This blog post offers guidance for individuals and organisations looking for steps that they can take to ensure that their CCTV system is ICO compliant, covering the installation, management, operation, public awareness and signage of your organisation’s CCTV system.
Step 1: Installation
Perform a data protection impact assessment: Your business should identify and document any possible impact on individuals’ privacy. You must take this into account when installing and operating a CCTV system. A regular review must be conducted to assess whether CCTV is still the best security solution.
Pay a fee: Once you have determined the purpose for which your business will be processing personal data, you must pay the ICO a data protection fee unless you are exempt. If your business uses non-domestic CCTV systems, it is likely that you will need to pay a fee. There are three different tiers of fee, between £40 and £2,900. The fee depends on the size of your business, your turnover and, in some situations, the type of business you are. If you would like more information on this, the ICO has published more detailed guidance on the ICO website.
Step 2: Management
Governance: Your business has a policy and/or procedure covering the use of CCTV. It has appointed an individual who is responsible for the operation of the CCTV system. The policy should cover the purposes for which you are using CCTV and how you will use this information, including guidance on recording and disclosures.
Requests for personal data: Your business has developed a process to recognise and reply to individuals or organisations requesting copies of the images on your CCTV footage. In the case of uncertainty, promptly seek guidance from the Information Commissioner. Your organisation must be aware of people’s right to request a copy of their image. It must also be prepared to handle such requests. In many instances, images of any third parties present in the CCTV footage must be redacted. Video redaction can be done quickly through a software product such as Pixelate.
Training: Ensure that all relevant staff are aware of your CCTV policy and procedures. Then train them where necessary.
Step 3: Operation
Retention: Your business should retain data for the minimum time that is necessary for its purpose. It should dispose of it appropriately when no longer required. The ICO’s guidance on the retention period of data is that this time-frame should reflect how long your business needs the data for its purposes. Furthermore, the ICO advises that your business should undertake systematic checks in order to ensure compliance with the retention period in practice. The ICO notes that long retention periods can affect the quality of the footage with modern cameras recording to hard disks. However, if your business is storing CCTV footage on a secure cloud platform like Ocucon, this will not be a concern.
Data Quality: Your business should ensure that the CCTV images are clear and of a high quality. You should select a system which produces high quality, clear images. There is an array of CCTV system comparison tools; we like the one provided by IPVM. The ICO advises that you should situate your CCTV camera(s) in the best location possible to ensure image clarity.
Data Security: Your business should ensure that CCTV images are securely stored and that access is limited to authorised individuals only. It should regularly carry out checks on the CCTV system to ensure it’s working properly.
Step 4: Public Awareness & Signage
Public awareness and signage: Your business should clearly inform individuals of your use of CCTV. Display signs in clear view that show that CCTV is in operation. Where applicable, you should also outline the use of CCTV and its purposes on your company’s website.
Scroll down to view a helpful checklist that we created as a resource for our readers…