What impact will GDPR have on your CCTV systems?

559f1a3ebd2f22fd7a728654a05a8a92

There are now less that nine months to go before the General Data Protection Regulation (GDPR) comes into force replacing the Data Protection Act 1998 (DPA).

So what should operators and controllers of CCTV and video systems be doing now? The short answer is, ensure you are complying with the current law and don’t believe the doom merchants:

“The GDPR will require a wholesale reassessment of data protection for the UK’s millions of CCTV cameras, which so far have gained from relatively light touch regulation.”

The ICO CCTV Code

Overt CCTV camera systems are regulated by the DPA. The Information Commissioner’s Office (ICO) revised its CCTV Code of Practice in 2015 to:

  • reflect the developments in existing technologies that have taken place in the last six years,
  • discuss the emergence of new surveillance technologies and the issues they present (e.g. drones and body worn cameras etc.)
  • reflect further policy development in areas such as privacy impact assessments,
  • explain the impact that new case law has had on the area of surveillance systems
  • reflect the wider regulatory environment that exists when using surveillance systems.

The ICO has produced a CCTV self-assessment tool that will help you assess your compliance with its code.

Jonathan Bamford, then the Head of Strategic Liaison at the ICO, emphasised in his blog post at the time of the consultation in to the new CCTV code that the that the underlying principles remain the same.  And the same can be said about GDPR’s impact on CCTV systems. All the familiar provisions found in the DPA are there in the GDPR including the need for transparency, security, respect for individuals’ rights etc.

Data Protection Impact Assessment

One area, which needs particular consideration, is whether a Data Protection Impact Assessment (DPIA) needs to be undertaken before setting up a new CCTV system. DPIAs (also known as Privacy Impact Assessments) are a tool which can help Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal information. A well-managed DPIA will allow Data Controllers to identify and fix problems at an early stage, reducing the associated costs and damage to reputation that might otherwise occur.

A DPIA is required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1) of GDPR). Such processing, according to Article 35(3)), includes “large scale, systematic monitoring of public areas (CCTV)”.

Even where your CCTV does fall into this category it may still be deemed to be “high risk.” The Article 29 Working Party’s data protection impact assessment guidelines set out the criteria for assessing whether processing is high risk. This includes systematic monitoring of individuals.

For its part the CCTV code emphasises the importance of conducting a privacy impact assessment before undertaking surveillance using CCTV, especially when fitted to drones e.g. broadcasters seeking to gather footage for production purposes, police forces conducting surveillance on suspects, or construction companies monitoring job progress.

For more on DPIAs including how it should be conducted and by whom, please read our DPIA blog post. Other points to consider in relation to CCTV systems include:

If a CCTV system is being used for employee monitoring, then other aspects of GDPR will come into play as well as, in some cases, Part 2 of the Regulation of Investigatory Powers Act (RIPA). For more on this topic see our blog post and forthcoming webinar.

The PoFA Surveillance Camera Code

Just to complicate things a bit more, some organisations also have to comply the Surveillance Camera Code (PoFA code). Made in 2013, pursuant to the Protection of Freedoms Act 2012 (PoFA), this code governs the use of CCTV and ANPR systems by local authorities and policing authorities in England and Wales.

The Surveillance Camera Commissioner (in charge of the PoFA code) has set up a voluntary certification scheme. He says on his website:

“Over the coming weeks and months we will look at what else will be useful or necessary to support those using surveillance cameras on their journey to compliance. At the same time I can reassure you that we are working hard with certification bodies to adjust our independent third party certification scheme to ensure that if you or your organisation acquire that standard it is very likely that you will measure up to the new requirements under GDPR. Many police forces, local authorities, large retailers and transport networks sit within that category and I aim to broaden that base – outward reassurance to the public concerning inward compliance!”

GDPR will have an impact on CCTV and other video recording systems. But there is not going to be a revolution. If time is spent on complying with the current law by making use of existing resources (as explained above), there will be no need for a big jump into GDPR land.

Learn more about GDPR on our full day workshop. We also offer a GDPR health check service. 5 out of our next 7 GDPR Practitioner Certificate courses are fully booked. Be prepared and book your place now. 

Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.

Leave a Reply

%d