The Office of the Data Protection Commissioner (DPC) has issued new guidance on the use of CCTV systems which clarifies its position in respect of the use of such systems. Recognisable images captured by such systems are “personal data” and are therefore subject to the provisions of the Data Protection Acts (the Acts) and a data controller must be able to justify the obtaining and use of such data.
The DPC outlined its views on what may or may not justify the use of CCTV systems and, for example, where it is used to constantly monitor employees or customers, this will be significantly more difficult to justify than where it is used for security purposes.
The DPC has also stated it expects data controllers to have carried out detailed assessments as to how the use of such equipment meets with requirements of the Acts. Data controllers must document a risk assessment, a privacy impact assessment, a specific data protection policy for the use of the devices, documentary evidence of previous incidents and use clear signage indicating image recording in operation.
The new guidance has also provided further clarity in respect of the engagement of third party providers as well as the obligations that arise in such circumstances. Issues such as retention periods for CCTV footage, the use of CCTV systems in private dwellings and the procedure when dealing with access requests (both from law enforcement and third parties) have also been helpfully clarified by the DPC.
As the use of CCTV and the sophistication of such systems have greatly expanded in recent years, it is important for all CCTV users to be conscious of their obligations under data protection law, particularly in advance of the coming into force of the General Data Protection Regulation which will significantly increase the obligations and fines in this area.