Data Protection Commissioner
Data Protection Commissioner

Frequently Asked Questions - FAQ

6. Use of CCTV


6.1 What issues surround the use of CCTV?

All usage of CCTV other than in a purely domestic context must be undertaken in compliance with the requirements of the Data Protection Acts.  Extensive guidance on this issue is available at https://www.dataprotection.ie/viewdoc.asp?m=m&fn=/documents/guidance/cctv.htm.  In summary all uses of CCTV must be proportionate and for a specific purpose.  As CCTV infringes the privacy of the persons captured in the images there must be a genuine reason for installing such a system.  If installing such a system, it is required that the purpose for its use be displayed in a prominent position.  In a shop or store context this would normally be at the entrance.


The images captured should be retained for a maximum of 28 days, except where the image identifies an issue and is retained specifically in the context of an investigation of that issue.


Tapes should be stored in a secure environment with a log of access to tapes kept. Access should be restricted to authorised personnel. Similar measures should be employed when using disk storage, with automatic logs of access to the images created.

 

6.2 What if I am asked by a law enforcement authority for access to the CCTV footage?

If a law enforcement authority, such as An Garda Síochána, is seeking a recording for a specific investigation, it is up to the data controller to satisfy itself that there is a genuine investigation underway. For practical purposes, in cases of urgency a phone call to the requesting Garda's station may be sufficient, provided that you speak to a member in the District Office, the station sergeant or a higher ranking officer, as all may be assumed to be acting with the authority of a District/Divisional officer in confirming that an investigation is authorised.  In all situations, it is advised that the disclosure of such recordings is best handled in response to a formal written communication from the Gardaí indicating that the material is sought for the prevention, investigation or detection of a crime.


6.3 What if I am asked for a copy of CCTV footage?

 
1.       Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage. To exercise that right, a person must make an application in writing. The data controller may charge up to €6.35 for responding to such a request and must respond within 40 days.
 
2.       When making an access request for CCTV footage, the requester should provide the data controller with a reasonable indication of the timeframe of the recording being sought - i.e. they should provide details of the approximate time and the specific date(s) on which their image was recorded. For example, it would not suffice for a requester to make a very general request saying that they want a copy of all CCTV footage held on them. Instead, it is necessary to specify that they are seeking a copy of all CCTV footage in relation to them which was recorded on a specific date between certain hours at a named location. Obviously, if the recording no longer exists on the date on which the data controller receives the access request, it will not be possible to get access to a copy. Requesters should be aware that CCTV footage is usually deleted within one month of being recorded.
 
3.       For the data controller's part, the obligation in responding to the access request is to provide a copy of the requester's personal information. This normally involves providing a copy of the footage in video format. In circumstances where the footage is technically incapable of being copied to another device, or in other exceptional circumstances, it is acceptable to provide stills as an alternative to video footage. Where stills are supplied, it would be necessary to supply a still for every second of the recording in which the requester's image appears in order to comply with the obligation to supply a copy of all personal data held. 
 
4.       Where images of parties other than the requesting data subject appear on the CCTV footage the onus lies on the data controller to pixilate or otherwise redact or darken out the images of those other parties before supplying a copy of the footage or stills from the footage to the requestor. Alternatively, the data controller may seek the consent of those other parties whose images appear in the footage to release an unedited copy containing their images to the requester
 
5.       Where a data controller chooses to use technology to process personal data, such as a CCTV system to capture and record images of living individuals, they are obliged to shoulder the data protection obligations which the law places on them for such data processing. In the matter of access requests for CCTV footage, data controllers are obliged to comply fully with such requests. Claims by a data controller that they are unable to produce copies of footage or that stills cannot be produced from the footage are unacceptable excuses in the context of dealing with an access request. In short, where a data controller uses a CCTV system to process personal data, its takes on and is obliged to comply with all associated data protection obligations.

6.4  Can my school introduce a new CCTV system?

CCTV may be used legitimately for security related purposes at the perimeter of a school.  Any use beyond this would need to be fully justifiable and evidence-based with a very high threshold for such evidence.  This is particularly the case in a school environment as most of the personal data processed will relate to minors.

6.5 Can I install CCTV in my taxi?

There are a number of data protection implications regarding the installation of CCTV in taxis as the footage recorded would be considered to be personal data under the Acts. In general, this Office would have a concern about the proportionality and justification of installing CCTV cameras in taxis taking account of the legitimate privacy expectations of vehicle users. Our general guidance is that while a balance must be struck between the privacy considerations of the service users and the legitimate interests of an organisation to protect its business, the continuous recording of passengers in taxis is not compliant with the data protection legislation.


However, this Office is aware that certain taxis have introduced CCTV and it is assumed therefore that they have done so having assessed the proportionality conditions above. Where this is the case we would expect that the footage, given its extremely invasive nature, would be generally restricted from access and deleted on a rolling basis after 24 hours, except where there is a need to retain it in response to a specific instance. Other conditions in relation to prominent notices of such recording would also need to be met. This Office does not accept that it is ever proportionate to use audio recording (recording conversations) in a taxi.