Read our Essential Guide to CCTV Operation & GDPR | Wirehouse
With GDPR legislation coming into effect on 25th May, all organisations need to be working on their compliance, ensuring that the data protection measures they currently have in place are not only adequate today but also in line with the new rules, which place more obligations on organisations of all sizes to protect individuals’ personal data and to process it lawfully. CCTV operation processes personal data on a large scale, usually for monitoring or surveillance; any organisation using CCTV would therefore be advised to undertake a data protection impact assessment (DPIA) to decide whether its current usage complies with the GDPR legislation. A DPIA should be carried out at the outset of any new CCTV installation or any change of purpose for the CCTV usage.
Why is the use of a DPIA of paramount importance?
Not only do you have to document your processing activities where they relate to personal data, but a DPIA will also allow you to determine the risks of the operation and whether you can treat, terminate, transfer or tolerate each of them. It could be the difference between complying with the legislation and falling foul of it. Whilst the ICO want to use fines as a last resort, they do have the power to impose fines of up to £20 million or 4% of global turnover, and data subjects also have the right to take organisations to court if their rights are breached.
The two contrasting cases below highlight the importance of a DPIA rather than rushing into CCTV installation. These claims relate to a breach of the right to private life under Article 8 of the European Convention on Human Rights and the use of covert cameras; however, they still show the importance of a DPIA and how it could make the difference to the financial risk faced by any organisation. The relevant point here is that one employer limited the usage to what was necessary, whereas the other didn’t.
- López Ribalda v. Spain – There was held to be a breach.
- Köpke v. Germany – There was not held to be a breach.
Both cases involved supermarkets which implemented covert cameras to try to capture employee theft of company property. In López Ribalda, it was found that a fair balance had not been struck between the employees’ rights and the employer’s legitimate interests, whereas in Köpke it was found that a fair balance had been struck, as the interference with the employee’s private life was restricted to what had been necessary in order to achieve the aims.
Main differences between the cases – In López Ribalda, the surveillance was based on a general suspicion of all staff, and therefore recorded all staff, over all working hours, over a prolonged period with no time limit. In Köpke, it was limited to the recording of specific employees who were suspected of theft, limited to a time period of 2 weeks and only covered the area surrounding the cash desk.
It’s important to remember that these cases are pre-GDPR; we therefore can’t guarantee that the results would be the same in terms of sufficiency in showing ‘legitimate interests’ in any claim brought for a breach of data protection rights under the new legislation, or that the ICO would reach the same conclusions.
Key Issues to Consider
- Data minimisation – Are you collecting any personal data you don’t actually need in order to fulfil your purpose? For example, if imagery is enough, you shouldn’t record audio.
- Is the installation of CCTV necessary, or is there any other reasonable and less intrusive way to fulfil your purpose?
- You need to be confident in your ‘lawful basis’ for processing personal data in this way. Under GDPR, there are 6 lawful bases to rely on.
- Do you have a Legally Compliant Privacy Notice in place? You need to let data subjects know a variety of specific things about your collection of their personal data (anything that identifies them). The above cases involved covert cameras but in the majority of instances, organisations need to be completely transparent about their CCTV operation.
- Retention – Don’t retain recordings for longer than you have deemed necessary to fulfil the purpose.
- Put technical and organisational measures in place to maintain the security of the recordings.
- “Accountability” – GDPR places obligations on organisations to outline, in writing, their processing activities involving personal data.
It’s important to remember that GDPR doesn’t just apply to your employees’ personal data. This article is written from an HR perspective, but you also need to be mindful of CCTV operation covering your customers, visitors or any other third party, including the general public.
Wirehouse now have a separate GDPR Service to advise you on your compliance project. If you want any further information or more detail on any of the above, please contact Joanne Kay, our GDPR Practitioner, for a full outline of the services we offer. We also have a range of templates, including DPIAs, example privacy notices and more information on lawful bases, for our GDPR clients.