There are at least 500,000 CCTV cameras in London, and most of them are installed on private premises, including workplaces. The deployment of CCTV cameras in the workplace has become routine, but not indiscriminate.
The UK has an ample body of legislation regarding the way CCTV footage can be gathered and used in the workplace. This legislation aims to uphold both a business’ right to protect its interests, and its employees’ basic human rights to privacy and dignity.
How are these rights upheld, and what are the rights and obligations of an employer and its employees? Here’s a bird’s eye view of the subject.
Surveillance-related laws recognize that companies have a right to protect their legitimate interests. What are these legitimate interests that one could protect through video surveillance?
CCTV cameras have been deployed in a very diverse range of working environments, from small offices to busy industrial floors. And the reasons are more specific and, surprisingly enough, more diverse than “security”.
Staff and property security is, nonetheless, the most important reason. CCTV cameras are an effective way to protect your staff against assault and harassment.
CCTV cameras can also be an efficient deterrent against vandalism and property theft. And, if the worst happens, CCTV footage can aid in police investigation and constitute evidence in court.
Improving workplace efficiency is another common reason. CCTV cameras can provide important information regarding the way company resources are used.
They can offer useful metrics about issues like overcrowded areas, or inefficient logistics or maintenance operations, giving management the kind of data they need to optimise day-to-day operation.
Enforcing health and safety or security policies is an unglamorous, but typical use case for CCTV cameras in the workplace. Policies and regulations related to safety or security are notoriously and subtly complicated.
They are often broken unwittingly, and immediate feedback on any breach is the only way to ensure that a momentary slip does not become the rule, rather than the exception.
These applications paint a clear, but somewhat incomplete picture of CCTV deployments today. CCTV technology is versatile and easy to integrate in more advanced systems. That’s why many deployments combine several applications into one system: security cameras installed in reception areas, for example, can also be used to supplement access logs.
The massive adoption of CCTV technology in the mid-1990s prompted government and public authorities to take a more active role in the regulation of video surveillance. UK legislation walks a thin border between recognizing the benefits of CCTV surveillance and limiting its erosion of privacy.
The Human Rights Act (HRA) of 1998 is the broadest, but also the most fundamental piece of legislation that governs the use of CCTV cameras. Article 8 of the HRA outlines a person’s right to privacy, which extends to public spaces and the workplace, not only to their private home.
Overly intrusive CCTV surveillance, without a legitimate security or business purpose, can constitute a breach of this right.
The Protection of Freedoms Act (POFA) of 2012 is primarily concerned with CCTV usage in public spaces, but it’s a useful landmark. The CCTV Code of Practice issued under its auspices is particularly useful, regardless of the deployment environment.
The GDPR clarifies that CCTV footage is personal information, and includes a number of specific requirements regarding how personal information is stored and processed. It also requires those who hold this data (i.e. employers) to disclose it, based on subject access requests (SARs) from employees.
The Data Protection Act (DPA) of 2018 expands upon the surveillance implications of Article 8 of the HRA and the GDPR. It’s an act with a long history: the one we have today replaces another act, whose history goes back to 1998. It details the status of CCTV footage and outlines requirements for the collection, processing and disclosure of CCTV data. Many of the explicit requirements for CCTV deployment originate in this document
UK legislation unambiguously allows employers to deploy CCTV cameras in the workplace. Cameras can be deployed wherever there is a legitimate business or security requirement, as long as their deployment is proportionate, necessary, and addresses a pressing need that cannot be addressed by other means.
The DPA and GDPR outline a number of obligations regarding the use of CCTV in the workplace, including:
Want to make sure that your CCTV system is both legally compliant and highly effective? Take a look at our CCTV installation services in London and contact us to schedule your FREE, on-site survey.
As a matter of policy, data protection laws do not include an exhaustive list of who can view CCTV footage. It is up to the CCTV operator to decide who is authorised to access the recordings.
That being said, the DPA does require that access to the images be restricted only to those who need it in order to fulfil the purpose of the system.
Keeping this list as short as possible is not only a legal requirement – more often than not, it’s also good operational practice.
For example, restricting access to security footage to as few people as possible also decreases the chances of someone leaking information about the placement of security cameras, either accidentally or on purpose.
In addition to designated staff, CCTV footage can be made accessible to others under certain conditions.
By law, anyone can be offered access to CCTV footage in which they appear, upon request. Any employee can ask to see footage of themselves, but cannot be granted access to CCTV footage of someone else.
The officially-recognized way to request access is through a SAR, which an employer has to respond to within 40 days. The procedure through which an employee can request access to CCTV footage of themselves should be transparent and available to everyone, without any unnecessary hurdles.
In addition to granting access when required, the DPA requires you to record all access to CCTV footage, and to document all requests for access, along with the reasons for any denials.
Besides employees, the police can also request to be given CCTV footage. If their request meets the legal requirements, you are indeed obligated to disclose the footage.
