Video surveillance systems monitor the behavior, activities, or other changing information, usually of people, from a distance by means of electronic equipment.
Advanced Overwatch offers GDPR assistance with CCTV systems. GDPR regulations will have an impact on companies that utilise CCTV.
Workplace Surveillance – the basics
Under GDPR, employers are entitled to monitor employee activity if they have a lawful basis for doing so and the purpose of their monitoring is clearly communicated to employees in advance.
Due to the imbalance of power in the employer-employee relationship, employers can no longer rely on consent to process employee data. For businesses, the most appropriate grounds will most likely be the legitimate interest of the employer (data controller).
There are many legitimate business reasons why employers monitor employees using CCTV. Lawful bases of monitoring include keeping employees safe and secure by preventing crime, preventing employee misconduct, ensuring compliance with health and safety procedures, monitoring and improving productivity, and in some cases such as the financial services sector, complying with regulatory requirements.
Employers generally rely on legitimate interests as an appropriate legal basis for processing personal data – it entails organisational accountability and enables the responsible uses of personal data, while protecting employees’ data privacy rights.
Employers relying on legitimate interests as the legal basis for processing need to consider the legitimacy of their stated interest (and potentially the interests of third parties) and must balance that interest against the interests, rights and freedoms of their employees. In addition, employers also need to apply safeguards and compliance steps to ensure that employees’ rights are not prejudiced in any given case. Should an employee object to the use of CCTV cameras in a particular area, the new GDPR test will place the burden on the employer to demonstrate that it has “compelling legitimate grounds” for processing that override the employees’ rights, or for the establishment, exercise or defence of legal claims.
Employee monitoring by CCTV surveillance should be confined to areas where the risk of infringing employees’ privacy rights is low. The use of CCTV cameras that constantly monitor a select group of employees in a particular area is more likely to be deemed intrusive than the use of cameras that monitor all employees in a general entrance area.
The purpose of CCTV should be clearly communicated to employees by way of a Privacy Notice. In line with the GDPR requirements, employers are under a duty to employees to make this clear and unambiguous. The general assumption is that CCTV in the workplace is used for security purposes; its use for monitoring employee performance or conduct is not an obvious purpose. Therefore, employees must be clearly given notice prior to having their personal data recorded for this purpose. The same approach to notice must be adopted if the purpose of CCTV surveillance is also for health and safety reasons.
What’s the risk of CCTV ‘profiling’ under the GDPR?
Under Article 35 GDPR, any excessive use of CCTV monitoring to profile employees is considered “high risk” profiling in line with guidance issued by the Article 29 Working Party. This requires a Data Protection Impact Assessment (“DPIA”). A DPIA considers whether the surveillance is necessary and proportionate to what an employer is seeking to achieve in light of the risks to the rights of data subjects, including consideration of any safeguards or security measures that the controller will put into place.
What should employers consider?
GDPR is a complex subject. Advanced Overwatch specifically assists our customers with the GDPR impact on their organisation's CCTV security systems and networks.
Employers should take into account the new GDPR requirements if they plan to install CCTV cameras for any purpose. The rights of employees, potential customers and other parties should be addressed, bearing in mind that monitoring may only be undertaken if there is a lawful basis for doing so. Employers should remember that any personal data collected must be used and kept only to fulfil its original purpose, and a GDPR-compliant Notice must be prominently displayed.
It is advisable for employers who do not have the internal expertise of a trained and experienced member of staff to work with a specialist company such as Advanced Overwatch to draft a series of data protection policies relating to the use of CCTV cameras. These policies should address the purposes for which the CCTV surveillance is being carried out, the conditions in which monitoring will take place, the nature of the monitoring, how individuals’ personal data obtained will be used, how long the footage will be retained, as well as the impact on individuals’ rights.
Employers should ensure that they put prominent and adequate signage in areas where CCTV cameras are installed. Employers should also put in place appropriate technical and organisational measures to mitigate any risk posed to an employee’s privacy rights in the event of a data breach, as required by GDPR. CCTV systems are inherently vulnerable to cyber-attacks when connected to the Internet or the cloud, and the security and privacy of the data held is best ensured by restricting access to them and having robust systems in place to prevent internet-borne attacks like spyware or malware.
In closing, an employer’s use of CCTV in the workplace can raise complex legal issues in light of the new GDPR requirements, depending on the purpose of the surveillance. Where the proportionality of the processing is not clear, specialist advice is recommended to ensure that the usage is GDPR-compliant.
Get certainty on GDPR compliance of CCTV with Advanced Overwatch
Advanced Overwatch holds CCTV and security accreditations in conjunction with ISO:9001 and ISO:27001 and all CCTV integrated security systems are installed, operated and maintained in full compliance with applicable regulatory codes and guidelines. GDPR is certainly going to pose some challenges. The regulations are yet another demonstration of the convergence of physical and digital security.
Advanced Overwatch CCTV and surveillance compliance services help:
- Smaller businesses to meet their obligations while avoiding unnecessary cost and complexity
- Larger businesses to take complete control by understanding and meeting the compliance requirement in full
To find out more about how we can help you to get certainty on GDPR compliance and CCTV, simply get in touch today.
If you are a business owner or senior manager, the new regulations require your organisation to comply with GDPR to avoid hefty fines. Advanced Overwatch will help your organisation achieve compliance.
Advanced Overwatch CCTV and Security Solutions are ISO:9001 and ISO:27001 certified installers and consultants. Contact us today.