The ICO has published new guidance to help organisations in the public and private sector who use video surveillance systems to collect and process personal data - Video Surveillance | ICO.
Although the ICO's guidance relates to the application of existing legal frameworks including the UK GDPR and DPA 2018, it provides important recommendations on how compliance can be best achieved by organisations.
The scope of the ICO's guidance is broad and covers where personal data is processed by the operation of traditional video surveillance systems that view or record individuals such as CCTV, in addition to the use of other surveillance systems such as Automatic Number Plate Recognition (ANPR), drones (UAVs), dashcams and smart doorbell cameras, as well as emerging capabilities that assist human decision making such as Facial Recognition Technology (FRT). The ICO's guidance, of course, does not cover processing purely in the context of personal or household activities, such as household CCTV (which falls outside of the scope of the UK GDPR).
Key takeaway points from the ICO's guidance include:
- The importance of demonstrating accountability when undertaking processing of this nature (including the need to maintain a record of the processing activities taking place, the purposes for the lawful use of surveillance, any data sharing agreement(s) in place and the retention period of any personal data captured);
- The need to take a data protection by design and default approach towards surveillance systems and perform a DPIA for any processing that is likely to result in a high risk to individuals;
- The requirement to identify and document a lawful basis under Article 6 of the UK GDPR (and if relying on legitimate interests, the importance of undertaking an LIA), as well as identifying an Article 9 UK GDPR condition if actively processing special category data;
- The need to ensure that the type of surveillance system in use and the location it operates in achieve the specific purpose(s) for which it is being used;
- Ensuring that data the surveillance system processes is of good quality, adequate, relevant and limited to what is necessary – identifying the minimum amount of personal data needed to fulfil the processing purpose(s) and considering if the outcomes can be achieved using less intrusive methods;
- The need to consider the context in which recording is taking place and whether individuals have a heightened expectation of privacy in the circumstances – in which case surveillance systems should only be used on an exceptional basis;
- The need to store recorded information securely and in a way that maintains the confidentiality, integrity and availability of the data;
- The importance of transparency and providing individuals with information about the surveillance if they are in an area where they are being recorded – the ICO suggests an effective way to achieve this is to place signs prominently before the entrance to the system's field of vision, with further signs inside the area to reinforce this.
- The need to take caution in relation to undertaking audio recordings when using surveillance systems, as this is highly intrusive and unlikely to be justifiable in most circumstances.
Please contact us in respect of the changes this guidance brings, along with our expert support for conducting DPIAs, assessing the appropriate lawful basis of processing and much more.
Authors: Simon Davis