CCTV regulation and compliance: Surveillance footage and the new GDPR information security standard
CCTV compliance: Grey area Number 1
CCTV regulation has been something of grey area. Firstly, since 24 October 2001, there has been a requirement for businesses using CCTV to register with the Information Commissioner’s Office (ICO). The registration is essentially a declaration that the business is processing Personal Identifiable Information, or PII. This is because CCTV footage may enable people to be identified.
In the main, the vast majority of organisations and businesses where CCTV is installed and there is public access are in scope of the requirement to register:
- The Data Protection Act 1998 requires every data controller (e.g. organisation, sole trader) who is processing personal information to register with the ICO, unless they are exempt.
- If you use CCTV on your business premises for the purpose of crime prevention, you need to register with the Information Commissioner’s Office.
With approximately 5.4 million SMEs in the UK and some 465,000 businesses registered on the ICO’s database, about 8.6 percent. While many of the 5.4 million SMEs are unlikely to be in scope because they simply do not utilise CCTV, it is likely that there are many that are in breach of the regulation.
CCTV compliance: Grey area Number 2
Secondly, October 2014 saw the publication of ‘In the picture: A data protection code of practice for surveillance cameras and personal information’ by the Information Commissioner’s Office (ICO).
This was nothing less than a root and branch overhaul of best practice and regulatory code for security and surveillance systems. This was the first guidance issued since 2000 under the Data Protection Act (DPA) 1998.
The grey area here is that it is guidance in the shape of a code of practice. It essentially means that businesses and organisations need to self-regulate voluntarily. There will be consequences should a breach of privacy actually occur and come under scrutiny of the regulator, however, there is little to compel compliance.
Essentially there are no fines for breaking the ICO code of practice. The code is not enforceable; it is a guide to best practice. However, the majority of surveillance systems are used to monitor or record the activities of individuals. Recording is essentially the collection of PII.
The reason that an enforceable code was avoided was because privacy and security have to co-exist side by side. In combination with the DPA, the ICO code of practice is designed to bring the needs for privacy and security together, by safeguarding privacy without throwing insurmountable obstacles in the way of security.
GDPR and the need for certainty and clarity around CCTV compliance
The problem with such voluntary codes is that because CCTV and information security is now of such importance, grey areas are no longer acceptable. There needs to be certainty and clarity. In short, the compliance rules need to be black and white.
The European Union General Data Protection Regulation (EU-GDPR) comes into force on the 25th May 2018 and is designed to strengthen the privacy laws governing the data of EU citizens right around the world. Protecting PII, including image data which may allow individuals to be personally identified, is a central consideration and it brings CCTV data in scope of GDPR.
Here are the key facts about GDPR:
- The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens.
- In the case of the UK standing outside of the EU as a result of Brexit, the UK government has stated its intent to write GDPR into UK law in the next parliament. One of the reasons for this is to remove any potential barriers to trade and security post-Brexit, that might arise if the UK had a different data protection framework.
- The GDPR widens the definition of personal data, bringing new kinds of data under regulation. The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information.
- The GDPR tightens the rules for obtaining valid consent to using personal information. The GDPR requires all organisations collecting personal data to be able to prove clear and affirmative consent to process that data.
- The GDPR introduces mandatory privacy impact assessments (PIAs) to identify privacy breach risks and minimise risks to data subjects. The inclusion of PIAs is mainly due to the influence of the UK’s Information Commissioner’s Office (ICO).
- The GDPR introduces a common data breach notification requirement that harmonises the data breach notification laws in Europe. This is intended to ensure organisations constantly monitor for breaches of personal data. Organisations need to notify the local data protection authority of a data breach within 72 hours.
- The GDPR introduces the right to be forgotten. Organisations are not to hold data for any longer than necessary, and are not to change the use of the data from the purpose for which it was originally collected. Data must be deleted at the request of the data subject.
- The GDPR requires that privacy is included in systems and processes by design. Software development processes must factor in compliance with the principles of data protection. Essentially, all software will be required to be capable of completely erasing data.
- The GDPR allows any European data protection authority to act against organisations, regardless of where in the world the company is based. This enforcement is backed by significant fines for non-compliance of up to €20m or 4% of group annual global turnover.
CCTV, integrated security and your organisation’s GDPR compliance
Businesses and organisations operating CCTV and electronic surveillance systems need to consider:
- Conducting a Privacy Impact Assessment (PIA) to be sure all CCTV cameras serve a legitimate purpose.
- Allowing CCTV systems to be on / off switchable, where appropriate, so recordings of footage are not continuous. Audio and video need to be independent (on / off) from each other as well. Legitimate reasons for recording either or both need to be clearly established.
- Sound recordings should only be obtained only where absolutely necessary to support the legitimate reasons. The use of CCTV surveillance systems should not be ‘normalised’ in the working environment to record conversations between the public and employees.
- Recordings from CCTV systems need to be securely stored and access restricted to authorised personnel.
- CCTV recordings need to be of an appropriate quality to meet the purpose intended.
- Regular checks are needed to ensure date and time stamps recorded on images is accurate.
- Recording and playback functions need to provide access to recordings made in specified locations and times to comply with subject access requests from individuals in recordings or in response to police requests.
- Appropriate policies need to be in place so that employees know how to respond to requests from individuals or police for access to CCTV recordings.
- Ensuring appropriate security safeguards are in place to prevent interception and unauthorised access, either copying recordings or viewing.
- CCTV recordings that no longer serve a purpose need to be deleted. Clear documentation of the information retention policy which is clearly understood by CCTV system operators.
- The need for signage and the availability of other appropriate information. There is a need to notify individuals of surveillance information processing, such as their presence in an area where CCTV is in operation, and their rights of access to recordings/images of themselves.
Get certainty on GDPR compliance of CCTV with iC2
iC2 holds CCTV and security accreditations with NSI and BSI and all CCTV integrated security systems are installed, operated and maintained in full compliance with applicable regulatory codes and guidelines. GDPR is certainly going to pose some challenges. The regulations are yet another demonstration of the convergence of physical and digital security.
iC2 CCTV and surveillance compliance services help:
- Smaller businesses to meet their obligations while avoiding unnecessary cost and complexity
- Larger businesses to take complete control by understanding and meeting the compliance requirement in full
To find out more about how we can help you to get certainty on GDPR compliance and CCTV, simply get in touch today.