If you are thinking about installing CCTV at your place of business there are some important issues to consider, including CCTV rules and regulations.
It is perfectly reasonable to have CCTV installed at your workplace. A video surveillance system can provide your company and its employees with many benefits. For example, a camera system can increase the overall security of a site creating a safer workspace for employees. It is however the employers’ responsibility to inform employees of a few basic but very important factors.
CCTV regulations and the ICO CCTV code of practice
Firstly, the system must be registered with the Information Commissioner’s Office (ICO). The ICO is the UK’s independent body set up to uphold information rights. For companies with less than 250 employees the annual cost for data protection fee is £60 (£55 if paid by direct debit).
CCTV and GDPR: rules on CCTV in the workplace
People have the right to privacy – please consider the impact a CCTV camera will have on your employees and visitors, and the reason.
Uses of CCTV cameras in the workplace and CCTV data protection
CCTV should not be installed in ‘private’ areas unless there is a special consideration to justify this. Installing a camera in a reception area or in an open office is generally acceptable because this sort of space is ‘public’.
Meeting rooms are less likely to be deemed as ‘public’ and most people would expect a higher level of privacy but it could be that a meeting room could be required to be monitored – perhaps there is a possible risk if external people are in meetings. Toilets are certain off limits for cameras and there would be very few scenarios where a camera could be justified.
Clearly defining the operational requirement of each camera is important and a very worthwhile exercise. If you can justify each CCTV camera by stating what it is actually doing you will help people understand and find it easier to accept a system in their work environment. A site plan will help decide where issues potential are.
The next step is to state the problems CCTV might be able to help with. Things such as unauthorised entry and theft are two examples of common problems. Stakeholders should, at this stage, have some input if appropriate – are the other businesses that use the space?
A risk assessment should be carried out for each potential problem. A standard matrix of likelihood and severity should be completed. An unauthorised entry might be considered likely but of minor severity in some offices but others might consider this a server breach of security. It is for you to decide.
Again this shows that your organisation has systematically worked through steps that demonstrate accountability and professionalism in its approach to the potential installation of a CCTV system.
The success criteria of a camera should also be considered –
CCTV should be considered as part of a good security solution and should be looked at as part of the overall security measure of a site. You would not leave an office unlocked over night and expect the CCTV system to stop unauthorised persons entering – you would at least lock the doors and set the alarm. This may seem obvious, but it illustrates the point that CCTV is part of the security measures that you should consider making your space as secure as you possibly can.
Before the CCTV is installed, please consult your staff and explain the reason for installation and explain that their personal data is secure and will be deleted after a defined period. The CCTV will not be used to monitor or discipline them without warning. If you do wish to monitor what time staff arrive and leave the office for example, they must clearly be told this and must feel comfortable with the practice.
Please remember that anyone, including your staff, have the right to ask for copies of any personal data you hold on them – this includes CCTV footage that they appear in.
Creating a Data Protection Impact Assessment (DPIA) will help document your reasons for using CCTV and provide support for installing CCTV. A template can be found here.
Where can I point my CCTV cameras?
As part of the DPIA the operational requirement of each camera should be defined and designated as such. This will also help us to ensure that we give you the coverage you require. There are 4 groups that cameras will fall into.
They are detect, observe, recognise and identify. As you will see from the setup of each of these types of camera the personal information will be different. Having said this we would suggest that all CCTV cameras that capture any person would be liable to subject access requests. Here is a general overview of the 4 groups any camera you install will fall into:
Detect
Simply put a camera that is designated to detect shows a general overview view of an area. The accepted technical definition is that an adult would be account for approximately 10% of the image height. At this size you would be able to detect a person, but smaller details would be less detailed or not seen.
A detect camera is sometimes called an overview camera and would be put in a reception area or a car park for example. It would be used to see what going on in a wide area but would not be able to give much more information other than that.
These types of cameras are extremely useful and probably the most common on a site. Additionally, these cameras are probably seen as less intrusive as they are not taking close-up images of people and are generally in ‘public’ areas.
Observe
These cameras provide a more detailed view of an area – with a ratio of an adult being between 25 and 30% of the screen height. At this size more detail about the person is visible and gives a compromise between detail and context.
This type of camera might be used in more sensitive areas such as stock rooms or areas where cash is handled. This camera would be able to provide a greater level of certainty over events in a smaller area. Again, the level of justification for this type of cameras will help provide a narrative to all.
