How does GDPR affect video surveillance (CCTV)?
There has been a growing market for video surveillance systems, such as smart video doorbells like Amazon’s Ring, which allows homeowners to keep an eye on their property and take deliveries without having to be at home.
This is despite security concerns raised by consumer group Which? in November 2020 and reports of lawsuits from hacks into the systems around the world.
For users in the UK, they need to consider how the installation of such a device will call into play the General Data Protections Regulations (GDPR) and Data Protection Act (DPA) 2018.
Are video images data?
Personal Data is defined as information relating to natural person which identifies them. Video images can therefore be considered as personal data.
Does GDPR apply to me as an individual?
Normally the GDPR and DPA provisions are there to protect individuals against organisations who process their personal data.
The use of commercial CCTV systems is an example of when organisations process personal data in the form of video footage of an individual.
The ICO first issued its Code of Practise covering the use of CCTV in 2000. Their latest guidance (In the Picture: A data protection code of practice for surveillance cameras and personal information) recognises the growing sophisticated operations on the market using digital and increasingly portal technology such as Automatic Number Plate Recognition.
The purpose of surveillance cameras is no longer just the passive goal of monitoring for security reasons but is increasing used to collect data and evidence for other purposes.
Due to these concerns a Surveillance Camera Commissioner was created by the Protection of Freedoms Act 2012.
The use of personal CCTV and video surveillance cameras are exempt from the requirements of GDPR and DPA if they only capture images within the boundary of your own private domestic property (including your garden).
If images are captured of people outside the boundary of your private domestic property (e.g. a neighbour’s home or garden, shared/communal spaces or public streets) then you will be obliged to comply with the GDPR and DPA in your use of the system and the personal data collected.
The Court of Justice of the European Union (CJEU) issued its judgment in the case of Ryneš on 11 December 2014. In this judgment, the CJEU concluded that where a fixed surveillance camera faces outwards from an individual’s private domestic property and it captures images of individuals beyond the boundaries of their property, particularly where it monitors a public space, the recording cannot be considered as being for a purely personal or household purpose.
What obligations do I have to comply with?
First of all you need to have a clear and justifiable reason for using a video surveillance system given its intrusive nature. You should consider the necessity and whether there are alternative ways to protect your property instead (e.g. better lighting).
The ICO has published guidance on its website (Domestic CCTV systems – guidance for people using CCTV) which sets out useful tips you should consider:
- Let people know you are using CCTV by putting up signs saying that recording is taking place, and why.
- Ensure you don’t capture more footage than you need to achieve your purpose in using the system.
- Ensure the security of the footage you capture – in other words, holding it securely and making sure nobody can watch it without good reason.
- Only keep the footage for as long as you need it – delete it regularly, and when it is no longer needed.
- Ensure the CCTV system is only operated in ways you intend and can’t be misused for other reasons. Anyone you share your property with, such as family members who could use the equipment, needs to know the importance of not misusing it.
What if I receive a Subject Access Request (SAR)?
Individuals have a right to access the personal data you hold about them, including identifiable images. They can ask you verbally or in writing. You must respond within one month and give them a copy of the data.
You need to consider though whether there are any other third parties caught in the images/video clips as you cannot release this without their consent too.
Many of the companies who make the systems will have in place automatic deletion after a certain period but you need to be aware of any images that you have downloaded and held on your own personal device, as a data subject will have a right to ask you to delete any images or video footage which you must also do so within one month. You can refuse to delete it if you specifically need to keep it for a genuine legal dispute – in which case you need to tell them this, and also tell them they can challenge this in court or complain to the ICO.
GDPR and DPA obligations can be quite onerous so you need to give serious consideration about whether the benefits from having the video surveillance system is justified.
This is especially because if you do not meet the obligations imposed by the GDPR and DPA, then you can be subject to enforcement action by the ICO including a fine. The data subject could also bring a civil claim against you for compensation in the courts.