CCTV systems capture personal data – what are your obligations?
Personal data can be captured using CCTV cameras – any video, images or audio that can be used to identify an individual is subject to the Data Protection Acts. If you use a CCTV system for your business you are likely considered a data controller and therefore have significant responsibilities. So businesses using CCTV cameras must make themselves aware of their data protection obligations. Read on for more details and recommendations / expectations that will help you comply with data protection regulations.
In previous articles we gave insights and tips on how to ensure security and comply with data protection regulations. In this article we’re focusing on CCTV and data protection obligations for businesses but our other articles that may be of interest to you are:
- 11 non-tech tips to help ensure payroll security and confidentiality
- 6 important steps to securing your company Wi-Fi
- Avoid falling victim to email and SMS scams purporting to be from Revenue
- What impact will the GDPR have on payroll personnel and how to prepare
- Payroll and the cloud
Before introducing a CCTV system on your business premises you need to be able to justify its presence and consider what will actually be captured.
Can you justify the CCTV system and what data will be captured?
Businesses must be able to justify obtaining personal data through a CCTV system and also justify the use of that personal data. This is easily done if the system is for security reasons; however, it becomes much more difficult if the system is used to monitor employees or customers, as this is more intrusive.
All of the data captured needs to be considered, including data that is not relevant to the intended purpose of the CCTV system. A case study provided by the Data Protection Commissioner highlights a case where Luas CCTV cameras overlooked private property; this was outside of the intended purpose of the system and had to be rectified. You should ask yourself whether people in the areas captured by the CCTV system have an expectation of privacy, and whether you are capturing no more than is appropriate for the purpose of the system.
Data Protection Commissioner Recommendations / Expectations
The Data Protection Commissioner expects / recommends the following to be carried out and documented:
- A Risk Assessment
- A Privacy Impact Assessment
- A specific Data Protection policy drawn up for use of the devices in a limited and defined set of circumstances only (this policy should include a documented data retention and disposal policy for the footage)
- Documentary evidence of previous incidents giving rise to security/health and safety concerns
- Clear signage indicating image recording in operation.
Before recording, certain information must be supplied to data subjects. The Data Protection Commissioner specifies that a written CCTV policy must be in place and should include the following information:
- the identity of the data controller;
- the purposes for which data are processed;
- any third parties to whom the data may be supplied;
- how to make an access request;
- the retention period for CCTV;
- the security arrangements for CCTV.
Notification of CCTV usage can usually be achieved by placing easily read and well-lit signs in prominent positions. A sign at all entrances will normally suffice.
If the purpose of the CCTV system is obvious, e.g. for security reasons, all that is required is a sign noting contact details and highlighting that CCTV is in operation. However, if the reason is less obvious, e.g. for monitoring employee conduct, then the data subjects must be made aware of the existence and purpose of the CCTV system. A case study provided by the Data Protection Commissioner highlights a case where covert recording and out-of-scope data use caused issues for a business and its employee.
Other expectations / recommendations
- Don’t keep the data longer than necessary for the intended purpose
- Store the data securely
- Maintain an access log
- Only allow authorised access
- Be prepared for access requests
- Be prepared to obscure (e.g. pixelate) other individuals
- If a security company is used, ensure that appropriate contracts are in place (e.g. an SLA that ensures that your data is processed appropriately in the event of a request being made etc.)
Crucially, data protection legislation is going through radical changes, so be sure that you're prepared. Details of the changes, the impact they will have on payroll personnel and how to prepare are covered in our article "What impact will the GDPR have on payroll personnel and how to prepare".
PaycheckPlus Payroll Data Protection
Here at PaycheckPlus we understand that businesses need to focus on profits, not paperwork. Ensuring compliance with the many regulations and pieces of legislation can be a difficult and time-consuming task for businesses. Payroll compliance can be particularly difficult and important due to the complex, ever-changing legislation and the substantial fines that can be incurred for a breach. Plus, as payroll is not a core function of most businesses, payroll staff experience significant pressure to ensure accuracy and compliance with the most up-to-date legislation. However, PaycheckPlus can assist: we provide payroll outsource solutions that ensure compliance, security and confidentiality – it's a core feature of our business. Our clients can rest assured that their payroll is compliant and safe with us, and that their payroll will be delivered on time, every time by our payroll specialists.
We handle compliance, payroll processing and data security, which allows payroll teams, HR teams and businesses to operate more efficiently by focusing on their core responsibilities and profit-making activities. We also provide a cover service for payroll staff, which gives businesses and payroll teams peace of mind that when a payroll employee becomes ill or goes on leave their staff will still be paid.
To ensure secure payroll compliance and for expert support contact PaycheckPlus now.
PaycheckPlus – Payroll Excellence