Processing CCTV footage – your obligations for home security systems and for business CCTV.

In public, we have probably all come to expect some level of CCTV surveillance. For instance, you might expect to be recorded on CCTV when withdrawing cash at an ATM or inside a bank. You may also expect to be recorded on public transport or in airports where there may be counter-terrorism security monitoring. But what about everywhere else?

If you are installing CCTV at your home or business, you need to consider data protection and public rights. While you may have the right to use security surveillance, the public also has a right to privacy. When you’re processing CCTV footage – either at home or for your business – there are legal obligations you have to meet.

Home security

In 2014, a case known as the ‘Rynes’ case went to the European Court of Justice. During this case, it was determined that domestic CCTV operators would legally be considered data controllers under data protection legislation.

When installing a home security camera or doorbell camera, you would not be considered a data controller if you are only recording CCTV footage within your property’s boundary. However, if you are capturing images of people outside of your boundary, for instance, if the CCTV captures footage of your neighbour’s garden or public footpaths, you do need to ensure your use of CCTV complies with the Data Protection Act 2018 and GDPR.

What does this mean?

The Data Protection Act and GDPR are there to protect the privacy of others. For example, you could be invading your neighbours’ privacy by recording them working or sunbathing in their garden.

This does not mean you can’t record footage outside the boundary of your property. It just means that if you do, you must comply with the legal obligations of controlling that data.

Here’s what you have to do:

  • Consider whether there are any alternatives to using CCTV outside the boundary of your property. If you’re using CCTV for home security, are there any other ways you could improve home security first that wouldn’t involve recording others? For example, motion lighting, alarm systems or better locks.
  • Consider how you are storing the CCTV footage. You shouldn’t be keeping this footage for any longer than you need to. Delete footage regularly when you no longer need it.
  • Make sure to keep your CCTV secure from anyone who does not need to watch it.
  • Try to use security systems where you can enable privacy zones. These are areas of your footage you can redact by overlaying your digital footage with black squares to cover any areas that you do not need to record. For example, you could redact your neighbour’s garden.
  • If you are using capturing footage outside of your boundary, you should display clear signage to indicate you are using CCTV and why you are using it.
  • Familiarise yourself with subject access requests and the right to erasure. Identifiable images count as personal data, so as a processor of that data you must respond to subject access requests and any requests to delete the footage – provided you do not need it for any legal disputes.

The UK’s Information Commissioner’s Office says:

If you are capturing images beyond your property boundary, you should have a clear and justifiable reason for doing so. In particular, you will need to think why you need these images. If asked by an individual or the ICO, you will need to be able to explain your reasons, so you should write them down now. You should also write down why you think capturing the images is more important than invading the privacy of your neighbours and passers-by”.

What about personal-use dash cams and helmet cams?

Earlier we mentioned the Rynes case. In this case, the European Court of Justice determined that domestic CCTV users would be considered data controllers. However, this only applies to fixed cameras on an individual’s home/property. In the UK, these devices do not have to follow the same rules.

Dashcams and helmet cams tend to record over the footage they capture once the device is full, but it’s always good to be mindful when it comes to recording anywhere in public – especially where there are children or vulnerable people around. Do not keep dashcam footage indefinitely, and erase it when you no longer need it.

While it isn’t against the law, it’s also a good idea to be considerate if you will be driving your car or bicycle near privately-owned land. You can capture footage of private land if it is visible from a public place. However, if you are on private land, you should ask the landowner’s permission to record images. It’s also just nice to be respectful of people’s wishes outside of the law. During the coronavirus pandemic, a lot of PCR testing sites requested drivers to disable their dashcams, as recordings could contain personal and identifiable data about members of the public and their health. This wasn’t mandatory. It was just a respectful way to behave.

It’s also worth bearing in mind that recording someone against their will on private land could amount to harassment. If asked by the police, you may also have to legally surrender your dashcam or helmet cam footage in the event of an incident or collision – regardless of whether or not you were at fault. To delete dashcam footage when it has been legally requested could be considered evidence tampering.

Commercial CCTV

When it comes to using commercial CCTV, the rules are slightly stricter than for domestic CCTV users. The UK’s Information Commissioner’s Office has published detailed guidance on using CCTV commercially, but to sum up your obligations:

  • Consider the public’s right to privacy. The public includes your employees, customers, and anybody else who visits monitored areas of your site.
  • Do not use CCTV in any areas private areas, for instance, lavatories or changing rooms.
  • If you need to use CCTV for security reasons, it may not be appropriate to use CCTV to monitor general staff behaviour or dish out discipline for non-security-related issues. CCTV should be overt and your staff need to know that you’re monitoring them. They should also know why you are monitoring them, and you must have a strong reason for doing so.
  • Use CCTV with the right of access in mind. If an employee requests copies of the personal data you hold about them, you must include any video or audio footage you have of them. Make sure your CCTV systems allow for editing and exporting footage so you can comply with this obligation.
  • Create a Data Protection Impact Assessment for your use of CCTV, detailing the considerations you’ve made for the privacy of your employees and site visitors. You should also update your privacy notices to include the use of CCTV, display signs to show that you are using CCTV on the premises, and, if necessary, create a CCTV policy.
  • Only keep your footage as long as you need it, and keep it secure. Unauthorised access to your CCTV footage could result in a data breach. This includes any dashcam footage used in commercial vehicles or vehicles that are used for commercial use.

UK businesses that use CCTV should also be familiar with the government’s Surveillance Camera Code of Practice.

Disposing of CCTV tapes and recordings when you no longer need them

If you’re recording CCTV directly onto media storage devices, you should destroy these devices when no longer needed. Writing over the recordings may not be enough adequately remove all past footage, so destruction is the safest option to prevent personal information from falling into the wrong hands. Our shredding service for media storage devices such as CCTV tapes, data tapes, CDs, DVDs, flashcards, SD cards and hard drives could be the best solution for you.

Get in touch today to see how we can help!

Sign up for our newsletter here to receive alerts about new blog articles, data protection advice, and Shred Station news.