CCTV in the Workplace

Footage or images containing identifiable individuals captured by CCTV systems are personal data for the purposes of data protection law. Best practice is for data controllers to set out their position on the issues surrounding their use of CCTV in the form of a CCTV Data Protection Policy. Any CCTV policy that relates to a place of work should be brought to the attention of employees. The CCTV policy can also be published on an official website to inform members of the public who may attend the premises.

Before installing a CCTV system, the following questions should be considered:

• Purpose: Is there a clearly purpose for installing CCTV?
• Lawfulness: What is the legal basis for using CCTV?
• Necessity: Can it be demonstrated that CCTV is necessary?
• Proportionality: If CCTV system is to be used for purposes other than security, can it be demonstrated that those other uses are proportionate?.
• Security: What measures are put in place to ensure that CCTV recordings will be stored safely and securely?
• Retention: How long will recordings be retained, bearing in mind that they should be kept for no longer than is necessary for the original purpose?
• Transparency: People should be informed that their images are being recorded.
•  A person whose images are recorded by a CCTV system must be able to access information about:
  • The identity and contact details of the data controller;
  • The contact details for the data protection officer, if one has been appointed;
  • The purpose and legal basis for the processing;
  • Any third parties to whom data may be disclosed;
  • The security arrangements for the CCTV footage;
  • The retention period for CCTV footage;
  • The existence of data subject rights and the right to lodge a complaint with the DPC.