Why is this important?
Recognisable images captured by CCTV systems are personal data and therefore subject to the Data Protections Acts 1988 and 2003. Companies that use CCTV systems need to be able to justify the obtaining and use of personal data by means of CCTV systems.
The updated guidance note recently issued by the DPC (Guidance Note) clarifies the DPC’s position on the use of such systems (see https://www.dataprotection.ie/docs/Data-Protection-CCTV/242.htm). For example, use of CCTV systems for security purposes will be easier to justify than using CCTV systems to monitor employees, students or customers.
We use a CCTV System – what does this mean?
The DPC expects those that use CCTV systems to carry out detailed assessments as to how the use of CCTV is justified. This would involve carrying out the following:
- A risk assessment
- Privacy impact assessment
- Document evidence of previous incidents giving rise to security/health and safety concerns
- Use of clear signage indicating image recording in operation.
In addition, a CCTV policy should be drawn up which includes:
- The identity of the data controller
- The purposes for which data are processed
- Any third parties to whom the data may be supplied
- How to make an access request
- Retention period for CCTV
- Security arrangements for CCTV.
Next step for companies
Companies that use CCTV systems should review their use and make any changes necessary to comply with the Guidance Note. For example:
- Companies that monitor employees using CCTV in areas where they work or congregate should review their employment policies or staff handbook to ensure that CCTV use is dealt with in line with the Guidance Note; and
- Companies that outsource CCTV to third parties (such as security companies) should review their contracts with such providers.