3. Legitimate Interest Assessment
It is the responsibility of the data controller to establish the lawful ground for each processing activity it (and its data processors) carries out.
The lawful grounds are set out in Article 6 of the UK GDPR.
NB: if the processing involves sensitive (special category) personal data, such as health data or biometric data, then the data controller must identify a lawful ground in Article 6 and an additional condition in Article 9 of the Human Rights Act 1998.
Legitimate interest is the most flexible lawful basis for processing personal data, but you cannot assume it will always be the most appropriate.
It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact. Or where there is a compelling justification for the processing.
Surveillance and security data may be used for the legitimate interests of:-
- maintaining the security of property and premises;
- preventing and investigating crime; and
- monitoring staff, and of tenants, when carrying out work duties on the premises; and providing evidence of health and safety issues.
The information processed may include (without limitation) names, employment details, security clearance, vehicle registration numbers, images, video and sound recordings featuring the individual records of personal appearance and behaviours. This information may concern staff and other workers present on the premises, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Subject to UK Data Protection Legislation, this information may be shared with the data subjects themselves, tenants and their agents, services providers, police forces and government security agencies and others who have entered into a Data Sharing Agreement with the data controller where it is necessary to achieve the above purposes, or to comply with a legal duty.
Legitimate Interest Assessment (LIA) Template
The legitimate interest grounds for processing is only available to the extent that the data controller’s legitimate interest is not outweighed by the rights and freedoms of the individual whose personal data is being processed. The ICO states that data controllers should carry out a Legitimate Interest Assessment (LIA) in order to document this decision making process.
The following typical LIA has been produced by VeriFi and is applicable to commercial property applications where data processing equipment described in section 12 of this document is employed. Please note: this is a template only. The controller must read the applicable ICO guidance before using this template. The wording should be considered carefully. Customisation to suit the data controller’s particular systems and procedures will be necessary.
IMPORTANT this LIA does not extend to special category data or criminal offence data.
Due to the particular sensitivity of special category data and criminal offence data, we recommend that you read the ICO’s detailed guidance before deciding on a condition to rely upon. Your decision making should be documented in writing. Whether a condition is available to you will depend on the facts of the processing. However, in most cases the condition of explicit consent (in Article 9 of the GDPR) is unlikely to be appropriate for surveillance and security processing of special category data.
You can read more about the requirements for processing criminal offence data (including an explanation of the conditions from Schedule 1 of the Data Protection Act 2018) here:
If you decide to rely upon the legitimate interest lawful basis under Article 6, then an LIA will still be required and the following skeleton wording may be a helpful starting point. Significant amendments are likely to be required however.
Part 1 – Purpose
Purpose of processing the data – Maintaining the security of property and premises; preventing and investigating crime; monitoring staff, and staff of tenants, when carrying out work duties on the premises; providing evidence of health and safety issues.
Benefit – The efficient and cost-effective establishment and maintenance of a safe and secure environment which also allows the data controller to discharge its duty of care to the people on the premises.
Third parties benefiting from the processing – Occupiers and visitors to the premises.
Wider public benefits to the processing – Surveillance of, and to the public perimeter of, the building provides assistance to law enforcement agencies.
Impact if processing does not take place – Lack of evidence of breaches of security and safety rendering it more difficult to investigate and address reported issues. Loss of crime deterrence from having surveillance and security systems.
Data and legal compliance – The data controller carries out the processing in accordance with UK law. This includes applicable data protection law.
Codes of practice – The data controller complies with the SCA and ICO codes of practice relating to CCTV.
Ethical issues – Are governed by the code of conduct set by the business.
Part 2 – Necessity
Efficacy – Past experience in similar situations has clearly demonstrated that the chosen method of securing the premises is effective without being overly intrusive.
Proportionality – The chosen method of securing the premises is proportionate to the perceived risk.
Consideration given to alternatives – Alternative measures (such as physical presence of security personnel) would not be as effective and would be more intrusive than current system.
Minimisation of processing – The amount of data processed goes no further than what is required to achieve the purpose. The data controller has strict data retention policies regarding how long records are archived for. Only footage and records involved in active investigations or legal proceedings are kept for significant amounts of time.
Part 3 – Balancing Test
Nature of Data
Special category data or criminal offence data – None.
Children’s or vulnerable people data –Although children and vulnerable people may be recorded on CCTV along with other visitors to the premises, the personal data processed about them is usually limited to their appearance (as captured in security images/footage) or information about their arrival and departure at the premises. These types of personal data are not sensitive and children’s and vulnerable person’s data is not a focus of the security and surveillance systems.
Existing Relationships – Limited to occupiers of the location, their staff and visitors to the location. The controller and data subjects are linked to one-another by the physical premises.
Collection of data – Individuals are informed of the collection of surveillance data by public information CCTV signs located in and around the premises. Electronic access control and visitor data is obtained by the data controller directly from the individual or their employer.
Reuse of personal data from third parties – Personal data obtained from building occupiers is limited to information about their employees, visitors and contractors which is necessary for the operation of access control equipment, visitor logging and issue and use of the data controller’s assets. Where applicable, the data subjects are notified by the building occupier that their data will be shared in this way. The data is shared with the data controller solely for this purpose and is not repurposed.
Archive retention – The data controller recognises the necessity for the minimisation of data and has adopted the archive retention periods stated elsewhere in this document. These align with industry best practice and would fall within the retention periods reasonably anticipated by the data subjects.
Changes in technology or context, innovations – Where such changes would materially impact on the data subjects’ expectations, these will be communicated to them. This is likely to be the case only where the system undergoes a significant upgrade or is replaced by more advanced technology.
Unexpected processing – No unexpected processing is anticipated.
Possible impacts of the processing on people – It is not foreseen that there would be any negative impact on the data subjects provided that the data controller’s policy and procedures are followed. Staff training ensures that said policies and procedures will be followed in practice.
Control over the use of a person’s data – Personal data will only be shared externally with organisations that are allowed access under UK law, or if the disclosing data controller has entered into a data sharing agreement with a receiving data controller who has demonstrated a reasonable and lawful requirement for having access to the data.
Objections to the processing – This processing is common throughout the commercial property sector and objections are proven to be extremely rare. Data subjects will expect to have their personal data processed in this manner as it has been a stable of premises security and management for over a decade.
Safeguards to minimise impact – The data controller’s processes and procedures provide adequate safeguards to minimise the impact of any operational data breach.
Opt out – The necessity for maintaining a safe and secure environment does not allow for opting out of the use of personal data.