CCTV is generally used in two ways by organisations, a) providing security on their premises for the safety of all that use them and b) to ensure that staff act in a way that matches the terms & conditions and HR policies that an organisation has issued.
If, as an organisation, you only want to comply with a) above, that fine. The consequence is that any time you want to use any footage for monitoring and recording wrong doing by staff it will be inadmissible.
Once you believe that using CCTV is necessary and is the only realistic security measure for your organisation, your need to understand your responsibilities.
You are required to:
- Create and issue a full set of policies and procedures that will identify why it is used.
- Create and issue clear responsibility and accountability on who is responsible for it.
- Provide a contact point for those who want to know what may be held about them.
- Ensure access to information captured is restricted.
- Ensure information captured is stored for the minimum time possible.
You will also need to have completed an assessment to confirm that the surveillance equipment purchased is the most appropriate for your business and that a “privacy by design” approach has been adopted.
As an organisation you need to sign post why you are using CCTV, otherwise it can be viewed as an infringement of human rights (article 8 of the Human Rights Act 1998). Therefore, signs that CCTV is in operation, and what they are being used for, are an important part of your responsibility as an organisation.
It is rare for small organisations to use CCTV for reason b), but it may be prudent where high value goods are present, or where there is a high frequency of alleged acts in contradiction to the disciplinary policy of the organisation. Also when option b) has been chosen, make sure that the HR policies held by the organisation are understood as well as the other segments that relate to the disciplinary process.
The last guidance, released by the ICO in August 2018 related primarily to the use of surveillance equipment that was permanently turned on, but also mentioned the code of conduct for use of CCTV equipment which can be found here:
Use of CCTV by organisations is a developing subject and many matters may still require clarification by the ICO following the completion of a full Data Protection Impact Assessment.
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
If not, we would be pleased to answer your enquiry through firstname.lastname@example.org , or visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.