GDPR and CCTV in the Workplace: A Complete Guide
Here is a comprehensive guide to understanding how the General Data Protection Regulation (GDPR) applies to Closed Circuit Television (CCTV) in the workplace.
EU GDPR and UK GDPR are alike in how they specify compliance for employers and the rights of employees and members of the public.
Why is workplace CCTV monitoring useful?
CCTV monitoring needs vary for each organisation. If you have storage units that contain valuable items or sensitive information, CCTV may be useful to monitor access.
In some instances, CCTV may be installed for health and safety reasons, in high-risk work environments.
Remote locations and lone-workers may also be monitored on CCTV to generate ‘man down’ alerts when assistance may not be close at hand.
Workplace CCTV surveillance – basic concepts
Owing to the imbalance of power in the employer-employee relationship, employers can no longer rely on employee consent to process employee data.
For businesses, the most appropriate ground for CCTV use is likely to be the legitimate interest of the employer (data controller).
Employee monitoring by CCTV surveillance should be confined to areas where the risk of infringing employees’ privacy rights is low.
For example, CCTV cameras that constantly monitor a select group of employees in a particular area are more likely to be considered intrusive than cameras that monitor all employees in a general entrance area.
Understanding GDPR
The GDPR is a regulation in EU and UK law on data protection and privacy that concerns the processing, movement and sharing of personal data.
GDPR applies to any organisation, small or large, that processes personal data of individuals residing in the European Union and the UK, regardless of where the organisation is based.
CCTV and GDPR
CCTV systems in the workplace often capture images of individuals, which are considered personal data under the GDPR if the individuals are identifiable from those images.
Personal data includes any personally identifiable information (PII), including car licence plates and location signs.
Do your research with a DPIA
Before you set up CCTV cameras, you must complete a DPIA (data protection impact assessment).
DPIAs help organisations to identify and minimise risks that result from data processing activities that are ‘likely to result in a high risk’ to the rights and freedoms of individuals.
DPIAs are also useful for employers that are considering significant changes to their CCTV systems, especially if the system involves the monitoring of a publicly accessible area on a large scale.
A DPIA will help you determine solutions to compliance issues.
Lawful basis for processing
Employers must have a lawful basis for processing personal data captured by CCTV.
The most common lawful bases for processing CCTV footage in the workplace are legitimate interests and compliance with a legal obligation.
CCTV: Legitimate interest
Employers may have a legitimate interest in using CCTV to:
Ensure the safety and security of their premises
Protect their assets
Protect staff
Monitor for unlawful activity
Compliance with legal obligations
In some cases, employers may be required by law to use CCTV for specific purposes, such as health and safety regulations or industry standards.
Transparency and notice
Employers must inform employees and visitors that CCTV is in operation and provide clear signage to indicate that CCTV is operating.
Transparency is an essential requirement for GDPR compliance.
Data minimisation
Employers should only collect and retain CCTV footage for as long as necessary to achieve the purpose for which it was collected.
Excessive retention of CCTV footage could breach the principle of data minimisation under the GDPR.
Most organisations have a retention period for CCTV footage, because it is impractical to keep the information indefinitely.
The GDPR states that you can only store information for as long as it is necessary for the purpose for which it was collected, and the timeframe should be clear before you start processing.
Establish a system to make sure that you delete information once the data retention deadline passes.
The term ‘as long as necessary’ is interpreted based on why you are collecting the information. However, if no incident is captured on CCTV, it is unlikely that you need to keep the data for more than a week or two.
How long should CCTV footage be retained?
The length of time CCTV footage should be retained depends on factors such as legal requirements, industry standards and the specific needs of the organisation.
Data protection regulations such as GDPR in Europe specify that CCTV footage should only be retained for as long as necessary for the purpose for which it was collected. This typically ranges from a few days to a month unless a specific incident requires longer retention.
Industry CCTV retention standards vary. For example, retail and hospitality CCTV footage is generally retained for 30 days, as 30 days typically covers potential incidents like theft or disputes. However, financial institutions may retain footage for 90 days or more owing to the potential for fraud or other crimes. Healthcare facilities generally retain footage for 30 to 90 days in order to balance privacy concerns with security needs.
The most common retention periods
7 to 30 days are the most common CCTV retention periods. However, retention of up to 90 days is common in higher-risk environments or industries with higher compliance requirements. In specific cases, such as ongoing investigations or for compliance purposes, CCTV footage may be retained for several months or even years.
If footage is required for legal proceedings or ongoing investigations, it should be retained until the matter is resolved, even if this exceeds the typical retention period.
Regularly reviewing and setting retention policies in line with these factors ensures that your CCTV system is both compliant and effective.
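The guide asks for a system that deletes footage once its retention deadline passes, while keeping anything needed for legal proceedings until the matter is resolved. The following is an added example of such a retention sweep, written for this page and not taken from the guide or from any vendor's product. It assumes (these are constructed assumptions, not from the page) that recordings are files named like "cam01_2024-03-10T08.mp4" with the camera id and UTC recording hour embedded, that cameras are mapped to zones with their own retention periods taken from the ranges the guide quotes, and that clips under legal hold are listed by file name. It only decides what is due for deletion and why each clip is kept, so the list can be reviewed and logged before anything is removed.

```python
"""Retention sweep for CCTV recordings: decide what is due for deletion.

Added example for this guide; not the guide's or any product's own code.
Assumed (constructed) conventions:
  - file names look like "<camera>_<YYYY-MM-DD>T<HH>.mp4", recorded in UTC
  - cameras are mapped to a zone, each zone having a retention period
  - clips needed for an investigation are listed in a legal-hold set
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed retention periods (days) per zone, within the ranges the
# guide quotes. The authoritative policy lives in the DPIA and retention
# schedule; the code only enforces what that document decided.
RETENTION_DAYS = {"default": 30, "entrance": 14, "cash_office": 90}

NAME_RE = re.compile(
    r"^(?P<camera>[a-z0-9]+)_(?P<ts>\d{4}-\d{2}-\d{2}T\d{2})\.mp4$"
)


@dataclass(frozen=True)
class Clip:
    name: str
    camera: str
    recorded_at: datetime  # timezone-aware, UTC


def parse_clip_name(name: str) -> Clip:
    """Parse a recording file name; reject anything that does not match,
    so an unexpected file is never silently aged out or silently kept."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised recording name: {name!r}")
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H")
    return Clip(name, m.group("camera"), ts.replace(tzinfo=timezone.utc))


def retention_for(camera: str, zones: dict) -> timedelta:
    """Retention period for a camera; unknown cameras get the default."""
    zone = zones.get(camera, "default")
    return timedelta(days=RETENTION_DAYS.get(zone, RETENTION_DAYS["default"]))


def sweep(names, zones, legal_hold, now):
    """Return (to_delete, retained).

    to_delete: sorted file names whose retention period has expired.
    retained:  (file name, reason) pairs, so the decision is auditable.
    Legal hold is checked first: a held clip is never deleted, however old.
    """
    to_delete, retained = [], []
    for name in names:
        clip = parse_clip_name(name)
        expiry = clip.recorded_at + retention_for(clip.camera, zones)
        if name in legal_hold:
            retained.append((name, "legal hold"))
        elif now >= expiry:
            to_delete.append(name)
        else:
            retained.append((name, f"expires {expiry.date().isoformat()}"))
    return sorted(to_delete), retained


def run_demo():
    """Constructed sample data: a sweep run on 1 April 2024 (UTC)."""
    zones = {"cam01": "entrance", "cam02": "cash_office"}  # cam03 -> default
    names = [
        "cam01_2024-03-10T08.mp4",  # entrance, 14 days: expired 24 March
        "cam01_2024-03-25T08.mp4",  # entrance: still within 14 days
        "cam02_2024-01-15T09.mp4",  # cash office, 90 days: expires 14 April
        "cam02_2023-12-01T09.mp4",  # cash office: expired 29 February
        "cam03_2024-02-20T12.mp4",  # default, 30 days: expired 21 March
        "cam03_2024-02-20T13.mp4",  # same age, but under legal hold
    ]
    legal_hold = {"cam03_2024-02-20T13.mp4"}
    now = datetime(2024, 4, 1, tzinfo=timezone.utc)
    return sweep(names, zones, legal_hold, now)


if __name__ == "__main__":
    deletions, kept = run_demo()
    for n in deletions:
        print("DELETE", n)
    for n, why in kept:
        print("KEEP  ", n, "-", why)
```

The sweep is deliberately split from the deletion step: the list of expired clips and the reason each retained clip is kept can be written to an audit log before a separate, privileged step removes the files, which is the evidence an auditor or a data subject request will ask for.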
CCTV security measures
Employers must implement appropriate security measures to protect CCTV footage from unauthorised access, loss or destruction.
CCTV security measures include encryption, permission-based access controls, and secure storage systems.
CCTV: Data access requests
Individuals have the right to request access to CCTV footage that features them.
Employers must have procedures in place to respond to data subject access requests (DSARs) within the timelines specified by the GDPR, usually 30 days.
Data subject rights
In addition to DSARs, individuals have other rights under the GDPR, including the right to request the erasure of data or rectification of inaccurate CCTV footage.
Cross-border data transfers
If CCTV footage is transferred outside the European Economic Area (EU GDPR) or outside the UK (UK GDPR), employers must ensure that appropriate safeguards are in place to protect personal data, as required by the GDPR.
Employee monitoring
Employers should be cautious about using CCTV for monitoring employees' behaviour in the workplace, as this may infringe employees' privacy rights.
Any monitoring should be proportionate and justified by legitimate business interests or legal requirements.
The fact of monitoring and the reasons for employee monitoring must be clear to employees. Employees must also be informed about any changes in monitoring practices.
By adhering to these compliance guidelines, employers can ensure that their use of CCTV in the workplace complies with the requirements of GDPR and respects individuals' rights to privacy and data protection.
The penalties for non-compliance
Your organisation might violate the GDPR and incur heavy fines if the collected data is not adequately protected.
Breaching GDPR could damage your organisation’s reputation and put it at significant financial risk.
Sharing CCTV footage of employees
Whenever CCTV footage is shared, everyone except the subject of interest must be redacted (masked, blurred or removed) in order to prevent a breach of anyone else’s privacy rights.
Facit provides automated redaction software to enable CCTV operators to share video footage compliantly.