational measures are the functions, processes, controls, systems and procedures that protect and secure the personal information that you process.
CCTV in a Privacy Notice
In addition to having a compliant CCTV policy, you should also refer to the use of CCTV within your privacy notice(s). This ensures that all relevant individuals know and understand the reasons for CCTV use, the legal basis for processing and what their rights are. It is best practice to have separate privacy notices for employees and the general public (i.e. visitors, customers, clients etc.).
Your privacy notice should document the reason(s) for using CCTV, as well as the legal basis on which you are relying for processing. You should also explain how an individual can request access to their personal data.
Data Protection Impact Assessment for CCTV
In certain situations, the use of CCTV must be accompanied by a Data Protection Impact Assessment (DPIA). This helps the business to ensure that the use of CCTV is necessary. It also enables the assessment of the impact of such recordings on the individuals involved.
DPIAs should be reviewed at least annually to ensure that the original reasons for use and legal basis being relied upon are still valid and necessary. In some scenarios, the use of CCTV can be intrusive and can compromise an individual’s privacy and rights. Where this is the case, a DPIA is mandatory to verify and demonstrate that recorded surveillance is the most appropriate and effective solution to obtain the required personal data.
CCTV Policy Template Objectives
Whether you are writing your own CCTV Policy or you are using a template, you should ensure that your obligations and objectives are clearly set out. Objectives in a policy define what your business intends to do to comply with the relevant regulations and/or legislation. They also set out the statement of intent for employees and third parties to follow.
Examples of objectives that can be used in your CCTV policy template include (but are not limited to):
- Ensure signposting is used so that employees, visitors and the public are notified about the use and locations of CCTV.
- Adhere to the UK GDPR and ICO CCTV Code of Practice.
- Have a compliant CCTV policy in place to ensure that the use of CCTV is valid, necessary and legal.
- Complete a Data Protection Impact Assessment on an annual basis to ensure that the use of CCTV is necessary and compliant.
- Appoint an employee with oversight of CCTV impact assessments, reviews, use, signage and monitoring.
- Protection and transparency for [patients; general public; customers; clients; employees; visitors; insert entity].
- Document the reason(s) for using CCTV and the legal basis upon which the business is relying.
- Update privacy notice(s) with the use of CCTV, including technical and organisational measures and the legal basis for processing.
- Ensure all CCTV images and/or footage are as clear as possible and are regularly reviewed to ensure that the footage is of a high resolution.