GDPR, Data Protection and your CCTV System

A useful guide from GBSG, about GDPR, Data Protection and your CCTV System

Guidelines

All GBSG installations comply with the Information Commissioner’s Office CCTV Code of Practice, and we put up notices so people know when CCTV is in use.

https://ico.org.uk/for-organisations/guide-to-data-protection-1998/encryption/scenarios/cctv/

Customer Responsibilities

Data protection act and code of practice for CCTV monitoring

On specification of a CCTV system, we draw attention for all customers to the Data Protection Act 1998 and the Information Commissioner’s Office CCTV Code of Practice 2008. By Law the customer is responsible for registering the system with the Information Commissioners’ Office.

More information can be obtained from the Information Commissioner’s Office:

Website: https://www.gov.uk/data-protection-your-business/using-cctv

Protecting the data, you record

https://www.gov.uk/data-protection-your-business/using-cctv

  • Recording equipment to be secured and not accessible by unauthorised persons
  • Access to any images to be restricted to only approved personnel
  • Display screens are not permitted on show in public areas where other individuals can be viewed (this to include screens in shops, receptions etc.)
  • Access to any equipment images are to be password protected and require signing into for each use
  • Where a member of the public requests a copy of images, this must be provided but all other persons or details such as number plates must be blanked out prior to issue.

Making sure your system complies with regulations

Once you have a CCTV system installed you will have registered with the ICO (information Commissioner’s Office) You will register this along with your other DPA requirements about holding personal data.

This is a secondary registration, we provided link details for this within our specification for the CCTV system. You can also follow this link below:

https://ico.org.uk/for-organisations/register/

GDPR changes

One of the main changes through the new GDPR regulations is that GDPR is now more about recording of any individual which includes staff as well as the public. If you were complying with the Data Protection Act you will comply with GDPR. GBSG have been advising on this and providing the signage signs since 2001 when it was enforced, please see CCTV information signage for more details.

CCTV information signage

One sign, providing information compliant with the Data Protection Act, will be located:

  • On each main entrance, to be viewed by persons entering the site
  • GBSG CCTV Warning signs are to be installed to the customer’s requirements.

The data protection signs are yellow in colour and hold details about who to contact and who is responsible for the CCTV system on site, they also explain the reason and purpose for use of CCTV.

Signage requirements

All signage should be fitted and clearly visible. If you find that you need new signage, or you do not have the right signage on site. Please contact sales@gbsg.co.uk so that we can provide you with a quotation for these.

Signage Example:

CCTV criteria

Under new GDPR rules the reason for having CCTV and recordings haven’t changed, but it is worth completing an assessment to document why you use CCTV and the purpose and also the length of recording just so that it is available in case of issues.

Some suggested reasons for the use of CCTV:

  • Prevention of crime
  • Public safety when entering the site
  • Health and Safety in the working environment
  • Protection of lives and equipment
  • Business integrity
  • Business planning.

Retaining recorded data

In terms of recording times this needs to be reasonable, if you require 30 days then this is fine but just state why you need 30 days. You might keep data due to customer complaints, or delivery of goods against invoice checking. Some companies can record for longer: petrol stations, ATM machines where bank statements are produced quarterly, need to keep images for 90 days for evidence purposes. As long as you can justify the reason you are keeping data and the recording times, within a simple document this will be adequate and reasonable.

Recommended Posts