The majority of offices use CCTV as part of their security measures to protect the perimeter of buildings and/or to monitor restricted areas. There is nothing wrong with doing this, provided that you establish a legal basis for processing the personal data (images), tell people what it is used for, and meet any requirements laid down by local legislation; in the UK, the Surveillance Camera Commissioner has the surveillance camera code of practice.
The lawful basis is probably going to be legitimate interest – Article 6 (1) (f) in the General Data Protection Regulation (GDPR). The privacy rights of individuals should be outweighed by the organisation’s legitimate interest in protecting the building and secure areas and in providing evidence if someone attempted or managed to gain entry.
So how do you confirm this is the case? The first step is to complete a Legitimate Interest Assessment to validate the legitimate interest. See References below on where to get a template for this. The next step is a Data Protection Impact Assessment (DPIA) to assess and mitigate any privacy issues, e.g. the location and positioning of cameras, who can access the images and how long they are retained. See References below on where to get a template for this.
One of the actions that will come out of the DPIA is to be transparent on what is being done – tell people that video surveillance is in operation. The recent guidance from the European Data Protection Board (EDPB) on the processing of personal data through video devices is to use a ‘layered’ approach.
The first layer is a warning sign that isn’t hidden away (or dirty!). The guidance says it should:
- be positioned at a reasonable distance from the places monitored in such a way that the data subject can easily recognize the circumstances of the surveillance before entering the monitored area (approximately at eye level). It is not necessary to specify the precise location of the surveillance equipment as long as there is no doubt as to which areas are subject to monitoring
- convey the most important information, e.g. the details of the purposes of processing, the identity of controller and the existence of the rights of the data subject, together with information on the greatest impacts of the processing. This can include the legitimate interests being pursued and contact details of the data protection officer (if applicable). It also has to refer to the more detailed second layer of information and where and how to find it
- contain any information that could surprise the data subject, e.g. transmissions to third parties, particularly if they are located outside the EU, and the storage period. If this information is not indicated, the data subject should be able to trust that there is solely live monitoring (without any data recording or transmission to third
The guidance gives an example of what this could contain.
The second layer provides full details about the processing and rights of data subjects. It needs to meet the requirements defined in Article 13 of the GDPR. The EDPB guidance says this should:
- be made available at a place easily accessible to the data subject, for example as a complete information sheet available at a central location (e.g. information desk, reception or cashier) or displayed on an easily accessible poster
- be easily available non-digitally
- be possible to access the second layer information without entering the surveyed area. This can be achieved for example by a link or any other appropriate means like a phone number that can be called on the first layer notice
And finally, don’t forget to include CCTV in your GDPR Article 30 Records of Processing Activities.
References:
- ICO – Legitimate Interest Assessment template
- Surveillance Camera Commissioner – Surveillance camera code of practice
- Surveillance Camera Commissioner – Data Protection Impact Assessment template
- EDPB guidelines on the processing of personal data through video devices