CCTV in the workplace | Paycheck Plus Data Protection
Personal data can be captured using CCTV in the workplace – any video, images or audio that can be used to identify an individual is subject to the Data Protection Acts. If you use a CCTV system for your business you are likely considered a data controller and therefore have significant responsibilities. So businesses using CCTV cameras must make themselves aware of their data protection obligations. Read on for more details and recommendations / expectations that will help you comply with data protection regulations.
Before introducing a CCTV system on your business premises you need to be able to justify its presence and consider what will actually be captured.
Can you justify the CCTV system and what data will be captured?
Businesses must be able to justify obtaining personal data through a CCTV system and also justify the use of that personal data. This is easily done if the system is for security reasons; however, it becomes a lot more difficult if the system is used to monitor employees or customers, as this is more intrusive.
All of the data captured needs to be considered, including data that is not relevant to the intended purpose of the CCTV system. A case study provided by the Data Protection Commissioner highlights a case where Luas CCTV cameras overlooked private property; this was outside of the intended purpose of the system and had to be rectified. You should ask yourself whether people in the areas captured by the CCTV system have an expectation of privacy, and whether you are capturing no more than is appropriate for the purpose of the system.
Data Protection Commissioner Recommendations / Expectations
The Data Protection Commissioner expects / recommends the following to be carried out and documented:
- A Risk Assessment
- A Privacy Impact Assessment
- A specific data protection policy drawn up for use of the devices in a limited and defined set of circumstances only (this policy should include a documented data retention and disposal policy for the footage)
- Documentary evidence of previous incidents giving rise to security/health and safety concerns
- Clear signage indicating image recording in operation.
Before recording, certain information must be supplied to data subjects. The Data Protection Commissioner details that:
A written CCTV policy must be in place and should include the following information:
- the identity of the data controller;
- the purposes for which data are processed;
- any third parties to whom the data may be supplied;
- how to make an access request;
- the retention period for CCTV;
- the security arrangements for CCTV.
Notification of CCTV usage can usually be achieved by placing easily read and well-lit signs in prominent positions. A sign at all entrances will normally suffice.
If the purpose of the CCTV system is obvious, e.g. for security reasons, all that is required is a sign noting contact details and highlighting that CCTV is in operation. However, if the reason is less obvious, e.g. for monitoring employee conduct, then the data subjects must be made aware of the existence and purpose of the CCTV system. A case study provided by the Data Protection Commissioner highlights a case where covert recording and out-of-scope data use caused issues for a business and their employee.
Other expectations / recommendations
- Don’t keep the data longer than necessary for the intended purpose
- Store the data securely
- Maintain an access log
- Only allow authorised access
- Be prepared for access requests
- Be prepared to obscure (e.g. pixelate) other individuals
- If a security company is used, ensure that appropriate contracts are in place (e.g. an SLA that ensures that your data is processed appropriately in the event of a request being made etc.)
Crucially, data protection legislation is going through radical changes; be sure that you’re prepared. Find details of the changes and what impact they will have on payroll personnel, along with details on how to prepare here.