The use of CCTV (Closed Circuit Television) for surveillance and security purposes is now widespread. What people may not realise is that the recording of a persons image is considered recording personal data. Furthermore, the quality and sophistication of CCTV systems now mean that faces, images and recordings may be clearly recorded.
This means that the Data Protection Acts apply to the obtaining and use of such data. It is essential that CCTV is used with proper care and consideration so that an individual’s privacy is not unreasonably invaded.
The Office of the Data Protection Commissioner (DPC) has issued a Guidance Note on the use of CCTV. The Note identifies the following issues which should be carefully considered and adhered to if an organisation is installing CCTV:
¨ Is the use of CCTV justified?
The Data Protection Acts require that the collection of personal data must be “adequate, relevant and not excessive” for the purpose required. The organisation must be able to demonstrate that installing a CCTV system that collects personal data on a continuous basis can be justified. The test of proportionality will be applied e.g. the use of CCTV for security purposes is likely to be justified. On the other hand, the DPC gives the example that using a CCTV system to constantly monitor employees is highly intrusive and would need to be justified by reference to special circumstances.
¨ Storage and Retention of data
The Data Protection Acts state that data “shall not be kept for longer than is necessary for” the purposes for which they were obtained. The data needs to be deleted as soon as possible if not required, and in practice the guideline from the DPC is that data recorded is only held for 28 days unless there is an absolute need to retrain it further — such as for on-going investigations, or court proceedings.
The data should be stored securely for a limited period and access should be restricted to authorised personnel.
There should be clear signs confirming that CCTV is in operation and the purpose for which it is operating. This should be the only basis for which it is used.
¨ Comprehensive CCTV policy
A detailed written CCTV policy should be in place which gives certain essential information to individuals before their personal data is recorded.
¨ Service Providers
A contract should exist with the security company if they operates the cameras.
Anyone intending to install CCTV on their premises should be very familiar with the requirements of the Data Protection Acts to ensure that the system will comply with the legislation.