This blog post will help you ensure your CCTV system is ICO compliant, covering the installation, management, operation, public awareness and signage of your organisation’s CCTV system.

Step 1: Installation

Perform a data protection impact assessment. Your business should identify and document any possible impact on individuals’ privacy. You must take this into account when installing and operating a CCTV system. A regular review must be conducted to assess whether CCTV is still the best security solution. 

Once you have determined the purpose for which your business will be processing personal data, you must pay the ICO a data protection fee unless you are exempt. If your business uses non-domestic CCTV systems, it is likely that you will need to pay a fee. There are three different tiers of fee, between £40 and £2,900. The fee depends on the size of your business, your turnover and, in some situations, the type of business you are. If you would like more information on this, the ICO has published more detailed guidance on its website.

Step 2: Management

Governance: Your business has a policy and/or procedure covering the use of CCTV and has appointed an individual who is responsible for the operation of the CCTV system. The policy should cover the purposes for which you are using CCTV and how you will use this information, including guidance on recording and disclosures. 

Requests for personal data: Your business has developed a process to recognise and reply to individuals or organisations requesting copies of the images on your CCTV footage and to promptly seek guidance from the Information Commissioner if there is any uncertainty. Your organisation must be aware of people’s right to request a copy of their image and be prepared to handle such requests. In many instances, images of any third parties present in the CCTV footage must be redacted – this can be done quickly through a software product such as Pixelate by Ocucon (learn more on our website: https://ocucon.com/pixelate/).

Training: Ensure that all relevant staff are aware of your CCTV policy and procedures, and train them where necessary.

Step 3: Operation

Retention: Your business should retain data for the minimum time that is necessary for its purpose and dispose of it appropriately when no longer required. The ICO’s guidance on the retention period for data is that this time frame should reflect how long your business needs the data for its purposes. Furthermore, the ICO advises that your business should undertake systematic checks in order to ensure compliance with the retention period in practice. The ICO notes that long retention periods can affect the quality of the footage with modern cameras recording to hard disks. However, if your business is storing CCTV footage on a secure cloud platform like Cloud by Ocucon, this will not be a concern.

Data Quality: Your business should ensure that the CCTV images are clear and of a high quality. You should select a system which produces high quality, clear images. The ICO advises that you should situate your CCTV cameras in the best location possible to ensure that they provide clear images.

Data Security: Your business should ensure that CCTV images are securely stored, access is limited to only authorised individuals, and that checks are regularly carried out on the CCTV system to ensure it is working properly. 

Step 4: Public awareness and signage

Your business should clearly inform individuals of your use of CCTV. This can be done by displaying signs in clear view that show that CCTV is in operation. Where applicable, you should also outline the use of CCTV and its purposes on your company’s website.