Did you know that data protection laws now require anyone with a surveillance system, such as Closed-Circuit Television (CCTV), even if it’s just one camera, to now comply and use their systems within the new rules set out in data protection laws?
There are approximately six million surveillance cameras in operation around the UK according to the British Security Industry Association (BSIA). This figure does not account for the number of ‘Ring’ cameras in use in the UK, which qualify as surveillance when they are not being used for a ‘purely personal or household’ purpose.
Just over a year ago (12 October 2021) the Oxford County Court found a homeowner guilty of breaching the Data Protection Act 2018 (DPA 2018) and UK General Data Protection Regulation (UK GDPR) by using ‘Ring’ security cameras on their property. In the court case ‘Dr Mary Fairhurst v Mr Jon Woodard’, the judge ruled that Mr Woodard was guilty of violating the transparency, data minimisation and purpose limitation principles of UK GDPR. While Mr Woodard had a legitimate interest to operate the ‘Ring’ cameras for the use of crime prevention, the judge ruled that he could’ve done so in a less intrusive manner that wouldn’t infringe Dr Fairhurst’s privacy.
Surveillance footage, including CCTV footage, falls within the scope of personal data and special category data (biometric data) if individuals can be identified from the footage. Thus, surveillance systems, including CCTV, must also comply with data protection laws.
These data protection laws include the UK and EU GDPR, and the Biometrics and Surveillance Camera Commissioner Code of Conduct among others. A major element of the new rules includes the use of CCTV signs in public spaces that are clearly visible and include the contact details of the system’s owner so data subjects can exercise their rights and ask for more information. There are also several other measures that need to be implemented to achieve compliance.
A key measure of compliance relies upon the registration of your surveillance camera system (even if it’s only one camera) with the ICO. Failure to do so is a criminal offence. An annual formal notification to the ICO should take place as one of your steps towards maintaining compliance. However, achieving compliance with data protection legislation and the CCTV code of conduct is an ongoing process once a CCTV system has been installed.
If you’d like to find out some top tips on how to achieve compliance, then keep an eye out for a future blog post.
CCTV compliance is often forgotten, and as shown by the Ring court case, it applies to everyone, whether an individual or an organisation.
If you require additional support with demonstrating or achieving CCTV/surveillance system compliance you can contact us at info@dataprivacyadvisory.com or by calling our office at 0203 301 3384.
Related articles: