The continuous increase in the use of video surveillance systems in both the public and private sectors has increased the social acceptability of both fixed and mobile cameras. As video surveillance technology becomes more ubiquitous and affordable, technologies such as smart doorbells and wireless cameras are becoming more prevalent. Traditional closed-circuit television (CCTV) continues to evolve into increasingly complex surveillance systems based on artificial intelligence (AI). These can analyse more sensitive personal data categories.
Data protection laws have had a significant impact on the use of CCTV in private and public places. These laws aim to protect the privacy of individuals by regulating the use of personal data, which includes the images captured by CCTV cameras. In general, the use of CCTV in public places is regulated by laws and regulations that vary from country to country. In many countries, CCTV is subject to data protection laws that require organisations and individuals to provide clear and transparent information about the use of CCTV cameras and the processing of personal data captured by these cameras. In addition, data protection laws require that CCTV footage is stored securely and is only used for specific purposes, such as crime prevention or public safety.
Organisations that use CCTV must also ensure that they have a legitimate reason for using it and that the use of CCTV is proportionate to the risk. In the case of private places, such as homes and businesses, the use of CCTV is also subject to data protection laws. Overall, data protection laws have had a significant impact on the use of CCTV in both private and public places, with the aim of protecting the privacy and rights of individuals.
Data controllers and data processors must be aware that CCTV footage or images containing identifiable individuals are personal data for purposes of data protection law. As a matter of best practice, data controllers should articulate their stance on the issues surrounding their use of CCTV in the form of a CCTV Policy. Employees should be made aware of any CCTV policy that pertains to their workplace. The CCTV policy can also be published on an official website to inform individuals who may visit the premises. Additionally, a notice or signage indicating there is CCTV in operation should be placed at premises.
Data Protection Compliance in CCTV
Data Protection compliance in CCTV is the process of ensuring that your CCTV system complies with the applicable data protection regulations. Data protection laws require organisations to be transparent about how they manage personal data and to obtain data subject consent before collecting such data, or inform data subjects about the collection or processing of personal data.
CCTV installation consideration
Before installing a CCTV system, the following questions should be considered:
Purpose: Have you explicitly defined the reason for installing CCTV? What exactly are you attempting to observe? Is the CCTV system to be used solely for security? Can you justify the other purposes, if any? Will the use of the personal information collected by CCTV be restricted to its original intent?
Lawfulness: What is your legal justification for using CCTV? Is the legal premise upon which you are relying the most applicable?
Necessity: Can you demonstrate that CCTV is required to accomplish your objective? Have you considered alternatives that do not acquire individuals’ personal information by continuously recording their movements and actions?
Proportionality: If you intend to use your CCTV system for purposes other than security, can you demonstrate that these other uses are proportionate? Will your CCTV recording have a proportionate and legitimate impact on the individuals being recorded? Will you be recording consumers, employees, and the general public? Can you justify the use of CCTV in light of the impact it will have on others? You may need to carry out a Data Protection Impact Assessment to adequately make these assessments.
Security: What measures will you put in place to ensure that CCTV recordings are safe and secure, both technically and organisationally? Who will have access to CCTV recordings in your company, and how will this be managed and documented?
Retention: For how long will you retain recordings, considering that they should be kept for no longer than is necessary for your original purpose?
Transparency: How will you inform people that you are recording their images and provide them with other information required under transparency obligations? Have you considered how they can contact you for more information, or to request a copy of a recording?
Security of personal data
When the owner/occupier of a property justifies the installation of a CCTV system as a necessary and proportionate measure, they become a data controller under data protection law. Data controllers must carefully consider the secure storage of personal information and the implementation of appropriate security measures. Data administrators are required to implement technical and organisational safeguards to protect personal data from unauthorised or illegal processing as well as accidental loss, destruction or alteration. For CCTV systems, this may involve limiting access to footage and encrypting and password-protecting devices that store CCTV footage.
Retention of personal data
Data protection law mandates that personal data be kept for no longer than is required to fulfil the purpose for which it was collected. The law does not specify specific storage periods. A data controller must be able to substantiate a specified retention period; data may not be kept ‘just in case’. A data controller may wish to consider any previous incidents or circumstances that necessitated access to CCTV footage in order to achieve a goal that may impact the appropriate retention period.
Disclosure of footage CCTV to third parties
Occasionally, a data controller may be required to disclose CCTV recordings to third parties for a purpose other than the one for which they were obtained. This may occur, for instance, if a law enforcement agency requests footage to aid in the investigation of a crime. Under these conditions, it is suggested that requests for copies of CCTV footage should only be granted if the controller receives a formal written request indicating that a law enforcement agency is investigating a criminal matter. For practical reasons and to expedite a request quickly in exigent situations, a verbal request may suffice for the release of the requested footage. Any such verbal request must, however, be followed by a formal written request. For accountability purposes, data controllers and processors must maintain a record of all requests detailing any footage provided to any law enforcement agency.
Providing access to CCTV footage to data subjects
Individuals have the right to access their personal data under data protection law. This applies to anyone whose recognisable image was captured by a CCTV system. When a data controller receives a request to access CCTV data from an individual, they must typically respond within a certain period depending on the jurisdiction’s data protection law. In Ghana, according to Act 843, this could be either 21 days or up to 40 days if other personal data are involved. In order to expedite the processing of the request, the controller may ask the individual to provide a reasonable indication of the date and time of the desired footage. If the recording has been deleted by the time the request is received due to the expiration of the retention period, the individual should be informed that the footage no longer exists. If a request for access has been received, the footage should not be purged until the request is met.
The writer is a Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner at Information Governance Solutions. For comments, contact author [email protected] or Mobile: +233-243913077
