Case Studies Data Breach Notification

 

CCTV policies and procedures

A customer of a restaurant lost their belongings while on the premises. They then requested that a staff member provide them with access to the restaurant's CCTV footage to assist in finding out what happened to their belongings.

The staff member, using their phone, took a photo of the footage and then allowed the customer to view the image. However, the staff member:

  1. Did not prevent the customer from using their mobile phone to take a copy of the image.
  2. Did not log the customer's contact details should the need arise to make contact relating to the image.

Having become aware of the incident, the restaurant manager submitted the breach as low risk. However, following a DPC risk analysis, the risk level was increased to high due to the lack of internal controls and policies in place.

When the owner/occupier of a premises installs a CCTV system, having justified it as a necessary and proportionate measure, they as a data controller must give due consideration to the safe storage of personal data and the implementation of appropriate security measures. Data controllers are obliged to implement technical and organisational measures to ensure that personal data are kept secure from any unauthorised or unlawful processing and accidental loss, destruction or damage. In this case, the staff member should not have allowed the individual to take a photo of the image.

The restaurant was not able to mitigate the risks associated with this breach, as it was unable to contact the customer to request or confirm the deletion of the image from all locations.

The DPC engaged with the restaurant and advised that it should review its CCTV policies and procedures. In particular, the DPC drew the restaurant's attention to risk factors around:

  1. Authorisation of access to CCTV footage.
  2. Restrictions and logging of any duplication of CCTV footage.
  3. Awareness training for staff on the risks involved in the sharing of CCTV footage. This should be clearly called out in the restaurant's CCTV usage policy.

Key Takeaway

  • The use of CCTV within any organisation should be underpinned by appropriate policies and guidance, and enforced through training and awareness, to ensure that there is an appropriate level of security to mitigate any risks that may arise.