Guidance on the use of CCTV
Data controllers and Data Protection Officers (DPOs) should be aware that footage or images containing identifiable individuals captured by CCTV systems are personal data for the purposes of data protection law. Best practice is for data controllers to set out their position on the issues surrounding their use of CCTV in the form of a CCTV Data Protection Policy. Any CCTV policy that relates to a place of work should be brought to the attention of employees. The CCTV policy can also be published on an official website to inform members of the public who may attend the premises.
Before installing a CCTV system, the following questions should be considered:
- Purpose: Do you have a clearly defined purpose for installing CCTV?
- Lawfulness: What is the legal basis under Article 6 GDPR for your use of CCTV?
- Necessity: Can you demonstrate that CCTV is necessary?
- Proportionality: If your CCTV system is to be used for purposes other than security, are you able to demonstrate that those other uses are proportionate? A Data Protection Impact Assessment may be needed to adequately make these assessments.
- Security: What measures will you put in place to ensure that CCTV recordings will be stored safely and securely?
- Retention: How long will you retain recordings for, taking into account that they should be kept for no longer than is necessary for your original purpose?
- Transparency: How will you inform people that you are recording their images and ensure that they have access to the other information required under transparency obligations? A person whose images are recorded by a CCTV system must be able to access information about:
- The identity and contact details of the data controller;
- The contact details for the data protection officer, if one has been appointed;
- The purpose and legal basis for the processing;
- Any third parties to whom data may be disclosed;
- The security arrangements for the CCTV footage;
- The retention period for CCTV footage;
- The existence of data subject rights and the right to lodge a complaint with the DPC.
More information on the use of CCTV for Data Controllers, including case study examples can be found in our guidance note on the use of CCTV for Data Controllers.