Personal data according to the general data protection regulation (GDPR) refers to anything that can identify an individual including CCTV cameras. Footage can be used as surveillance to deter or identify intruders and if so, must be available to the Police as required. It must be stored securely and encrypted wherever possible.
GDPR is a new European regulation governing data protection but the UK is introducing a very similar piece of legislation which will apply after Brexit. Personal data includes CCTV footage, email marketing, social media posts, names including newsletter recipients, European cloud storage, IP addresses for websites as well as data already in scope under existing data protection law.
It allows individuals to request a copy of any CCTV footage where they are clearly identifiable. If the request is valid, the organisation must show the footage to the individual within 30 days. GDPR will take effect in just over three months’ time on 25 May this year, 2018, and businesses need to be ready. It is very important that organisations get the use of data right because they can face fines of up to 20 million Euros or 4% of global turnover if they get it wrong.
Individuals must give active consent that is, ‘freely given, specific, informed and unambiguous’ so implied consent will no longer be sufficient. Organisations must make CCTV cameras very obvious and may need to obtain further explicit consent from individuals to record them.
To remain on the right side of the law, organisations must make sure that they can switch CCTV on and off and access a specific recording upon request. Footage and sound recordings should be captured separately to avoid being excessive and must be stored securely. Take care with sound recordings because it is intrusive to record conversations of staff or the public unless there is a strong and explicit justification which is unusual.
Access to footage and sound should be restricted and safeguards need to be in place to prevent interception and unauthorised access. Footage should be deleted when it’s no longer necessary.
All CCTV footage needs to be underpinned by a written information retention policy that is understood by all operatives. Staff need to know how to respond to requests from individuals for access to footage and recordings. Individuals also need to know if they are in an area covered by CCTV and that they have a right to access recordings and footage.