There are now less than nine months to go before the General Data Protection Regulation (GDPR) comes into force, replacing the Data Protection Act 1998 (DPA).
So what should operators and controllers of CCTV and video systems be doing now? The short answer is, ensure you are complying with the current law and don’t believe the doom merchants:
“The GDPR will require a wholesale reassessment of data protection for the UK’s millions of CCTV cameras, which so far have gained from relatively light touch regulation.”
The ICO CCTV Code
Overt CCTV camera systems are regulated by the DPA. The Information Commissioner’s Office (ICO) revised its CCTV Code of Practice in 2015 to:
reflect the developments in existing technologies that have taken place in the last six years,
discuss the emergence of new surveillance technologies and the issues they present (e.g. drones, body-worn cameras, etc.),
reflect further policy development in areas such as privacy impact assessments,
explain the impact that new case law has had on the area of surveillance systems, and
reflect the wider regulatory environment that exists when using surveillance systems.
The ICO has produced a CCTV self-assessment tool that will help you assess your compliance with its code.
Jonathan Bamford, then the Head of Strategic Liaison at the ICO, emphasised in his blog post at the time of the consultation into the new CCTV code that the underlying principles remain the same. The same can be said about GDPR’s impact on CCTV systems. All the familiar provisions found in the DPA are there in the GDPR, including the need for transparency, security, respect for individuals’ rights, etc.
Data Protection Impact Assessment
One area, which needs particular consideration, is whether a Data Protection Impact Assessment (DPIA) needs to be undertaken before setting up a new CCTV system. DPIAs (also known as Privacy Impact Assessments) are a tool which can help Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal information. A well-managed DPIA will allow Data Controllers to identify and fix problems at an early stage, reducing the associated costs and damage to reputation that might otherwise occur.
A DPIA is required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1) of GDPR). Such processing, according to Article 35(3), includes “large scale, systematic monitoring of public areas (CCTV)”.
Even where your CCTV does not fall into this category, it may still be deemed to be “high risk.” The Article 29 Working Party’s data protection impact assessment guidelines set out the criteria for assessing whether processing is high risk. These include systematic monitoring of individuals.
For its part, the CCTV code emphasises the importance of conducting a privacy impact assessment before undertaking surveillance using CCTV, especially when cameras are fitted to drones (e.g. broadcasters seeking to gather footage for production purposes, police forces conducting surveillance on suspects, or construction companies monitoring job progress).
For more on DPIAs, including how one should be conducted and by whom, please read our DPIA blog post. Other points to consider in relation to CCTV systems include:
How are you going to comply with GDPR’s more prescriptive transparency requirements?
Have you reviewed your records management and information risk policies?
How secure is the recorded data in the light of the GDPR’s more stringent security obligations and breach notification provisions?
Have you revised your subject access procedures in view of the changes under GDPR?
If a CCTV system is being used for employee monitoring, then other aspects of GDPR will come into play as well as, in some cases, Part 2 of the Regulation of Investigatory Powers Act (RIPA). For more on this topic see our blog post and forthcoming webinar.
The PoFA Surveillance Camera Code
Just to complicate things a bit more, some organisations also have to comply with the Surveillance Camera Code (PoFA code). Made in 2013, pursuant to the Protection of Freedoms Act 2012 (PoFA), this code governs the use of CCTV and ANPR systems by local authorities and policing authorities in England and Wales.
The Surveillance Camera Commissioner (in charge of the PoFA code) has set up a voluntary certification scheme. He says on his website:
“Over the coming weeks and months we will look at what else will be useful or necessary to support those using surveillance cameras on their journey to compliance. At the same time I can reassure you that we are working hard with certification bodies to adjust our independent third party certification scheme to ensure that if you or your organisation acquire that standard it is very likely that you will measure up to the new requirements under GDPR. Many police forces, local authorities, large retailers and transport networks sit within that category and I aim to broaden that base – outward reassurance to the public concerning inward compliance!”
GDPR will have an impact on CCTV and other video recording systems. But there is not going to be a revolution. If time is spent on complying with the current law by making use of existing resources (as explained above), there will be no need for a big jump into GDPR land.