The new GDPR (General Data Protection Regulation) has been in force since May 2018 and has far-reaching implications for our customers and the wider business community.
One such implication is for organisations that operate CCTV equipment on their premises. To help organisations easily meet the requirements of the new regulations, Barrow Signs have made GDPR compliant CCTV signs for display on the premises.
This is the link to this sign on our website: https://www.barrowsigns.com/products/gdpr-compliant-cctv-sign
These signs are available in Corriboard, Aluminium or as self-adhesive stickers. They are fully laminated and suitable for outdoor use. At the time of ordering you can advise us of the information to insert into the boxes and we will print it onto the sign at the time of manufacture.
Barrow Signs can also supply these with fittings to clamp to posts that are found in car parks, etc.
The following is not a legal opinion; it is our understanding of the GDPR regulations. In working with GDPR practitioners, the signage that we offer is deemed to meet the GDPR regulations.
Background to the Law
CCTV images are classed as “Personal Data” and an organisation operating CCTV on its premises would be categorised as a “data controller” where recognisable images are captured. The collection of these images is regarded as a form of processing of personal data and all use of CCTV images in a commercial environment must therefore be compliant with the current GDPR regulations.
Organisations operating or considering installing CCTV systems should be aware that the system should be operated within these defined parameters:
Images and recordings should only be collected through CCTV for specified, explicit and legitimate purposes (e.g. security, health and safety). They may not be further processed in a manner that is incompatible with those purposes.
Fairness and transparency – the purpose for the CCTV recording must be legally justified as set out under Article 6 of GDPR. This suggests that consent has been obtained, and that any images recorded are handled in a fair and transparent manner and consistent with the purpose for which they are intended.
The use of CCTV must be adequate, relevant and limited to what is necessary in relation to the purposes for which it was installed.
Operators should ensure that CCTV images are not altered.
Retention and storage
Recordings and images must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Integrity and confidentiality
Appropriate measures must be employed by the organisation to keep CCTV images and recordings secure and protected against unauthorised access and against accidental or unlawful loss, destruction or alteration.
The organisation operating the CCTV system shall be responsible for, and must be able to demonstrate compliance with the GDPR.
Notification of CCTV
Organisations must inform people of the presence of CCTV in their premises. This can be achieved by placing a clear and easy to read sign in prominent positions. The notice must also state the purpose for CCTV where such purpose is not obvious.
Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage. Where the footage contains images of people other than the person who requests it, the responsibility for pixelating or blocking them in the footage lies with the data controller.
Guidelines from the Data Protection Commissioner
In order to show accountability under, and compliance with, GDPR, it would be appropriate for an organisation to undertake the following actions:
- Complete a Data Protection Impact Assessment – such assessment should include:
  - (i) The purpose and legal justification for CCTV.
  - (ii) An assessment of the necessity and proportionality of the use of CCTV in the premises in relation to its stated purpose.
  - (iii) An assessment of the risks to the rights and freedoms of individuals being recorded.
  - (iv) The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data, taking into account the rights and legitimate interests of individuals being recorded and other people concerned.
- Collect documentary evidence of previous incidents giving rise to the need for CCTV.
- Have a specific CCTV data protection policy drawn up for use of the devices in a limited and defined set of circumstances that is in compliance with the GDPR principles.
- Complete periodic reviews of the use of CCTV to assess whether its use is still justifiable.
- Ensure that the use of CCTV is reasonably sign-posted and that no cameras are placed in locations where people would have a reasonable expectation of privacy.