CCTV security surveillance is one of the most powerful tools available today in protecting your home or commercial property. CCTV cameras footage can be used to solve crimes, prevent crime, and enforce laws.
But what about privacy?
With the growing use of surveillance systems in society, there is an increased risk of data breaches and misuse of data. Many will recall the large-scale hack of the surveillance camera company Verkada in 2021.
The hack resulted in footage and live feeds of 150,000 surveillance cameras inside hospitals, organisations, police departments, prisons and schools being accessed by criminals.
There are rules in place to ensure that CCTV cameras footage is only accessed for legitimate purposes and that its use is restricted to law enforcement and criminal detection purposes.
In this blog, we will cover how you can use CCTV cameras footage legally, what happens if you’re caught breaking the rules, and tips to keep your data secure.
Content
What are the rules for CCTV in a business?
Is sharing a CCTV footage a breach of GDPR?
Can you post CCTV footage on Social Media?
Rules for CCTV camera footage beyond your perimeter
How long can you legally keep CCTV footage in the UK?
What restrictions apply in terms of collecting, storing and using CCTV footage?
Are there any legal requirements to consider when installing a CCTV system?
What rights do people have when it comes to accessing CCTV footage of themselves?
What are the potential consequences of misusing CCTV footage?
CCTV Systems & Data Protection in the UK
CCTV images are considered to be personal data under current data protection law (DP & GDPR 2018) whether that CCTV just covers your business premises or if it overlooks public areas, such as the road or path outside your premises.
Organisations and sole traders (with few exemptions) that process personal data must pay an annual data protection fee to the UK regulator, the Information Commissioners Office (ICO).
This includes all businesses that have a CCTV system installed. If you haven’t paid your fee as a Data Controller (an organisation that processes data for their own means) then you don’t appear on the public register which as its name suggests can be readily searched by any member of the public.
What are the rules for CCTV in a business?
Businesses must comply with Data Protection law when using CCTV cameras surveillance.
This means that businesses must ensure that any camera surveillance is necessary and proportionate and that it is used only for the purpose for which it was installed, such as crime prevention, rather than monitoring staff.
In addition, businesses must provide clear signage in their premises to indicate that CCTV is being operated, for what purpose and by whom (data controller). These steps are essential to ensuring the privacy of individuals being recorded by the CCTV system and to ensure you as the business owner don't inadvertently break the law.
The privacy of individuals should be considered throughout the entire process, from choosing a surveillance system to managing footage and the retention of data (CCTV images).
Is sharing a CCTV footage a breach of GDPR?
It is essential that businesses comply with data protection laws when using CCTV cameras or disclosing captured footage. By law, the footage must only be used for a legitimate purpose and must be stored securely.
Organisations must also ensure they are transparent about where and how the footage is being used, where it is being stored and how long it will be retained. Individuals have the right to access the footage if it relates to them, subject to certain conditions.
Data subjects can request that footage that has captured images of them be released following receipt of a Subject Access request. Businesses must comply with SAR's within a specific time frame.
Disclosing footage to external agencies such as the HMRC, Police, Council etc is permitted, however all transfers should be recorded.
Can you post CCTV footage on Social Media?
Increasingly we see footage from CCTV systems uploaded to the internet, either in an effort to name and shame criminals, or as a form of entertainment. Uploading images that could be used to identify an individual is a breach of data protection law.
Organisations must ensure that any CCTV footage is properly secured and that only authorised personnel have access to it. This is vital to protect the privacy of individuals and prevent unauthorised use or disclosure of information.
If footage taken from your surveillance system is uploaded to the internet, either intentionally or inadvertently (due to hacking), you could be held responsible and as a consequence face fines, as well as possible reputational damage. Release footage to the Police not to Facebook or YouTube!
Rules for CCTV camera footage beyond your perimeter
It is important to understand the rules and regulations regarding the use of CCTV footage. The data protection act (DPA) and general data protection regulation (GDPR) provide general guidelines for how organisations can ensure that CCTV is being used responsibly.
In most cases, a CCTV camera is installed to monitor your property (external / internal areas of your business). However often we come across systems that monitor public areas or neighbouring properties.
