Shortly after the recent video surveillance guidance from the EDPB, the Information Commissioner of the Isle of Man published an updated CCTV data protection guidance.
Key takeaways for controllers:
General Considerations and Governance:
- CCTV images identify living individuals and are, therefore, personal data. This means that the use of CCTV will be covered by data protection law, regardless of the size of the system or organization.
- There must be a lawful reason for considering the use of CCTV, such as crime prevention and detection, health and safety of workers or the public, property security.
- The use of CCTV must be necessary and proportionate. You should take into account what benefits can be gained, whether better solutions exist, and what effect it may have on individuals. For example, vehicles in a parking lot are frequently damaged and broken into at night. Consider whether improved lighting would reduce the problem more effectively than CCTV.
- Consider these matters objectively as part of an assessment of the scheme’s impact on people’s privacy. when considering monitoring publicly accessible areas, a data protection impact assessment (DPIA) must be carried out.
- Understand who the “controller” is and if there is more than one controller; consider whether the respective responsibilities been agreed and each knows its responsibilities.
- Appoint an individual responsible for the administration of the system.
- Ensure that images can be taken from the system if required by the police to investigate crimes but will not be provided to other third parties.
- Regularly review whether the use of CCTV continues to be justified.
Location and Use:
- When selecting the location of the camera consider: minimizing viewing spaces that are not relevant to the processing ; setting recording to set times for achieving the purpose (data minimization).
- Select the image quality that is necessary for the purpose: e.g. Monitoring (lower resolution); Detecting the presence of a person (higher resolution); recognizing a specific person (higher resolution); or Identifying – facial recognition for proving identity beyond a reasonable doubt.
- CCTV must not be used to record conversations between members of the public as this is highly intrusive and unlikely to be justified.
Storing of Images:
- Recorded material should be stored in a way that maintains the integrity of the image and only a limited number of authorized persons may have access to them. This is to ensure that the rights of individuals recorded by the CCTV system are protected and that the material can be used as evidence in court.
- Carefully choose the medium on which the images are stored, and then ensure that access is restricted.
- Keep a record of how the images are handled if they are likely to be used as evidence in court.
- Restrict viewing of live images on monitors to the operator of the recording unless the monitor displays a scene which is also in plain sight from the monitor location.
- View recorded images in a restricted area, such as a designated secure office.
- Restrict the monitoring or viewing of images from areas where an individual would have an expectation to authorized persons only.
- Once you have disclosed an image to another body, such as the police, they become the controller for their copy of that image. It is their responsibility to comply with data protection laws in relation to any further disclosures.
- The method of disclosing images should be secure to ensure they are only seen by the intended recipient.
Retention of Images:
Retention should reflect the organization’s own purposes for recording images or any industry standards or requirements .
You should not keep images for longer than strictly necessary to meet your own purposes for recording them.
Occasionally, you may need to retain images for a longer period, for example, where the police are investigating a crime, to give them opportunity to view the images as part of an active investigation
(1) system installed to prevent fraud being carried out at an ATM may need to retain images for several weeks, since a suspicious transaction may not come to light until the victim gets a bank statement.
(2) Images from a town center system may need to be retained for enough time to allow crimes to come to light, for example, a month. The exact period should be the shortest possible, based on your own experience.
(3) A small system in a pub may only need to retain images for a shorter period of time because incidents will come to light very quickly.
- Individuals must be informed when they are in an area where CCTV surveillance is being undertaken.
- The most effective way of doing this is by using prominently placed signs at the entrance to the CCTV zone and reinforcing this with further signs inside the area.
- Signs should be more prominent and frequent where it would otherwise be less obvious to people that they are on CCTV.
Subject Access Requests:
- Individuals whose images are recorded have a right to view the images of themselves and, if they ask, be supplied with a copy of the images.
- Copies of images must be provided without undue delay and in any event within one month of receiving the request.
- Subject access requests cannot be refused due to the expense incurred by a controller for editing and copying the recordings.
- Those who request access must provide you with sufficient details to allow you to identify them as the subject of the images and also to locate the images on your system. For example: (1) Will an individual need to supply a photograph of themselves or a description of what they were wearing at the time they believe they were captured on the system to aid identification, if they are not already known to you? (2) Will details of the date, time and location be required.
Images of Third Parties:
- When images of third parties are also shown alongside the images of the person who has made the subject access request, you must consider whether you need to obscure the images of third parties.
- If providing those images would involve an unfair intrusion into the privacy of the third party, or cause unwarranted harm or distress, then their images should be obscured.
- In many cases, third party personal data can be disclosed as there will not be such intrusion, particularly if the third party is known to the data subject or if the footage is in a location where there is no expectation of privacy.
(1) A public space CCTV camera records people walking down the street and going about their ordinary business. Where nothing untoward has occurred, this can be released without editing out third party images
(2) Images show the individual who has made the request with a group of friends, waving at a camera in the town center. There is little expectation of privacy and the person making the request already knows their friends were there. It is likely to be fair to release the image to the requester without editing out the faces of their friend.
(3) Images show a waiting room in a doctor’s surgery. Individuals have a high expectation of privacy and confidentiality. Images of third parties should be redacted (blurred or removed) before release.