We live in a surveillance society.
CCTV and other forms of video surveillance are increasingly common in workplaces. These technologies are frequently used to monitor areas such as building entrances, lifts, workstations and factory floors, but as the use of these technologies grows, businesses must continue to ensure that they are being used fairly and lawfully.
Before collecting any footage, businesses should think carefully about the reasons for collecting surveillance footage. This process should start by asking some simple questions - “Why is this video surveillance needed?”, “Does this use of surveillance achieve our aims?” “What laws do we need to comply with?”
In this article we explain the steps you should take to ensure your use of video surveillance keeps you on the right side of the United Kingdom’s data protection laws.
What laws apply?
While a variety of laws can apply to the collection of video images, businesses must principally comply with the United Kingdom’s data protection laws.
Video recordings are classed as “personal data” under the United Kingdom’s data protection laws and organisations that collect surveillance footage must comply with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018).
These laws dictate how you should collect, use and dispose of personal data contained within the video footage collected.
What do organisations need to do to comply with these laws?
If your business is looking to use video surveillance for the first time or is reviewing its use of video surveillance practices, you should take the following steps:
Step 1 - conduct a risk assessment: this is known as a Data Protection Impact Assessment (“DPIA”) and allows you to assess the reasons you are using video surveillance and how you can mitigate the personal data risks involved.
Step 2 – update your privacy notices: you should clearly inform employees and visitors about your use of surveillance technologies and the reasons why this footage is collected. This notice should also tell them about what rights they have in relation to the footage you are collecting.
Step 3 - erect signage: you should install clear and visible signage that informs individuals that cameras are in operation.
Step 4 - create a clear and well-communicated CCTV policy: this should outline your internal purpose for collecting video surveillance, the length of time footage will be retained for, and the procedures for staff accessing and reviewing footage.
Step 5 – training and review: you should train staff on the use of CCTV to ensure your system is manged safely and securely. This will ensure you only collect the footage necessary to achieve your objectives.
Step 6 - notify the ICO: you will need to inform the Information Commissioner’s Office and pay a fee. This is quick and easy to do on the Information Commissioner’s website.
If you would like to introduce video surveillance or refresh your organisation’s approach to the use of video surveillance, please speak to a member of the Shepherd and Wedderburn data protection team who would be happy to assist.