Data protection impact assessment must be performed. You must identify and document any possible impacts on individuals’ privacy. This must be taken into account when installing and operating a CCTV system. Regular reviews must be carried out in order to assess whether CCTV is still the best security solution. If your business processes any types of personal data, you must pay the ICO a data protection fee unless you are exempt. If you use non-domestic CCTV systems for your business, it is highly likely that you will need to pay a fee. There are three different types of fees, which amounts are between £40 and £2900. The fee amount you would have to pay would depend on the size of your business, turnover and sometimes the type of business that you are.
It is extremely important for your business to have a policy or a procedure which covers the use of CCTV and should have an appointed individual who is responsible for the operation of the CCTV system. This policy should cover the purposes for which you are using CCTV and how you will use this information, which includes guidance on recording and disclosures.
Your business may receive a Subject Access Request (SAR) from an individual, this would mean that you would have a legal duty to comply with this request within 30 days under GDPR and shouldn’t ignore these requests. If ignored, you will fail to comply with the requirements of GDPR and may as a result face fines imposed by ICO for non-compliance. Your business must have a process in place to recognise and reply to individuals who request copies of the images on your CCTV footage. You must promptly seek guidance from the Information Commissioner if there is any uncertainty. It is important for your business to be aware of people’s right to request a copy of image and be prepared to handle such requests. Before releasing any video footage you must ensure that images of any present third parties in the footage are redacted; which can be done by Advanced Overwatch. It is important that every staff member is made aware of the CCTV policy and procedures and must be trained for each area that is necessary.
Data within your business must be retained for the minimum time necessary for its purpose and then must be disposed of appropriately, when no longer required. The ICO’s guidance on retention period of data is that this time frame should reflect how long your business needs the data for its purposes. The ICO advises that your business should undertake systematic checks in order to ensure compliance with the retention period in practice. Long retention periods can affect the quality of the footage with modern cameras recording to hard disks. You must ensure that the CCTV images are clear and of high quality. It is important to select a system which provides high quality, clear images. As advised by the ICO, CCTV cameras should be placed in the best location that’s possible, to ensure that it provides clear images. It’s important for your business to ensure that CCTV images are securely stored, access is limited to only authorised individuals and that checks and services are regularly carried out on the CCTV system to ensure that it is working properly.
The public should be well informed of your use of CCTV for your business, which can be done in many different ways such as by displaying signs in clear view which show that CCTV is in operation. Your company website should also outline the use and benefits of CCTV systems and their purpose.