Under the UK GDPR (General Data Protection Regulation), the use of CCTV (Closed-Circuit Television) is subject to certain principles and regulations to ensure the protection of individuals’ privacy rights. In addition, providing footage from CCTV and surveillance cameras in response to a subject access request, or for public viewing, will require careful consideration, and the editing and censoring of other parties’ identities.
In addition to CCTV, the GDPR covers automatic number plate recognition (ANPR), body worn video (BWV), drones (UAVs), facial recognition technology (FRT), dashcams and smart doorbell cameras.
Here are some key points regarding CCTV use under the UK GDPR:
1. **Lawfulness, fairness, and transparency**: The use of CCTV must be lawful, fair, and transparent. This means there should be a legitimate reason for using CCTV, such as for security purposes, and individuals should be informed about the presence of CCTV cameras.
2. **Purpose limitation**: CCTV should only be used for the specific purposes for which it was installed. For example, if CCTV is installed for security reasons, it should not be used for other purposes such as monitoring employee performance.
3. **Data minimisation**: Only the minimum amount of personal data necessary should be collected and processed through CCTV. This might include images of individuals and the time and location of recording.
4. **Retention period**: Personal data collected through CCTV should not be kept for longer than necessary. The retention period should be determined based on the purpose of the CCTV system and any legal requirements.
5. **Security**: Measures should be in place to ensure the security of personal data collected through CCTV, including encryption, access controls, and protection against unauthorised access or disclosure.
6. **Individual rights**: Individuals have rights under GDPR regarding their personal data, including the right to access their data, the right to rectification, the right to erasure (in certain circumstances), and the right to object to the processing of their data.
7. **Impact assessments**: In certain cases, a Data Protection Impact Assessment (DPIA) may be required before implementing CCTV systems, especially if they involve the systematic monitoring of a publicly accessible area on a large scale.
8. **Signage**: Signage should be displayed to inform individuals that CCTV is in operation, along with information about who is responsible for the system and how individuals can exercise their data protection rights.
These principles apply to any organisation or individual that uses CCTV systems within the scope of the UK GDPR, whether it’s a business, public authority, or private individual. Failure to comply with these regulations can result in penalties and fines imposed by the Information Commissioner’s Office (ICO), the UK’s data protection authority.