Is Your CCTV Compliant with EU-GDPR?
In 2018 new data protection requirements came into effect for the EU. These can have serious implications for CCTV systems operated by any "entity" inside the EU.
Basically, it means that any Australian business or organisation, of any size, will have to comply with the GDPR if they have an establishment in the EU, offer goods or services in the EU, or monitor the behaviour of individuals anywhere within the EU. Even if they have a website that targets EU customers, they still must comply with the GDPR. The penalties facing businesses for non-compliance are fines of up to €20 million or 4% of global annual turnover.
How are CCTV and digital video systems affected by the GDPR? Once you are collecting recognisable images from your CCTV system, you are managing "personal data". The reality is that you are now acting as a Data Controller, and with this comes responsibility. A Data Controller must be able to justify the obtaining and use of personal data by means of a CCTV system. The GDPR identifies two distinct roles for data management: a controller, which decides how and why personal data is processed, and a processor, which acts on behalf of the controller.
There are 6 steps and processes that can help your organisation comply with the GDPR and, by extension, the current Australian Privacy Act. See the image below.
1. Reason
When you install a CCTV system (and obviously cameras), you are capturing personal data from many persons. If the reason is surveillance of a property to detect intruders, or genuine health & safety concerns for employees and visitors, etc., you have a good reason to go ahead with the installation. If it is just to monitor employee activity, it could be an invasion of privacy.
2. Inform
It is part of the GDPR that you clearly inform any person that you are collecting data from. Obviously, with CCTV this can be difficult if a camera is viewing a public space, streetscape or soccer stadium. So, in these cases you must put up correct signage, a contact number and any other notifications that "inform" anyone passing through the camera's field of view that they are being viewed and, most probably, that their images are being recorded. This is very applicable in the workplace. All staff need to know where the cameras are and what they are looking at.
There are some exceptions where surveillance is being carried out by law enforcement or other agencies specifically trying to observe crime in action, shoplifting for example. In these cases, you have a good reason "not" to inform.
3. Retention of Data
Generally, the standard is 30 days, which is a carryover from the times of changing VCR tapes daily (one tape for each day of the month). If you think your business or facility requires more time to keep footage, then you need to conduct a risk assessment that shows your reason for keeping the footage for a longer period. Some reasons could be investigating hostile reconnaissance, or crimes that span longer periods of time, such as in cash handling facilities, etc.
4. Permit
The GDPR states: 'Any person whose image is recorded on a CCTV system has a right to seek & be supplied with a copy of their own personal data from the owner of the system.' Therefore, anyone who is captured by your CCTV cameras, whether in your building or on the street, has the right to request that footage; it is seen as personal data. They must follow a procedure but are perfectly within their rights. Keep in mind that if any other individuals are visible in the footage, a footage redaction service needs to be provided (i.e. blur out the faces of other individuals).
5. Assist
The Police or other law enforcement agencies may request footage from you, and you may supply this, but always ensure it is followed up by a written request on a proper letterhead from the requestor. If the Police just want to view the footage privately on the premises of the Data Controller or Processor, this action will probably not raise any concern for data protection.
6. Ensure
Security vendors and technicians act as Data Processors under the GDPR. Clients of the security company should have a contract in place which details what the security company may do with the data, what security standards should be in place and what verification procedures may apply. Ensure that any subcontractors working on your behalf, e.g. security vendors or CCTV engineers, follow this procedure. You will be open to data breaches if a third party can distribute or remove personal data in the form of CCTV images without following the above procedures.
Conclusion
Taking the above into consideration, many companies need to look at their security arrangements and ensure there are no likely breaches of regulations. An innocent oversight could result in a hefty penalty for your business. It is no longer acceptable to 'not understand' or 'not be aware of' the laws associated with CCTV systems. While it is quick and easy to purchase and install your own CCTV system without the input of professional consultants, you may leave yourself open to prosecution and fines.
Cornerstone Security Consulting are aware of the implications of how the GDPR and the Australian Privacy Act legislation affect the installation, operation and management of CCTV and digital video surveillance systems.
Please feel free to call us on 1300 952 785 if you require further information or a CCTV Audit.