If you were looking to put this type of camera in the general office overlooking your staff, they would probably find this unacceptable and without a good reason they would probably be right to be concerned. If, however, an observe camera was placed inside a cage where company IT equipment was stored, they would probably be more understanding.
This type of camera is less common and would only be used in limited scenarios.
Recognise
A recognise camera provides an image of an adult of approximately 50% of the screen height. These cameras provide very good details of an individual and would allow identification rates to be very good.
These cameras are good for wider entry points to an area. A set of double doors leading into a reception could be covered with a recognise camera and allow easy identification of an individual, whether it be live or via a retrospective review of footage.
These cameras are often used at wider egress points into an area. Depending on your egress points these cameras will be needed.
Identify
These cameras provide a close-up image of a person – with the individual taking up 100% of the screen height.
A camera of this type would provide an extremely detailed image of a person and it would be expected to provide an image that would establish beyond reasonable doubt the identity of an individual. Very little context would be given with this type of camera and it would require a choke point such a single door width opening.
Multiple cameras can also be used to cover wider areas, with each camera viewing a section of the egress point. The entrance to a bank would have one or more of these cameras to record id images of everyone that enters the branch for example.
With an identifiable image of every person that enters the CCTV covered area, any activity captured on the subsequent observer or detect cameras would then be able to be tracked back to an individual that would be easily identifiable. The addition of an identify camera can hugely increase the effectiveness of any investigation.
These groups are based on general concepts and as CCTV technology improves more detail can be gained from detect and observe cameras – in some cases an observe camera can give the same level of detail as an identify camera. In some cases, this is desirable but in others maybe not.
We are able to make sure that the cameras capture the right amount of information – not too little or too much. It might be thought that you should capture as much as you are able too but if you are able from an observe cameras see what someone is texting on their phone you might want to reconsider the ability of that device and use a different one.
The system should be proportionate – this is for everyone’s good. If you have a system that does what you set out to do – no more or no less – then you have succeeded, and you can be confident that you are treating everyone lawfully. Understanding and defining each camera’s requirements will go a long way to help you attain a compliant system.
Creating a company CCTV policy based on the steps discussed above will help you communicate to and safeguard your company and its employees. The policy does not need to be overly complex but should detail what the system is being used for, reassuring staff that their data is being lawfully, safely used and stored, being deleted after an agreed period, who to contact if they have a question and what to do if they wish to see footage that they are in.
Who can view CCTV footage?
Everyone has the right to access their personal data and to some extent, the right to view CCTV images of themselves. With CCTV footage this can become difficult – if an employee has an altercation with another member of staff the footage that they are in will most likely contain other people’s personal data too – which they are not able to see without the express permission of all recorded individuals. This creates a dilemma that can be difficult to resolve.
Firstly there is a limit to what an individual can request to see – you are within your rights to ask why they would like to see any footage and the bar should be low to start with but if they ask for more and more footage for no particular reason you can refuse.
Secondly, there are ways to mask footage and provide redacted footage to staff with only their information in. There are automated systems that we provide that can redact CCTV footage automatically and there are services to redact footage after the fact.
Please talk to us if you have any questions relating to the release of images – it is a complex issue that we are here to help with.
Do you need a sign if you have CCTV? Are CCTV signs are legal requirement?
Controlling who has access to the recorded CCTV data is extremely important and will help ensure that everyone is comfortable with its use. Proper signage is also very important. We will be able to help ensure that cameras do not inadvertently capture images that they shouldn’t – collateral intrusion is sometimes unavoidable but should be acknowledged and documented.
We will also make sure that recorded footage is automatically deleted after an appropriate time. The is no exact amount of time that CCTV must be deleted after – legally the retention period should be justifiable. 30 days is considered the norm – this came from the days of VHS tapes – one tape for each day of the month – you would put in tape 1 on the 1st, tape 2 on the 2nd etc. It made things simple when you needed to find out what happened on the 15th of last month.
With modern systems this is irrelevant, but the practice has remained. In reality, you can overwrite the data after 10 days or 100 days – it really does not matter. If you have a site that is empty for 3 months you might want to keep the information for 100 days to give you the ability to check back over the period when it was empty. If you have site where people are in everyday the time between identifying an issue and potentially reviewing recorded footage is less. Having said this, 30 days is considered the standard retention period for CCTV images.
If you follow these steps you and your company will have gone a long way to comply with the data protection act, the human rights act and GDPR and have a compliant security system that is fit for purpose.
Please contact us at ACCL if you would like to discuss having a lawful and professionally installed CCTV system at your office.
