How Is CCTV Affected By The New GDPR Legislation?

Posted by Ryan Blair on July 30th, 2018

Homes and businesses use CCTV for security and health and safety purposes, and many businesses use WiFi security cameras both outdoor and indoor to transmit images that are recorded. These images are personal data according to the newly introduced General Data Protection Regulation (GDPR) and come under data protection regulations. They need to be treated the same as other personal data held by a business.

Justifying the use of CCTV

GDPR requires all data that is held to be lawful and transparent. Most businesses will be using CCTV for lawful purposes to protect their business from intruders or prevent items being stolen. Fair use must be weighed up against the worker’s right to privacy, so obviously, cameras should not be used in bathrooms as this would be considered a breach of privacy. Businesses need to carry out privacy assessments that justify the processing of images.

Data protection legislation

Under data protection legislation, people being recorded on CCTV cameras need to be informed of this. This can be done through clearly visible signs that tell people they may be recorded.

In a comparable way to other data, people have the right to access their data. This can be tricky on CCTV footage that shows more than one person. If there are images of the person requesting the data, they have the right to see the recordings, but if there are other people on the same images, they have the right to their privacy. A way around this is to use technology that blurs other people so that they cannot be recognised.

The police have the right to see footage to identify people or vehicle number plates.

Images cannot be kept indefinitely, though the law is vague about the maximum time they can be kept.

Encryption

Only authorised persons can have access to the footage recorded. To prevent unauthorised access, the data should be encrypted and accessed with passwords or other forms of identification technology.

If footage is kept on memory cards, discs or tapes, these should be stored securely in locked enclosures and any access recorded.

GDPR and home CCTV

People using surveillance cameras for home use are also covered by GDPR. IP cameras can be accessed on smartphone apps via the internet. Non-members of the household should not have access to the video images transmitted to the app. Phones should be password or fingerprint protected so that non-authorised people cannot easily access them.

Everyone recorded by the cameras is entitled to have access to their video data. Tradesmen and delivery drivers filmed at your entrance door could request access, and in theory, even an intruder filmed in your home could want access to their footage.

In practice, if you’re setting up a wireless security camera system for home use, you should not expect any data access requests. Even though home cameras are covered by GDPR, you do not need to register yourself or your CCTV system with any authority. It is, however, a good idea to display signs warning people that they may be recorded. This in itself could also deter intruders.