The rise of CCTV usage has grown at such a rate within the last 10 years which has unfortunately resulted in many systems being installed without the correct guidelines and considerations needed for organisations that monitor & record images where “People” are present. This timeline has resulted in, many badly managed systems being present, of which, do not, comply against UK government guidelines and data protection law.

K2 Fire and Security ltd will support you throughout all steps of your decision process to ensure that your CCTV system will have considered all the factors that will protect your organisation, public, staff and provide responsible people with the training tools to ensure that your system will be designed, applied & managed to comply with UK governance & law.  

What should you consider before deciding to proceed with planning to install a CCTV system?

The below guidance will outline key factors and requirements that should be followed for applications within Domestic and Organisational environments.  

Domestic CCTV systems

The use of recording equipment, such as CCTV or smart doorbells, to capture video or sound recordings outside the user’s property boundary is not a breach of data protection law.  

People should try to point their CCTV cameras away from their neighbours’ homes and gardens, shared spaces or public streets. But this is not always possible.

When people capture images and audio recordings outside of their property boundary, they should consider how intrusive this activity is. They should consider whether they can point their cameras elsewhere or, if possible, apply filters or privacy blocks. In these circumstances, the data protection law also requires them to follow certain rules – although these are difficult to enforce.   

Non-Domestic CCTV systems

The below Six key steps of consideration should be followed when considering CCTV where the public, customers, staff & students may be recorded.

People care about how you treat their personal information and that includes footage of them captured by your CCTV. By following these basic steps, we hope you’ll feel confident that your use of CCTV complies with data protection law. Your organisation will also demonstrate to your customers, staff, members, and visitors how seriously you take your data protection obligations. 

If you decide to install CCTV that could potentially capture images of people, your organisation is required to register with the ICO (ico.org.uk)

Step #1: Respect people’s privacy and uphold their rights.

It’s not unusual to see security cameras in the doorway of a bank or a nightclub, but people don’t reasonably expect to be filmed all the time.

CCTV shouldn’t be running in areas considered private – such as in toilets and changing rooms. Using CCTV in such applications wouldn’t usually be fair or proportionate and most importantly it wouldn’t be compliant with data protection law.

In exceptional cases – such as when dealing with repeated serious antisocial behaviour, it may be necessary to have surveillance in private areas. You’d need strong justification for this and should make it clear that people are being filmed in these areas.

If your only option is to use CCTV you need to justify this within a controlled document with evidence of other less intrusive security options that you have considered within your organisation’s decision process

Step #2: Is audio required / and why?

Some of the key concepts in data protection law are about transparency, fairness, and proportionality. Because recording conversations can be particularly intrusive, it’s difficult to justify audio recording. You won’t usually need to hear what people say, and you’re unlikely to find a lawful basis for this level of intrusion.

But the ability to record audio can be helpful for businesses in situations where you’ve exhausted all other options and you’ve got a particular need for it. If you decide this is the way forward for your business, you must make clear to people that your CCTV captures audio as well as images.

Consider using a system where the audio can be switched on in specific circumstances e.g., where staff press a button to enable voice communication via the CCTV device.

Step #3: Justify your organisations decision within a case study document record.

It’s important to record your reasons for using CCTV. You should officially create a case study document to explain your decisions and the process that lead to them.

If your use of CCTV is likely to result in a high risk to people, you’ll also need to carry out a Data Protection Impact Assessment (DPIA) to identify the impact your use of CCTV may have on people.

Step #4: Create policies and keep them updated.

Every company, no matter the size, will have policies in place for how they do things. It’s important that you update your privacy notice to reflect that you’re now using CCTV and create a separate CCTV policy.

A CCTV policy should explain the reasons why you’re using CCTV, this should include:

– The lawful basis you’re relying on for gathering and using the CCTV footage.

– Who has responsibility for the CCTV.

– The security measures you have in place to protect the data you’re gathering

– Who you’ll share the data with

– How long you’ll keep the data.

Step #5: Understand your CCTV system design and purpose.

Make sure the system design only captures what you need to – and nothing more.

Check that the footage is clear and to a presentable quality.

Put up signs to let people know you’re filming them, where they can be seen, ensure that your signs identify who to contact to raise any queries.

Step #6: Manage footage that is captured by your system.

Decide how long you’ll keep the data for and record this in your CCTV policy and privacy information. You should only keep CCTV footage for as long as you need it.

Have a process in place to delete the footage you no longer need. Keep the CCTV footage safe and log who has seen it and who may be holding it.