CCTV cameras should be properly positioned to ensure they monitor your property only and not those of neighbouring businesses or public areas. Masking of cameras is encouraged to ensure privacy is maintained, especially if your business overlooks residential areas.
Placement of cameras should be considered as part of the initial operational requirement, with any privacy concerns identified in the data protection impact assessment conducted prior to installation.
How long can you legally keep CCTV footage in the UK?
A CCTV camera is a valuable security tool that can help monitor an area or capture footage of an incident. However, it must be used for legitimate purposes with images retained for a specific period of time.
Organisations must ensure they have a data retention policy in place that outlines how long footage can be kept and who has access to it. Such a policy should also include procedures for storing, handling and managing surveillance data, as well as an overview of information privacy protections in place, such as encryption, pixelization etc. In summary you need to justify how long you hold on to CCTV footage.
Retaining footage for 30 days for crime prevention purposes could be justified, however holding on to the same footage for a few years would be difficult to justify. Set your DVR / NVR for the minimum retention period possible and then automatically erase data.
FAQ's
What restrictions apply in terms of collecting, storing and using CCTV footage?
When it comes to collecting, storing and using CCTV footage, it is important to understand data protection laws and regulations. Generally speaking, CCTV footage should not be used in a way that breaches the privacy of individuals and should only be used for legitimate purposes. Moreover, CCTV footage must not be shared with third parties without the explicit permission of the organisation or individual responsible for collecting the data (Data Controller).
It is also important to ensure that data collected is securely stored and access to the data should be restricted to authorised personnel only.
Are there any legal requirements to consider when installing a CCTV system?
Yes, there are legal requirements that you must consider when installing CCTV. This may range from needing to pay a fee to the ICO (Information Commissioners Office) or informing individuals that they are being recorded, through the installation of signage.
It is also important to make sure that the CCTV cameras are not placed in areas where there is a reasonable expectation of privacy such as bathrooms, changing rooms and bedrooms. It is illegal to record individuals in such places without their consent.
Additionally, you should ensure that data collected by CCTV cameras stored securely and deleted after a specific period of time. This is especially important if personal data has been captured. Failing to do so may result in legal action.
What rights do people have when it comes to accessing CCTV footage of themselves?
When it comes to accessing footage of themselves captured by CCTV camera, individuals have natural rights and can make a subject access request to the organisation that is holding the footage.
Organisations are required to provide individuals with a copy of the footage within a reasonable time period. If an organisation refuses access or an individual believes their privacy rights have been violated, they can challenge the decision and make a complaint directly to the ICO.
What are the potential consequences of misusing CCTV footage?
Misusing CCTV footage can have serious legal consequences, ranging from fines to criminal charges and civil lawsuits. The misuse of CCTV footage is often subject to data protection laws which, if violated, could result in the offender facing disciplinary action or even dismissal if an individual, or financial sanctions if a business.
Businesses may also face loss of reputation and trust among customers and employees. Therefore, it is always advisable to use CCTV footage responsibly and in accordance with the law.
Conclusion
CCTV systems are an important tool when used for crime prevention purposes, either in capturing images for evidential purposes, or when used as a highly visible deterrent encouraging adversaries to seek softer targets elsewhere.
However, CCTV cameras also has the ability to negatively impact lives, incur costs and reputational damage for those businesses that fail to manage surveillance systems properly.
Following the simple steps below ensures your use of CCTV systems doesn't break the law:
As the controller responsible for your surveillance system you must ensure that personal data captured by the system is processed in accordance with Article 5 GDPR, which stipulates that personal data (CCTV Images) must be: -
Processed lawfully, fairly and transparently
Collected for specific, explicit and legitimate purposes and not further processed for other purposes
Adequate, relevant and limited to what is necessary
Accurate and where necessary kept up to date
Kept in a form that allows data subjects to be identified for no longer than is necessary
Processed securely & disposed of properly
At Propertysec we conduct comprehensive Data Protection Impact Assessments (DPIA) when deploying surveillance technologies.
About the writer: Justin Quigley, is a recognised security expert in the protection of property through the introduction and deployment of technical and non-technical security measures, including CCTV towers, video verification systems, fencing, perimeter protection technology, hostile vehicle barriers, alarms and analytical camera systems.
He is a prolific writer on the subject of crime prevention, security technology and void property security.