In 2021 it was estimated there were one billion surveillance cameras around the world. London features in the top 20 most surveilled cities, whether by cameras per person or cameras per mile. There is also an increase in the use of CCTV in the workplace. Many data protection authorities have guidance addressing the balance between data subjects’ rights and security, safety and the prevention and/or detection of crime, e.g. IDPC, the CNIL, the EDPB and of course the ICO.
As video surveillance technology becomes more mainstream and affordable - think smart doorbells and wireless cameras - the ICO announced new guidance on video surveillance systems earlier this year, covering both the public and private sector. While the advances in closed-circuit television (CCTV) and the development of new video surveillance techniques has been hailed as a breakthrough by some, others believe it has resulted in an increased risk to the privacy of individuals.
The recording of individuals through surveillance techniques will be likely to lead to the processing of personal data (and in some cases even biometric data). As such, any processing will be covered by the UK GDPR and Data Protection Act 2018 (“DPA 2018”). Additionally, the Surveillance Camera code of practice provides some great guidance on best practice where organisations wish to utilise surveillance systems within the workplace.
It is essential to ensure that any surveillance data that you process meets the above requirements, which in itself can be problematic in a number of ways. To explain, where you are documenting a lawful basis to process information, it will often be hard to obtain any genuine consent from individuals to record them. As a result, it is likely that the reliance on legitimate interest may need to be the lawful basis relied on for this type of processing…and before looking to rely on legitimate interest, you should always consider conducting a legitimate interest assessment to ensure that it is the correct approach to take under the circumstances. Remember, you should consider any surveillance (or data processing generally) on a case-by-case basis, a broad brush approach to data compliance is unlikely to be effective!
With the above in mind, it is recommended that prior to purchasing any surveillance technology, you consider alternative methods in which you could achieve the same outcome and complete a Data Protection Impact Assessment (DPIA) to ensure that any surveillance activities are necessary and fit for purpose. Undertaking a DPIA should stand you in good stead should you be required to demonstrate why your surveillance of individuals is required to the ICO.
You should also consider the capabilities of the surveillance systems, it would be a mistake to purchase the latest surveillance system with the best technical capability if it has little in the way of governance capabilities and is unable to comply with the stringent requirements of UK GDPR and DPA 2018 when a data subject wishes to exercise any of their rights!
A brief synopsis of the key takeaways from the ICO guidance with respect to surveillance in the workplace are as follows:
- It should only be used in rare circumstances and where required;
- You should consult with your workforce first;
- Ensure that there are adequate notices or other means to inform employees (and external visitors) of the nature and extent of the surveillance;
- Only target the areas of particular risk and keep surveillance in those areas where people do not expect a great deal of privacy (e.g. public areas); and
- Respect the rights your staff have over their personal data and allow them methods in which they can raise complaints or concerns.
It would be prudent to review your UK policies and procedures in light of the ICO’s guidance and if appropriate make use of the checklist for limited CCTV systems. The Surveillance Camera code of practice also provides some guidance on best practice. If you operate internationally it is important to remember different countries have different attitudes to the use of CCTV in the workplace and it is important to seek local advice to ensure compliance (see our contribution to Ius Laboris’ article - An international view on video surveillance of employees - Ius Laboris), as well as our recent blog post on the Hungarian car shop’s use of CCTV where the DPA levied a fine and required corrective measures be taken.
"We have developed this guidance to help organisations in the public and private sector, who use video surveillance systems to collect and process personal data."