The case study at our recent commercial leases seminars included a section about the installation of CCTV in the common parts of a building and in the car park.

We discussed the steps that a property owner needs to take before installing CCTV on the premises. In this legal insight we answer some of the questions that were raised following that session.

You made it clear that the use of CCTV would be subject to the General Data Protection Regulation 2016 (GDPR), but would a landlord offering swipe card entry that tracks tenants' movements be subject to GDPR?

Yes, if a swipe card entry system can track the times that a tenant has entered and left the building, this would be subject to the GDPR as this would involve recording and processing personal data about tenants. However, this type of processing is less intrusive than CCTV as it records much more limited personal data. Therefore, the same obligations apply, but the justification for using a system like this would not need to be as robust as the justification for using CCTV.

Is the landlord responsible for the tenant's own CCTV under GDPR?

The entity responsible for GDPR compliance will be the “controller” of the personal data collected. This means the entity which decides how and why personal data will be processed. If a tenant has made the decision itself to install CCTV and it is the tenant who runs and manages the CCTV system, it is likely that the tenant will be responsible for compliance with GDPR. If the landlord has dictated or recommended to a tenant that CCTV should be used and/or the landlord has its own independent access to the CCTV to use the footage as it wishes, it is possible the landlord will also be a controller and have the same GDPR responsibilities as the tenant.

How many fines relating to GDPR have actually been imposed?

As of 31 October, none! There has been one enforcement action against AggregateIQ (one of the firms linked to Cambridge Analytica) but instead of a fine, this was an “enforcement notice” requiring AggregateIQ to stop certain types of processing. The Information Commissioner’s Office has previously suggested that it will be more interested in helping companies to remediate data breaches rather than issuing overly punitive fines and that fines will not be its “go-to” enforcement tool. Fines are most likely to be issued where organisations have serious systematic failings and/or have made no demonstrable effort to comply with the requirements.

How long does the landlord have to keep the CCTV footage?

There are no retention periods dictated for any personal data. The obligation is to keep personal data for “no longer than is necessary” in order to fulfil the purposes of processing that personal data. We would always recommend that the landlord has a retention schedule in place which sets out retention periods for CCTV and that those retention periods can be properly justified by references to the purposes for the processing of the footage. Usually CCTV is overwritten on a rolling basis of, for example, 30, 60 or 90 days. Footage may be able to be kept for longer if there is a particular reason, for example an ongoing claim, complaint or investigation to which the footage is relevant.

Can the police still stipulate that recordable CCTV is installed as a condition of a premises licence now that we have GDPR?

There is nothing to stop the installation of CCTV being stipulated as a condition of the licence. In fact, the police will often ask for such a condition if it is not offered as part of the operating schedule. However, even where this is a licence condition, the licence holder will still have to ensure that GDPR is complied with. This means that there must be a lawful basis for installing the CCTV (for example, that the CCTV is necessary in the licence holder’s legitimate interests or to enable the licence holder to comply with a legal obligation, namely the promotion of the licensing objectives under the Licensing Act 2003) and the CCTV must be justifiable and proportionate. A Data Protection Impact Assessment should always be carried out so that the applicant can assess whether the CCTV can be justified. If there are serious privacy risks or the CCTV does not appear to be proportionate, the applicant should consider whether the proposed condition should be challenged. If agreement can’t be reached on the condition, the matter will go to a licensing hearing for a committee to determine. The fact that CCTV is a licence condition would certainly go some way towards demonstrating that the use of CCTV is justified, but the applicant should still keep an audit trail demonstrating consideration of the risks and mitigating solution. In all cases, from a practical perspective, we would recommend that any condition relating to CCTV and release of footage is made subject to the licence holder’s compliance with GDPR and other data protection requirements.