by Anne Reily, Founder and CEO of PaycheckPlus
Personal data can be captured using CCTV cameras – any video, images or audio that can be used to identify an individual is subject to the Data Protection Acts. If you use a CCTV system for your business you are likely considered a data controller and therefore have significant responsibilities. So businesses using CCTV cameras must make themselves aware of their data protection obligations. Here are some details and recommendations / expectations that will help you comply with data protection regulations.
Before introducing a CCTV system on your business premises you need to be able to justify its presence and consider what will actually be captured.
Can you justify the CCTV system and what data will be captured?
Businesses must be able to justify obtaining personal data through a CCTV system and also justify the use of the personal data. This can be easily done if the system is for security reasons; however, it gets a lot more difficult if it’s used to monitor employees or customers etc., as this is more intrusive.
All of the data captured needs to be considered, including the data that’s not relevant to the intended purpose of the CCTV system. A case study provided by the Data Protection Commissioner highlights a case where Luas CCTV cameras overlooked private property; this was outside of the intended purpose of the system and had to be rectified (details here). You should ask yourself whether people in the areas captured by the CCTV system have an expectation of privacy and whether you are capturing no more than is appropriate for the purpose of the system.
Data Protection Commissioner Recommendations / Expectations
The Data Protection Commissioner expects / recommends the following to be carried out and documented:
- A Risk Assessment
- A Privacy Impact Assessment
- A Specific Data Protection policy drawn up for use of the devices in a limited and defined set of circumstances only (this policy should include a documented data retention and disposal policy for the footage)
- Documentary evidence of previous incidents giving rise to security/health and safety concerns
- Clear signage indicating image recording in operation
Before recording, certain information must be supplied to data subjects. The Data Protection Commissioner details that:
A written CCTV policy must be in place and should include the following information:
- the identity of the data controller;
- the purposes for which data are processed;
- any third parties to whom the data may be supplied;
- how to make an access request;
- retention period for CCTV;
- security arrangements for CCTV.
Notification of CCTV usage can usually be achieved by placing easily read and well-lit signs in prominent positions. A sign at all entrances will normally suffice.
If the purpose of the CCTV system is obvious, e.g. for security reasons, all that is required is a sign noting contact details and highlighting that CCTV is in operation. However, if the reason is less obvious, e.g. for monitoring employee conduct, then the data subjects must be made aware of the existence and purpose of the CCTV system. A case study provided by the Data Protection Commissioner highlights a case where covert recording and out-of-scope data use caused issues for a business and their employee; click here for details.
Other expectations / recommendations
- Don’t keep the data longer than necessary for the intended purpose
- Store the data securely
- Maintain an access log
- Only allow authorised access
- Be prepared for access requests
- Be prepared to obscure (e.g. pixelate) other individuals
- If a security company is used, ensure that appropriate contracts are in place (e.g. an SLA that ensures that your data is processed appropriately in the event of a request being made etc.)
Crucially, data protection legislation is going through radical changes; be sure that you’re prepared. Find details of the changes and what impact they will have on payroll personnel, along with details on how to prepare here.