Data Protection and CCTV
The use of CCTV systems has greatly expanded in recent years. So has the sophistication of such systems. Systems now on the market have the capacity to recognise faces. They may also be capable of recording both images and sounds.
The expanded use of CCTV systems has society-wide implications. Unless such systems are used with proper care and consideration, they can give rise to concern that the individual's "private space" is being unreasonably eroded.
A data controller needs to be able to justify the obtaining and use of personal data by means of a CCTV system. A system used to control the perimeter of a building for security purposes will usually be easy to justify. The use of CCTV systems in other circumstances - for example, to constantly monitor employees, customers or students - can be more difficult to justify and could involve a breach of the Data Protection Acts.
Proportionality - is a CCTV system justified?
Section 2(1)(c)(iii) of the Acts require that data are "adequate, relevant and not excessive" for the purpose for which they are collected. This means that an organisation must be able to demonstrate that the serious step involved in installing a system that collects personal data on a continuous basis is justified. Before proceeding with such a system, it should also be certain that it can meet its obligations to provide data subjects, on request, with copies of images captured by the system.
Proportionality - what will the system be used for?
If a data controller is satisfied that it can justify installing a CCTV system, it must consider what it will be used for and if these uses are reasonable in the circumstances.
Security of premises or other property is probably the most common use of a CCTV system. Such a system will typically be intended to capture images of intruders or of individuals damaging property or removing goods without authorisation. Such uses are more likely to meet the test of proportionality.
Other uses may fail the test of proportionality. For example, using a CCTV system to constantly monitor employees is highly intrusive and would need to be justified by reference to special circumstances. If the monitoring is for health and safety reasons, a data controller would need to demonstrate that the installation of CCTV was proportionate in addressing health and safety issues that had arisen prior to the installation of the system.
Proportionality - what images will be captured?
The location of cameras is a key consideration. Use of CCTV to monitor areas where individuals would have a reasonable expectation of privacy would be difficult to justify. Toilets and rest rooms are an obvious example. To justify use in such an area, a data controller would have to demonstrate that a pattern of security breaches had occurred in the area prior to the installation of the system such as would warrant constant electronic surveillance. Where such use can be justified, the CCTV cameras should never be capable of capturing images from cubicles or urinal areas.
Cameras placed so as to record external areas should be positioned in such a way as to prevent or minimise recording of passers-by or of another person's private property.
Section 2D of the Acts requires that certain essential information is supplied to a data subject before any personal data are recorded. This information includes:
the identity of the data controller;
the purposes for which data are processed;
any third parties to whom the data may be supplied.
This can usually be achieved by placing easily- read and well-lit signs in prominent positions. A sign at all entrances will normally suffice.
If the identity of the data controller and the usual purpose for processing - security - is obvious, all that need be placed on the sign is a statement that CCTV is in operation as well as a contact (such as a phone number) for persons wishing to discuss this processing. This contact can be for either the security company operating the cameras or the owner of the premises.
If the purpose or purposes is not obvious, there is a duty on the data controller to make this clear. A CCTV camera in a premises is often assumed to be used for security purposes. Use for monitoring staff performance or conduct is not an obvious purpose and staff must be informed before any data are recorded for this purpose. Similarly, if the purpose of CCTV is also for health and safety reasons, this should be clearly stated and made known.
Storage and retention.
Section 2(1)(c)(iv) of the Data Protection Acts states that data "shall not be kept for longer than is necessary for" the purposes for which they were obtained. A data controller needs to be able to justify this retention period. For a normal security system, it would be difficult to justify retention beyond a month, except where the images identify an issue - such as a break-in or theft - and is retained specifically in the context of an investigation of that issue.
The storage medium should be stored in a secure environment with a log of access kept. Access should be restricted to authorised personnel.
Supply of CCTV Images to An Garda Síochána
If the Gardaí want CCTV images for a specific investigation, it is up to the data controller to satisfy himself that there is a genuine investigation underway. For practical purposes, a phone call to the requesting Garda's station may be sufficient, provided that you speak to a member in the District Office, the station sergeant or a higher ranking officer, as all may be assumed to be acting with the authority of a District/Divisional officer in confirming that an investigation is authorised.
Any person whose image has been recorded has a right to be given a copy of the information recorded. To exercise that right, a person must make an application in writing. A data controller may charge up to ?6.35 for responding to such a request and must respond within 40 days.
Practically, a person should provide necessary information to a data controller, such as the date, time and location of the recording. If the image is of such poor quality as not to clearly identify an individual, that image may not be considered to be personal data.
In giving a person a copy of his/her data, the data controller may provide a still/series of still pictures, a tape or a disk with relevant images. However, other people's images should be obscured before the data are released.
The use of recording mechanisms to obtain data without an individual's knowledge is generally unlawful. Covert surveillance is normally only permitted on a case by case basis where the data are kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This provision automatically implies an actual involvement of An Garda Síochána or an intention to provide this evidence to An Garda Síochána.
Covert surveillance must be focused and of short duration. Only specific (and relevant) individuals/locations should be recorded. If no evidence is obtained within a reasonable period, the surveillance should cease.
If the surveillance is intended to prevent crime, overt cameras may be considered to be a more appropriate measure, and less invasive of individual privacy.
Responsibilities of security companies.
Security companies that place and operate cameras on behalf of clients are considered to be "Data Processors". As data processors, they operate under the instruction of data controllers (their clients). Sections 2(2) and 2C of the Data Protection Acts place a number of obligations on data processors.
These include having appropriate security measures in place to prevent unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all unlawful forms of processing. This obligation can be met by having appropriate access controls to image storage or having robust encryption where remote access to live recording is permitted.
Staff of the security company must be made aware of their obligations relating to the security of data.
Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place and what verification procedures may apply.
Furthermore, section 16 of the Data Protection Acts 1988 & 2003 requires that certain data processors must have an entry in the public register maintained by the Data Protection Commissioner. For further information, please refer to our Guidance notes on Registration. Those parties who are required to be registered and process data whilst not registered are committing a criminal offence and may face prosecution by this office. (This provision may only apply where the data controller can identify the persons whose images are captured.)
Domestic use of CCTV systems.
The processing of personal data kept by an individual and concerned solely with the management of his/her personal, family or household affairs or kept by an individual for recreational purposes is exempt from the provisions of the Acts. This exemption would generally apply to the use of CCTVs in a domestic environment. However, the exemption may not apply if the occupant works from home. [ Where the exemption does apply, a person who objects to the use of a CCTV system - for example, a neighbour who objects to images of her/his property being recorded - may be able to take a civil legal action based on the Constitutional and Common Law right to privacy.]
Community CCTV Schemes
Section 38 of the Garda Síochána Act 2005, provides for the installation of CCTV systems for public security purposes under the authority of the Garda Commissioner.
Comprehensive guidelines in relation to Community based CCTV schemes are available on the Department of Justice Website at the following link: http://www.justice.ie/en/JELR/Pages/Community_CCTV
Some Case Studies relevant to this topic:
The following Case Studies, which have appeared in Annual reports of the Data Protection Commissioner over recent years, may be of some interest. Click on the Case Study details to see the full text.
CASE STUDY 3/07 - Inappropriate use of CCTV footage by Leisure Club
CASE STUDY 6/07 - Data Controller breaches Data Protection Law in regard to covert use of CCTV footage
CASE STUDY 11/06 - Failure to comply with an Access Request for CCTV footage
CASE STUDY 8/05 - CCTV cameras on the Luas line
» Permanent Link