CCTV: Data protection – your responsibilities

In the UK this means complying with the Data Protection Act 2018 (DPA 2018), which incorporated the General Data Protection Regulation (GDPR). The Information Commissioner’s Office (ICO) enforces the law upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Padlock on a digital background

Data Protection Impact Assessment Required

Before you install a CCTV system you should carry out a data protection impact assessment on the impact to people’s privacy. If you determine that CCTV will not be overly intrusive, you should then put a policy in place describing how you will use it. Companies should then regularly review whether CCTV is still the best security solution.

Issues to consider in respect of privacy include the siting of cameras. For example, if the cameras are likely to overlook any areas which people would regard as private such as a neighbour’s garden you would look to avoid this, or restrict their fields of view or movement to minimise intrusion.

Internally you also need to consider the placement of cameras in areas that people would expect more privacy such as locker rooms or social areas. Additionally, if your business is sited in a mixed or multiple-use location, consider the privacy concerns of the users of any common spaces.

The ICO says you also ought to consider the differing impacts of camera technologies. For example, a fixed camera might be more appropriate than a Pan-Tilt-Zoom. A system that records sound will be significantly more intrusive and harder to justify than one without that capability.

Importance of image quality

The ICO states that organisations should select a system which produces high quality, clear images which law enforcement bodies, usually the police, can use to investigate crime. Additionally, the cameras should be located so you can provide the clearest images. For example, be aware of tree and plant growth or other obstructions which might interfere with cameras’ views.

Going forward you should also carry out regular checks to ensure that the system is continuing to produce high quality images. Ensure that system settings do not compromise quality – for example on a modern digital system ensure the overwrite cycle is not too long and degrades footage as the system trades resolution for recording time.

Don’t forget to register with the ICO

If you hold or store any kind personal data you will have to register with the ICO so if you haven’t already you will definitely have to do so if you have a CCTV system. Additionally, while there are exemptions, if your business uses non-domestic CCTV systems you are likely to need to pay a data protection fee. The cost of the fee depends on your size and turnover. There are three tiers of fee ranging from £40 and £2,900, but for most organisations the ICO says it will be £40 or £60. It is worth noting that charities, who are likely to be exempt from paying a fee for other data collection, must pay one if they operate a CCTV system.

To help with your GDPR compliance sign up to the CCTV System Compliance portal on CCTV Logbook now.