CCTV

Data protection law covers the use of CCTV. This checklist help you to assess the compliance of your CCTV systems including the installation, management, operation, public awareness and signage

Step

Privacy impact assessment

Your business decided to install CCTV cameras as the best solution to a clearly defined problem. Your business regularly reviews whether CCTV is still the best solution to the problem. Your business has identified and documented the potential impact on individuals’ privacy and taken this into account when installing and operating the system. For example, you have positioned cameras to avoid capturing images of people not visiting your premises.

Your business has registered its CCTV processing with the the supervisory authority.

Step

Governance

Your business has a policy and/or procedure about the use of CCTV. Your business has nominated an individual who is responsible for the operation of the CCTV system.

A policy will help you to use CCTV consistently. The policy should cover the purposes you are using CCTV for and how you will handle this information, including guidance on disclosures and recording them. It is good practice to assign day-to-day responsibility for CCTV to an appropriate individual. They should ensure that your business sets standards, has procedures and that the system complies with legal obligations including individuals’ rights of access.

Step

Requests for personal data

Your business has established a process to recognise and respond to individuals making requests for copies of their own images and to seek prompt advice from the Information Commissioner where there is uncertainty. Your business does not provide images to third parties other than law enforcement bodies.

Be aware of people’s right to request a copy of their image (including staff) and be prepared to deal with these. These rights exist for both staff and customers. Have a clear policy already in place that will help you deal with requests much more effectively. An individual should not have any greater difficulty in requesting their data when this is an image compared to a document or computer file. Providing information promptly is important, particularly if you have a set retention period which conflicts with the statutory 40 calendar day response period. In such circumstances it is good practice to put a hold on the deletion of the information. When dealing with subject access requests you should carefully consider information about third parties, just as you would be if they were mentioned in a document or computer file that was the subject of a request. Keeping an accurate log of subject access requests you receive and how they have been handled is valuable in helping manage requests and in case your handling is challenged.

Step

Training

Your business trains its staff (to ensure that they have sufficient understanding of how) to operate the CCTV system and cameras (if applicable). Your business trains its staff to recognise requests for CCTV information/images.

Make all relevant staff aware of your CCTV policy and procedures and train them where necessary. For example: • All staff who are authorised to access the cameras should be familiar with the system, and with the processes for reviewing footage and extracting it if required. • All staff should be familiar with procedures for recognising and dealing with requests for personal data. • All staff should be familiar with the likely disciplinary penalties for misuse of the cameras. • Where a staff member’s role explicitly includes monitoring of CCTV – for example a security guard, ensure that appropriate training standards are met and recorded (such as SIA qualifications)

Step

Retention

Your business only retains recorded CCTV images for long enough to allow for any incident to come to light (eg for a theft to be noticed) and to investigate it.

You should retain data for the minimum time necessary for its purpose and dispose of it appropriately when no longer required. The retention period should not be based merely on the storage capacity of the system, but reflect how long the data is needed for the purpose. You may need to retain information for a longer period, if a law enforcement body is investigating a crime and asks you to preserve it, to give them opportunity to view the information as part of an active investigation. You should delete it when it is not necessary to retain, for example, it does not achieve the purpose for which you are collecting and retaining information. You should implement controls including: • Document your information retention policy for CCTV information and ensure it is understood by those who operate the system. • Implement measures to ensure the permanent deletion of information through secure methods at the end of the retention period. • Undertake systematic checks to ensure that the retention period is being complied with in practice. In addition it is worth noting that long retention periods can affect the quality of the footage with modern cameras recording to hard disks.

Step

Data quality

Your business has selected a system which produces high quality, clear images which law enforcement bodies (usually the police) can use to investigate crime. Your business can easily extract these images from the system when required. Your business has sited its CCTV cameras to ensure that they provide clear images. Your business carries out regular checks to ensure that the system is producing high quality images.

Ensure the quality of the footage is fit for purpose, and ensure that system settings do not compromise quality – for example on a modern digital system ensure the overwrite cycle is not too long and degrades footage as the system trades resolution for recording time. Be aware of tree and plant growth or other obstructions which might interfere with cameras’ views.

Step

Data security

Your business securely stores CCTV images and limits access to authorised individuals. Your business regularly checks that the CCTV system is working properly.

You must sufficiently protect all information to ensure that it does not fall into the wrong hands. Poor security can lead to your cameras’ feeds being viewed by criminals, or being hijacked by them for use in computer botnets. Security precautions should include technical, organisational and physical security. For example: • Protect wireless transmission systems from interception. • Restrict the ability to view or make copies of information to appropriate staff. • A secure space where footage is stored. • Staff training in security procedures and sanctions against staff who misuse surveillance system information. • Establish appropriate controls if the system is connected to, or made available across, a computer network. Internet-protocol (IP) cameras should be protected by firewall and router controls, and wherever possible default passwords should be changed. • Apply any software updates (particularly security updates) published by the equipment’s manufacturer to the system in a timely manner. Modern IP camera manufacturers issue security advisories and fixes to security problems, and users should keep these patched and up to date just as much as their other computer equipment. • Protect the recorded footage from a CCTV, whether tapes or hard disk, and against access by any unauthorised person, whether an unauthorised staff member or an outsider. • Store any data you have collected securely, for example by using encryption or another appropriate method of restricting access to the information.

Step

Fair processing

Your business clearly displays signs showing that CCTV is in operation. Where it is not obvious who is responsible for the system, contact details are displayed on the sign(s). Your business outlines the use of CCTV and its purposes on its website (where applicable).

Make signs the right size and location so that a person is aware that they are being observed, and given as much warning as possible. Such transparency may also have a deterrent effect in itself.