It's time to review your use of CCTV in light of a new Guidance Note from the Data Protection Commissioner
Before Christmas the office of the Irish Data Protection Commissioner (ODPC) issued an updated and expanded guidance note in relation to the use of CCTV.
What has changed?
One of the most significant differences between the new and earlier guidance is the requirement that "a written CCTV policy must be in place". In previous guidance the Irish Data Protection Commissioner had simply stated her views with regards to the type of information that must be provided to those recorded using CCTV.
There is also a new section in the guidance dealing with proportionality. In Irish data protection law the concept of proportionality is one of the core obligations placed upon those who control data, namely data controllers.
Section 2(1)(c)(iii) of the Data Protection Acts 1988 to 2003 states that personal data must be collected and processed in a manner that is:
“adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed.”
Data controllers are now expected to carry out detailed assessments which will show that any use of CCTV is justified and satisfies the relevant statutory obligations.
The guidance note provides that data controllers who wish to use CCTV should ensure that they complete the following steps:
- conduct and document a risk assessment process;
- conduct and document a Privacy Impact Assessment;
- prepare a specific data protection policy dealing with CCTV devices, which should include data retention and disposal policies for the CCTV footage recorded;
- be able to demonstrate, using documentary evidence, previous incidents that have led to security or health and safety concerns that may justify the use of CCTV; and
- prepare and display clear signage indicating that there is image recording in operation.
My organisation uses CCTV, what should I do?
It's unlikely that all of the steps outlined above would have been carried out by many organisations previously, and even less likely that they would have been formally documented. We recommend that data controllers take action now to comply with the guidance. Taking these steps will reduce the likelihood of issues arising in relation to your CCTV use in the future, or your ability to rely upon CCTV footage when it's important. Moreover, by taking the recommended actions now, organisations will also be moving towards complying with certain obligations in the EU's new General Data Protection Regulation, which has been almost finalised and will come into force in Ireland two years after its enactment.
While this guidance from the Data Protection Commissioner is not actually law, we recommend that organisations adhere to any guidance issued by the ODPC. The Commissioner is the regulator charged with upholding and enforcing data protection legislation in Ireland. Some organisations will have another reason to comply with the guidance, as it's also common to see clauses in commercial contracts requiring compliance with ODPC guidance, in addition to requiring compliance with relevant data protection legislation.
Organisations that outsource CCTV to third parties should review their arrangements with these service providers. Employers that monitor employees using CCTV, or the areas in which employees work or congregate, should review their employment policies or staff handbooks to ensure that CCTV use is dealt with in line with the Guidance Note.
If your organisation uses CCTV it is time to review your use, and make the appropriate changes needed to comply with the Data Protection Commissioner's new Guidance Note.