GDPR AND SURVEILLANCE SYSTEMS

26 July 2018

• GDPR
• general data protection regulation
• ICO
• Law blog
• GDPR liverpool
• Data processing agreement
• confidentiality
• Data Protection Impact Assessment
• data protection liverpool
• CCTV
• POFA
• Protection of freedom acts
• surveillance systems
• Surveillance camera commissioner
• Unmanned aerial systems
• body worn video
• GDPR Blog
• technology gdpr
• bodycams
• surveillance methods
• cctv liverpool

The legal requirements pertaining to surveillance and personal cameras are contained within the code of practice issued by the ICO.

Surveillance is now a proactive technology which can identify people and keep detailed records of activities.

As a consequence of the greater use of personal surveillance, the Protection of Freedoms Act (POFA) was passed in England and Wales. The POFA has seen the introduction of a new surveillance camera code and appointment of a Surveillance Camera Commissioner, while the ICO's code of practice adds even more enforcement powers.

The ICO sets out good practice guidance for the use of CCTV and other surveillance methods such as bodycams, in order for the user to comply with Data Protection legislation. Unlike POFA, the code of conduct covers all of the UK.

As most surveillance systems monitor and/or record the activities of individuals, they therefore process personal data. Surveillance systems, which are covered by the code, include CCTV, Automatic Number Plate Recognition, Body Worn Video, Unmanned Aerial Systems and others.

Under GDPR, the rules around how personal data is processed have been updated to reflect the changes in technology. The processing of personal data is to be measured against the rights and freedoms of the individual. Therefore, care has to be taken when deciding on whether surveillance cameras should be used.

Ideally, a Data Protection Impact Assessment (DPIA) should be carried out to determine the reasons for the use of surveillance. Things to be considered should include whether there is a wider-public requirement, affordability, problem that it seeks to address, whether it is justifiable and whether there are any Human Rights Acts considerations (where carried out by a public authority).

Once it has been decided that there is adequacy and transparency over the use of surveillance systems, then it needs to be establish responsibility for control of the information. Where more than one organisation is involved, then both parties need to know their roles and responsibilities (these should be contained within a Data Processing Agreement).

Processing personal information includes storing and viewing footage. This needs to be done in a way which maintains Confidentiality, Integrity and Availability. Access should be restricted and secure by necessary encryption. Where encryption is not possible, i.e. because it may have an effect on information which is being processed, then another appropriate method of security should be adopted.

The same applies where there is likely to be large-scale collecting and retention of data. Consideration needs to be given as to how this will be secured.

When the information is no longer required, then there needs to be thought given as to how the data is deleted and properly destroyed.