Smile. You’re on camera… and your data is being processed. This seems to have been causing many concerns lately, in particular when CCTV users are deciding whether they need to disclose footage.
Data protection implications
CCTV usually captures personal data. Whether that’s by capturing images of individuals, car registration plates, or other data that identifies individuals, CCTV usage is a data processing activity and needs to comply with data protection laws. Amongst other things, this means CCTV data must be processed lawfully and securely, be limited to only what is necessary, and kept for no longer than is needed to fulfil its original purpose.
Lawful use of CCTV
As with any other type of data processing, for CCTV to be lawful, there needs to be a lawful basis. Of the six lawful bases set out in the GDPR, the one that usually applies is legitimate interests. It’s unlikely that you will realistically be able to obtain sufficient consent from every person whose data you might capture in this way. A sign saying, ‘By entering these premises you consent to being captured on CCTV,’ won’t usually meet the GDPR criteria for valid consent. The other lawful bases will likewise only apply very narrowly to the use of everyday CCTV.
So if your organisation does use CCTV, you will almost always need to have a valid, recorded legitimate interest, which does not outweigh the rights and freedoms of the individuals whose personal data you capture.
Further compliance requirements for CCTV
Organisations that use CCTV will need to register with the ICO to pay their annual data protection fee as a data controller.
The use of CCTV needs to be explained in a privacy notice, and data subjects need to be informed of the processing before it occurs. In practice this means you will need signage at the entrance to areas where CCTV is in use, before the recording takes place, and a CCTV policy.
There are further privacy safeguards to be applied for exceptional uses of CCTV, such as covert recording, or recording in places individuals would expect a greater degree of privacy, like fitting rooms or toilets. Such intrusive uses will rarely, if ever, be justified under the legitimate interests test.
You may be asked to disclose footage you hold through subject access requests (SARs) under the data protection legislation. You might also receive freedom of information requests from members of the public (if you’re a public authority); or general requests to view footage outside of these two statutory rights.
For SARs, the requester will need to provide enough information for the controller to identify the data in question. If the footage includes any third party personal data, this will need to be redacted, i.e. blurred or blanked out.
The right of access gives individuals the right to copies of their data, as long as this does not adversely affect the rights and freedoms of others. This means if your organisation does not have the capability to redact third party personal data, you can’t provide copies, but may instead be able to meet your obligations by inviting the person making the request to view the footage on site.
In most cases, responding to general disclosure requests, perhaps from the media, insurance bodies, or members of the public, will be at your organisation’s discretion and should be governed by a CCTV policy. In all cases, your organisation needs to make sure that it is protecting personal data when disclosing CCTV footage, and that all of its other data protection obligations are met.