Is CCTV covered under the Data Protection Act (DPA)?
Absolutely, the DPA indeed covers CCTV usage. While domestic CCTV systems that only capture video footage within the boundaries of the homeowner’s property may be exempt, any system that records areas beyond these boundaries, such as communal areas, public footpaths, or neighbours’ properties, must comply with the DPA. This means that businesses and individuals using CCTV must ensure their systems are compliant with data protection regulations.
Before the CCTV is installed, please consult your staff and explain the reason for installation, ensuring them that their personal data is secure and will be deleted after a defined period. The CCTV will not be used to monitor or discipline them without warning. If you do wish to monitor what time staff arrive and leave the office, for example, they must clearly be told this and must feel comfortable with the practice.
Balancing Monitoring with Privacy
Using CCTV to watch staff can be a delicate matter. As an employer, it’s crucial to ensure that any monitoring is justified and doesn’t infringe on employees’ privacy rights. Clearly communicate the purpose of the surveillance to your team. This means providing clear signs that indicate CCTV is in operation and developing a comprehensive CCTV policy for all staff to access and understand.
Ensuring Transparency and Trust
Transparency is key. Let your employees know that they are being monitored and why. This not only builds trust but also ensures compliance with legal guidelines. Make sure to incorporate feedback from your staff during consultations and reassure them of the security and temporary nature of the data collected.
By carefully balancing the need for security with respect for privacy, you can create a safer and more transparent workplace environment.
Please remember that anyone, including your staff, has the right to ask for copies of any personal data you hold on them – this includes CCTV footage that they appear in.
Creating a Data Protection Impact Assessment (DPIA) will help document your reasons for using CCTV and provide support for installing CCTV.
Commercial CCTV Rules and Regulations FAQs
Where can I point my CCTV cameras?
As part of the DPIA, the operational requirement of each camera should be defined and designated as such. This will also help us to ensure that we give you the coverage you require. There are 4 groups that cameras will fall into.
They are detect, observe, recognise and identify. As you will see from the setup of each of these types of cameras, the personal information will be different. Having said this, we would suggest that all CCTV cameras that capture any person would be liable to subject access requests. Here is a general overview of the 4 groups any camera you install will fall into:
Simply put, a camera that is designated to detect shows a general overview of an area. The accepted technical definition is that an adult would account for approximately 10% of the image height. At this size, you would be able to detect a person, but smaller details would be less detailed or not seen.
A detect camera is sometimes called an overview camera and would be put in a reception area or a car park, for example. It would be used to see what is going on in a wide area but would not be able to give much more information other than that.
These types of cameras are extremely useful and probably the most common on a site. Additionally, these cameras are probably seen as less intrusive as they are not taking close-up images of people and are generally in ‘public’ areas.
These cameras provide a more detailed view of an area, with the ratio of an adult being between 25 and 30% of the screen height. At this size, more detail about the person is visible and gives a compromise between detail and context.
This type of camera might be used in more sensitive areas such as stock rooms or areas where cash is handled. This camera would be able to provide a greater level of certainty over events in a smaller area. Again, the level of justification for this type of camera will help provide a narrative to all.
If you were looking to put this type of camera in the general office overlooking your staff, they would probably find this unacceptable and without a good reason, they would probably be right to be concerned. If, however, an observation camera was placed inside a cage where company IT equipment was stored, they would probably be more understanding.
This type of camera is less common and would only be used in limited scenarios.
A recognised camera provides an image of an adult of approximately 50% of the screen height. These cameras provide very good details of an individual and would allow identification rates to be very good.
These cameras are good for wider entry points to an area. A set of double doors leading into a reception could be covered with a recognised camera and allow easy identification of an individual, whether it be live or via a retrospective review of footage.
These cameras are often used at wider egress points into an area. Depending on your egress points, these cameras will be needed.
These cameras provide a close-up image of a person, with the individual taking up 100% of the screen height.
A camera of this type would provide an extremely detailed image of a person, and it would be expected to provide an image that would establish, beyond reasonable doubt, the identity of an individual. Very little context would be given with this type of camera, and it would require a choke point such as a single door width opening.
Multiple cameras can also be used to cover wider areas, with each camera viewing a section of the egress point. The entrance to a bank would have one or more of these cameras to record ID images of everyone that enters the branch, for example.
With an identifiable image of every person that enters the CCTV covered area, any activity captured on the subsequent observer or detect cameras would then be able to be tracked back to an individual that would be easily identifiable. The addition of an identify camera can hugely increase the effectiveness of any investigation.
These groups are based on general concepts, and as CCTV technology improves, more detail can be gained from detect and observe cameras – in some cases, an observe camera can give the same level of detail as an identify camera. In some cases, this is desirable, but in others, maybe not.
We are able to make sure that the cameras capture the right amount of information – not too little or too much. It might be thought that you should capture as much as you are able to, but if you are able to observe cameras and see what someone is texting on their phone, you might want to reconsider the ability of that device and use a different one.
The system should be proportionate – this is for everyone’s good. If you have a system that does what you set out to do – no more or no less – then you have succeeded, and you can be confident that you are treating everyone lawfully. Understanding and defining each camera’s requirements will go a long way to helping you attain a compliant system.
Creating a company CCTV policy based on the steps discussed above will help you communicate to and safeguard your company and its employees. The policy does not need to be overly complex but should detail what the system is being used for, reassuring staff that their data is being lawfully, safely used and stored, being deleted after an agreed period, who to contact if they have a question and what to do if they wish to see footage that they are in.