12.9 Covert Surveillance
Right to be Informed – a data controller can only avoid providing the processing information set out in Article 13 GDPR in limited circumstances. Those circumstances are set out in Schedule 2 of the DPA 2018.
The most relevant one will be Schedule 2 Part 1 Paragraph 2 whereby the disclosure would jeopardise the prevention or detection of crime.
Consent – consent is not usually relevant to covert surveillance.
Archive Retention – recordings should be reviewed on a frequent basis and only retained if relevant to the purpose of the surveillance. The archive must be deleted or otherwise destroyed once the case is closed.
Privacy – cameras should not view areas where individuals have a reasonable expectation of privacy, including, but not limited to:-
- residential housing including external areas not in public view;
- commercial property neither in public view or associated with the purpose of the surveillance; and
- changing rooms or toilets.
Access to recordings shall be password protected and managed on computer devices identified by unique reference numbers logged in a Controlled Data Register. The recording must be deleted at the end of the archive period.
Process – covert CCTV surveillance will not be undertaken unless under exceptional circumstances when specifically agreed in writing, by the data controller.
Such schemes shall be for specified and reasonable purposes and deployed only for the duration of a specific case. The following issues should be considered and documented, potentially as part of a wider Data Privacy Impact Assessment (DPIA):-
- cause for considering implementation of covert surveillance;
- area(s) of surveillance;
- justification for voice recording;
- the initial term of the scheme;
- routine review frequency; and
- date of decommissioning.