Following the implementation of the EU GDPR and the UK’s corresponding 2018 update to the Data Protection Act, the processing of Personally Identifiable Information (PII) now includes personal data in the form of an image. This means if you can identify individuals by the images captured on your CCTV system, then this video surveillance must meet the same rigorous data protection requirements as any other system that’s processing PII.
The impact of the GDPR when considering the use of video surveillance is far reaching. It’s why data security is a crucial part of systems integration and why you must have a lawful basis for processing personal data via your CCTV system. This all needs to be considered, whether you’re installing a new system or if you’re already using video surveillance.
Which lawful basis is applicable?
A lawful basis might be protecting the vital interests of data subjects or when processing is carried out in the interests of the public, but these would typically only be applicable to specific data controllers. For example, body-worn cameras used by the police.
For most businesses, it’s likely that the appropriate lawful basis for using video surveillance will be the legitimate interest of the organisation. Examples of legitimate reasons for processing personal data include the prevention and detection of crime, safeguarding staff and visitors, ensuring compliance with health and safety procedures, and improving productivity.
However, you still need to justify this against the area of coverage. The rights and freedoms of data subjects cannot be ignored, especially in the case of legitimate interests. Even inside a work premises, employees have a right to privacy.
You should have prominent signage in areas where CCTV cameras are operating. Their purpose should also be described in a privacy notice – the GDPR requires that the reasons for processing are noted clearly and unambiguously.
Assessing the impact on privacy
You should consider the reasons for using video surveillance objectively as part of an assessment of the system’s impact on people’s privacy. The principle of Privacy by Design is underpinned by the GDPR and if you’re considering installing new surveillance cameras or making changes to an existing video surveillance system, then you should conduct a Data Protection Impact Assessment (DPIA).
In fact, the Information Commissioner’s Office (ICO) code of practice advises that you should regularly evaluate whether it is necessary and proportionate to use your CCTV system. Does your lawful basis for processing still stand up?
If any aspect of your approach to video surveillance was challenged, under the GDPR you must be able to demonstrate the legitimate grounds for processing. Would you be able to reference documentation that would show the ICO that the processing of personal data and the impact on privacy has been carefully considered?
Working with an experienced, industry-accredited systems integrator can make all the difference to not only the quality and performance of your CCTV system, but also in ensuring compliance with the GDPR.
Contact us for further advice regarding the lawful basis for processing personal data with your new or existing IP-based CCTV system.
