Before Christmas 2015, the Office of the Irish Data Protection Commissioner issued a new practice note in relation to the use of CCTV. The use of CCTV systems has greatly expanded over the past few years and the systems have become far more sophisticated. Recognisable images captured by CCTV systems are personal data and are subject to the provision of the Data Protection Acts. If you are using CCTV systems in your business you should be concerned with the following developments.
Is a CCTV system justified?
Data Protection legislation focuses on proportionality and considers what the system will be used for. CCTV system that is used for security of premises or other property is likely proportional and is probably the most common use of CCTV. However, using a CCTV system to constantly monitor employees is far more intrusive and may not be justified or proportional. You would have to reference special circumstances (such as an example of an incident that happened in your business before) to address issues that arose before the installation of the system. The location of cameras is also a key consideration in determining whether the system is proportional.
The Data Controller of your business should ensure to complete the following steps:
1. Conduct and document a Risk Assessment Process.
2. Conduct and document a Privacy Impact Assessment.
3. Prepare a specific Data Protection Policy dealing with CCTV devices. This should reference that the retention and disposal policies for the CCTV footage.
4. Prepare and display clear signage indicating that there is an image recording in operation.
It is also be recommended that you keep documentary evidence of prior incidents that led to the introduction of the CCTV.
A written CCTV policy must also be in place and should include the following information:
• The identity of the Data Controller
• The purpose for which the data is processed
• Any third parties to whom the data may be supplied
• How to make a data access request
• The retention period for the CCTV
• Security arrangements for the CCTV
You should notify that you are using CCTV and you should place easily read and well-lit signs in prominent positions.
If the identity of the Data Controller and the usual purpose is obvious (i.e. security) then you need to only notify that CCTV is operating together with contact details for the person who controls the processing. If the purpose of purposes is not obvious then there is a duty on the Data Controller to make this clear. A CCTV camera is often assumed to be used for security purposes but if it is used for monitoring staff performance or conduct then staff must be informed before any data is recorded for this purpose as it is not an obvious purpose. Similarly, if the purpose of the CCTV is for safety reasons, this should be clearly stated and made known.
Supply of CCTV images to An Garda Síochana
If an Garda Síochana makes a request to download footage it is recommended that the request for copies of footage should only be acceded to where there is a formal written request to the Data Controller. This is differentiated from An Garda Síochana making a request to view footage on the premises and the written request would not be necessary. A written request is only needed if they require copies.
If my organisation uses CCTV, what should I do?
We recommend that you take action to comply with the guidance. While this guidance is not yet legally required, it is recommended and if you comply with these obligations you will be in compliance with the new EU Data Protection Regulation which will come into force in Ireland 2 years after its enactment.
If you receive your CCTV services from a third party you should review their arrangements.
You should also review your employment policies and handbooks to ensure CCTV use is dealt with and notified in line with your usage.
For any other information please do not hesitate in contacting MW Keller & Son Solicitors LLP at firstname.lastname@example.org or 051 877 029.