What does this cover?
In recent years, the capabilities of CCTV have greatly improved: in addition to recording images, systems may also have face recognition and/or voice recording capabilities. While there are many benefits to such systems, they do give rise to concern that an individual's "private space" is being unreasonably invaded.
Are CCTV Images Personal Data?
In its updated guidance note issued on 22 December 2015 (Guidance Note) the Office of the Data Protection Commissioner (ODPC) reaffirmed the position that recognisable images (including facial images and car registrations) captured by CCTV systems are personal data and are subject to the Data Protection Acts 1988 and 2003 (the Acts).
A data controller needs to be able to justify the obtaining and use of personal data by means of a CCTV system. Section 2(1)(c)(iii) of the Acts requires data to be "adequate, relevant and not excessive" for the purpose for which they are collected. A data controller must be able to demonstrate the following:
1. The collection of personal data on a continuous basis is justified
A CCTV system operating in order to secure premises (for instance to capture images of intruders) is likely to meet the proportionality test. However, a system which constantly monitors employees or members of the public would need to be justified by reference to special circumstances. For example, if the monitoring is for health and safety reasons, a data controller would need to demonstrate that the installation of CCTV was proportionate in addressing specific health and safety issues that had arisen prior to the installation of the system.
2. Images that are captured by the system are reasonable in the circumstances
The location of cameras should also be a key consideration for data controllers. In order to justify the use of CCTV to monitor areas where individuals would normally have a reasonable expectation of privacy, a data controller would have to demonstrate that a pattern of security breaches had occurred in the area prior to the installation of CCTV such as would warrant constant surveillance. CCTV placed to record external areas should be positioned in such a way as to prevent or minimise recording of passers-by or of another person's private property. Importantly, there are some areas where the use of CCTV would never be justified, such as bathroom cubicles or urinals.
3. Detailed assessments validate the use of the CCTV system
The ODPC confirmed that they would expect a data controller to have carried out detailed assessments which support the use of CCTV in that particular area and for the collection of likely images. In particular, data controllers should be able to evidence that they carried out the following steps: a risk assessment, a privacy impact assessment, a specific data protection policy (this policy should include a documented data retention and disposal policy for the footage), documentary evidence of previous incidents giving rise to security and/or health and safety concerns, and clear signage indicating image recording in operation.
Section 2D of the Acts requires that certain essential information is supplied to a data subject before personal data is recorded. The Guidance Note recommends that data controllers have a written CCTV policy in place setting out the following:
- the identity of the data controller;
- the purposes for which data is processed;
- any third parties to whom the data may be supplied;
- how to make an access request;
- the retention period for CCTV footage; and
- security arrangements for the footage.
Notification of CCTV usage is usually achieved by placing easily-read and well-lit signs at all entrances. If the identity of the data controller and the usual purpose for processing is obvious (e.g. security), the sign can simply confirm that CCTV is in operation and provide contact details of the security firm operating the CCTV or the owner of the premises for persons wishing to discuss the processing. If, however, the purpose of CCTV is not obvious (e.g. to monitor staff performance or conduct) there is a duty on the data controller to make the purpose clear before any data is recorded.
Storage and Retention
Section 2(1)(c)(iv) of the Acts states that data "shall not be kept for longer than is necessary" for the purposes for which it was obtained. A data controller needs to be able to justify the retention period. For a normal security system, it would be difficult to justify retention beyond one month, except where the images identify an issue (such as a break-in or theft) and are retained specifically in the context of an investigation of that issue. The storage facility should be kept in a secure environment, and access by authorised personnel should be recorded in a log.
Supply of CCTV Images to An Garda Síochána
The ODPC has confirmed that a request by An Garda Síochána (the Irish Police Force) (the Police) to view footage on the premises of a data controller or processor would not raise any specific concerns from a data protection perspective. If, however, the Police wish to download footage, it is best practice to obtain a formal written request stating that they are investigating a criminal matter. For practical purposes, and to expedite requests in urgent situations, a verbal request may be sufficient once that request is followed up in writing. It is also recommended that a log of all requests is maintained by data controllers and processors.
An organisation may have to provide copies of all personal images captured by CCTV if served with a data access request. It is therefore important that the CCTV system in use allows a data controller to make copies of footage or stills. The ODPC will not accept claims that a system is unable to do so in the context of dealing with an access request.
- Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage. To exercise that right, a person must make an application in writing.
- The data subject must provide a reasonable indication of the timeframe of the recording being sought. It is not sufficient to make a very general request for all CCTV footage held on them.
- A data controller may charge up to EUR 6.35 for responding to a data access request.
- A data controller must respond within 40 days.
- A data controller must provide a copy of the data subject's personal information which normally involves providing a copy of the footage in video format. In circumstances where the footage is technically incapable of being copied to another device, or in other exceptional circumstances, it is acceptable to provide stills. However, it is necessary to supply a still for every second of the recording in which the requester's image appears.
- A data controller must pixelate, redact or black out images of any other party before supplying a copy of the footage or stills to the requester. Alternatively, the data controller may seek the consent of those other parties whose images appear in the footage to release an unedited copy containing their images to the requester.
- Covert surveillance is generally unlawful; it can only be used for specific and limited purposes and must be focused and of short duration.
- Security companies that place and operate cameras on behalf of clients are considered to be data processors. As data processors, they operate under the instruction of data controllers (their clients).
- The processing of personal data kept by an individual and concerned solely with the management of his/her personal, family or household affairs, or kept by an individual for recreational purposes, is exempt from the provisions of the Acts. However, the exemption may not apply if the occupant works from home or if images of public roads or neighbouring property have been captured.
- Section 38 of the Garda Síochána Act 2005 provides for the installation of CCTV systems for public security purposes under the authority of the Garda Commissioner.
What action could be taken to manage risks that may arise from this development?
We recommend that organisations in Ireland, in their role as data controller, review their use of CCTV and ensure they are compliant with the Guidance Note. In particular, data controllers should be able to evidence detailed assessments confirming that the use of CCTV is justified, proportionate, reasonable and transparent. In order to do so, data controllers should ensure that they:
- Carry out a risk assessment;
- Conduct and document a privacy impact assessment;
- Prepare a specific CCTV policy to include data protection/retention of images captured by CCTV;
- Have documentary evidence of previous incidents giving rise to security/health and safety concerns;
- Have clear signage indicating image recording in operation;
- Maintain a log of all requests to view personal data;
- Ensure that their CCTV system enables them to respond to data access requests;
- Review the contractual arrangements in place with any third party service providers engaged;
- Review employment policies or staff handbooks to ensure that CCTV use is dealt with in line with the Guidance Note. Where it is used to monitor employees or in the areas in which employees work or congregate