Other than that, the DPA discourages making images widely available in general, but does allow it, as long as the decision can be justified. It also requires that images of individuals be disguised under some circumstances, such as when disclosing images to the media.
Under certain circumstances, a company can monitor its employees without their knowledge. This is called covert or targeted surveillance.
Under current guidelines, it is possible to conduct targeted surveillance, but only as part of a specific investigation, if a company has serious suspicions that employees are breaking the law, and if disclosing the act of surveillance would undermine the investigation.
Furthermore, the terms of the investigation must be as specific as possible. Unless it reveals information that cannot reasonably be ignored, such as evidence of additional crime or gross misconduct, any data obtained through covert surveillance which is not relevant to the investigation has to be disregarded.
For instance, if a retail business engages in covert surveillance because it suspects an employee is stealing items from the shop, it can use footage that captures such theft, or another crime. However, it cannot use this footage for assessing employee performance.
Relevant video footage is generally used as part of a disciplinary hearing. However, at that point, employees have to be granted access to this CCTV footage, and they should be given a chance to explain and contest it.
There are precedents where the use of covert surveillance has been approved by courts (such as the McGowan v Scottish Water case). But covert surveillance is truly an exceptional tool, that’s best saved for truly exceptional situations.
Once again, data protection laws do not mandate a specific retention period. The DPA requires only that images should not be retained for longer than necessary to achieve the purposes of the CCTV system. Once a retention period has expired, images must be retained.
It’s up to you to determine what this retention period is. You should have one that will apply, by default, to any CCTV footage you obtain. 30 days is a typical retention period.
That doesn’t mean all images have to be erased after 30 days, no matter what. You are allowed to retain images for longer – for instance, over the course of an investigation, which can span over longer than 30 days. However, in this case, you have to keep the footage in a secure place, with controlled access, away from routine data.
A contract of employment has an implied term of trust and confidence. An employer and its employees rely on each other to be honest and respectful, and should not conduct themselves in a manner that could damage this mutual relationship.
Unreasonable and unjustified workplace monitoring is a direct breach of this term – in other words, it’s illegal in its own right.
But in more general terms, ensuring that employee rights are protected is not only a direct expression of the implied term of trust and confidence, it’s also a way to ensure that a company’s own legal rights are upheld. For example, CCTV footage that is not obtained in compliance with data protection laws may not be admitted as evidence in court.
So what can a business do to protect the rights of its employees?
Carry Out an Impact Assessment. This is a widespread and efficient practice and is recommended by the ICO.
You should carry out an impact assessment prior to deploying CCTV equipment, and every time cameras are added, moved or removed, when systems are upgraded, when new systems are installed, and when features that include biometric capabilities, such as facial recognition, are added to your system.
An impact assessment should outline the problems that the CCTV system is trying to resolve, explain why deploying CCTV cameras in the workplace is a part of the most effective solution and how it will help solve these problems, and how its success will be measured. The ICO maintains a very comprehensive impact assessment template.
Maintain and make available a written policy which clearly and comprehensively outlines:
Maintain transparency about surveillance measures and purpose. This includes putting up signs wherever relevant, answering questions about procedures and generally being proactive about informing employees about their rights and privacy.
Maintain procedures for allowing access or disclosing CCTV footage. This is not just a good idea, it’s a requirement of the DPA. But having clear procedures in place ensures that everyone receives equal protection, and that a company maintains the level of accountability that makes its workplace surveillance trustworthy.
Actively engage surveillance stakeholders, including employees and senior staff. Companies should ensure that everyone can voice concerns about the use of cameras without fear of apprehension.
In particular, employees should have the opportunity to explain and contest footage used during disciplinary hearings. If they are not allowed to do so, the ICO can prevent the data from being used.
Handle data correctly. Don’t misappropriate it, don’t sell it, keep it secure, and answer SARs in a timely manner. Ultimately, the way a company handles its employees’ data is a part of its employer brand, and it’s as valuable as the way it handles its customers’ data.
Companies that operate in the UK are allowed to monitor their staff at work. However, the use of CCTV in the workplace is governed by extensive privacy and data protection legislation, which aims to ensure that the basic human rights to privacy and dignity are upheld for everyone, regardless of occupation and status.
CCTV cameras can be deployed on a business’ premises, but only for legitimate, justifiable purposes. Certain rights, such as the right to access footage in which they appear, are granted by law to all employees.
It’s up to you to ensure that you comply with surveillance regulations and that you have the technical means to protect your employees’ rights and to respond to their legitimate requests for access to personal data.
Technical requirements range from correct CCTV camera installation to video lookup and indexing software that can help you quickly locate and export relevant footage fragments.
If you want to make sure that your CCTV system is properly installed, is legally compliant and is responding to your needs, you needn’t look any further. ACCL have more than 20 years of experience in installing CCTV and access control systems in London and the surrounding areas.
Give us a call any time and let’s schedule your FREE, no-obligations on-site survey!