GDPR & CCTV: a Quick but Comprehensive Guide to Compliance
GDPR & CCTV: what are the risks, and how do we avoid falling foul of the new regulations?
The first thing to say is that if your system has been designed properly and has been fitted in accordance with the System Design Proposal which your Licensed CCTV Installer is obliged to provide in advance of installation, then you have already gone a long way towards being compliant.
The purpose of the system and each camera will have been documented, as well as the proposed retention time of images.
As long as you can show a good reason for the coverage of an area, e.g. theft prevention or health and safety, then there should be no issue.
So why does CCTV fall under GDPR? Well, once your system is recording and retaining recognisable images, these are deemed to be “Personal Data”.
The Steps to Compliance:
- Be clear about the reason for having a camera in each area. Be careful that the reasonable expectation of privacy is not breached (e.g. CCTV in changing rooms or toilets).
- Have signage up which informs the public that there is CCTV and that they may enquire about their data protection by, for instance, contacting a manager.
- Appoint a Data Controller. This person is responsible for the dissemination of images and for ensuring that retained images are controlled. A retention period of 30 days is usually considered reasonable, but where longer retention is required, the reason for such retention (e.g. a dispute or incident) should be documented and a record kept of the medium and location of such images.
- A Data Processor is someone who downloads images from their primary source onto another medium, e.g. a USB stick, for further use or retention. There needs to be a specific reason for this, and a record of the date, reason and circulation should be kept. If you employ your CCTV company to do this, there should be written procedures in place.
- If somebody requests to see images of themselves captured by your CCTV, they have a right to do so, as this is deemed to be personal data. However, it should be noted that where other people can be seen and are recognisable in this footage, they should be blurred or redacted.
- If there is a request for footage from the Gardai, then this should be made in writing on official Garda headed paper. The written request should be retained. Where the Gardai are just asking to view the footage on the premises, this would not pose data protection issues.
- Ensure that, where a system is on a network, it is properly firewalled and password protected.
- Where access to the system is available on mobile devices or external PCs, ensure that this access is restricted and password protected, and that it is treated as securely as other sensitive data.
In summary, your main risk of breaches is complacency and open access to the system or retained footage.
Always ensure that only licensed contractors can work on the system and have a maintenance contract in place which covers data processing.
Make sure that access to the recorder, images and footage is restricted by a combination of password protection and physical security. Where employees have access, ensure that the protocols for use of such footage form part of the terms and conditions of employment (e.g. in the employee handbook or code of practice).
Crothers Security are happy to carry out an audit of your existing system, or answer any questions you may have.
Just call us on (01) 4567947 or contact us at firstname.lastname@example.org