When recording CCTV footage there are certain data protection procedures you must adhere to, this includes the people granted access to your CCTV footage.
CCTV systems require a specific person be nominated as responsible for the CCTV footage; they are often referred to as a data controller. If you wish to register as a data controller you must register with the Information Commissioner’s Office (ICO), you will be asked to explain the reasoning behind your CCTV installation. You are also required to educate and familiarise yourself on the laws, legalities and procedures associated with operating CCTV. These include displaying signs to notify subjects that CCTV is operation, disabling audio and placing your CCTV cameras in locations that abide with the law, e.g. not facing your neighbour’s bathroom window.
Footage containing someone else’s image
Should your CCTV installation capture footage of any person, that person possess the right to request and obtain this footage. In order to obtain this footage, said person must complete an official request in writing, addressed to the CCTV operator. This footage must be provided within 1 calendar month.
However, it is worth considering that in certain circumstances the CCTV operator may not be permitted to provide this footage. For instance, if the footage contains images of other people, the CCTV operator is obliged not to share footage of any singular person with a third-party, in compliance with GDPR. The CCTV operator might also possess the right to refuse access to the footage if said footage is currently part of a criminal investigation.
When to refuse footage access
There are certain instances whereby the data controller should refuse access to their CCTV footage. For example, images or footage that contain an identifiable person should not be provided to the media or distributed across the internet. The exception to this rule is in the case of images released as a means of identifying a person involved in criminal activity, these images have usually been released by the police, or the relevant authorities.
As a general rule of thumb, images or footage should not be distributed amongst third parties, unless that third party is present in the image/footage.
Securing your CCTV footage
If storing your CCTV footage on physical copies, these should be kept in a secure, locked premises, only accessible by authorised personnel. Similarly, if your CCTV footage is being stored electronically it should be adequately encrypted and only accessible by authorised personnel. When using a cloud-based service to store your footage you should ensure the service provider uses effective security measures.
Certain CCTV systems offer the ability to transmit footage using WiFi services. In this case, you should make sure the networks being utilised are secure.
Your CCTV footage should also be viewed out of sight from the general public in an area that is restricted to authorised personnel. For instance, consumers within a bar should not be able to see footage of the smoking area from inside the bar.
Storing your CCTV footage
It is stated within the data protection legislation that personal data should not retained for any amount of time that is longer than is necessary for its purpose. Gov.uk dictates that most CCTV footage is deleted 30 days after its initial recording.
In conclusion, you should analyse why the footage was collected and how long it is needed in order to achieve your intentions. It is best practice to create a schedule that follows a specific time limit so you are able to pinpoint when the CCTV footage should be deleted.