19. FAQ
Data protection law is very technical and turns on the facts of a particular scenario. The guidance given below is for general information only and is not a substitute for professional advice on a given situation.
Q1. A visitor had her car damaged whilst in our car park, she is asking for a copy of CCTV footage of the incident, should we comply with her request?
A. If the visitor can be identified from the footage then her request should be treated as a data subject access request. This means that the data controller will typically need to respond within one month from the date of the request. In practice, as soon as you are informed of the visitor’s cars model, number plate, colour, location or times of arrival/departure (etc.) you will have enough information to link the vehicle to the individual. As a result, CCTV footage showing that vehicle and its movements should be treated as personal data of the visitor. The visitor has a right of access to that footage.
First, check the authenticity of the request and ensure the data subject has properly identified herself as part of the request. If you are in any doubt, ask to see a certified copy of the visitor’s driving licence or passport, and her signature. Alternatively, these can be presented in person. Visitor logs can be checked to ensure the damaged car is indeed the visitor’s.
You should consider if an exemption under the GDPR or Data Protection Act 2018 allows you to withhold the footage. If you decide to refuse to provide the footage then your decision and justification should be clearly explained to the individual in writing. A confidential internal record of the decision should also be made in case you need to justify your actions to the ICO in the future. For example, if the visitor complains about your refusal to comply.
The relevant sections of footage should be isolated from the longer recording. Those sections should be reviewed to determine if any third parties can be identified. If so, the data controller needs to consider whether it is appropriate to disclose those other parties’ personal data (i.e. their presence in the footage). You do not need to request consent from the third parties but if their consent hasn’t been obtained then the data controller can only disclose their personal data to the extent that it’s reasonable to do so in the circumstances.
This means balancing the requesting person’s right of access against each of the third parties’ rights. Often the nature of the footage will mean it is reasonable to disclose the footage, but this is not guaranteed. Your decision should be documented in writing and kept on an internal confidential record.
If you decide it is not reasonable to disclose the isolated footage then you should consider redacting the images to anonymise the third parties. This may be as simple as cropping the footage to show only the individual concerned.
The footage you choose to disclose should be provided in an encrypted format if possible. Ensure you send the password in a separate communication. If the footage cannot be encrypted for practical reasons then it is advisable to explain that to the individual and ask that they collect the footage in person. An internal record should be made of the time the footage is collected.
Q2. A firm of solicitors is requesting CCTV footage relating to a ‘slip & trip’ claim by their client, how should we respond and does the same advice apply to requests by insurers?
A. If the ‘slip & trip’ claim is threatened against your organisation then additional legal rules on disclosure of evidence may apply. You should take immediate legal advice prior to disclosing any footage if so. The same principles apply if the request is made by insurers, on behalf of the data subject.
The requesting party’s authority should be checked in each instance. Having done so, and assuming there are no other legal issues to consider, the process is broadly the same as with Q1 above.
You can ask the requesting party to enter into a Data Sharing Agreement with your organisation but this is not strictly necessary.
Q3. A delivery vehicle tailgated another vehicle through a rising arm barrier at the exit from our service area causing extensive damage. Our insurers are claiming from the delivery firm’s insurer and both parties are asking for video of the incident. How should I respond?
A. Please refer to Q2 above.
Q4. Without reference to me, a security guard has released CCTV footage to a tenant in relation to a time and attendance matter concerning a member of their staff, what should I do?
A. As a general rule, the security guard (acting for the service provider) should not have released the footage without your agreement (although consider if you have given blanket permission in the past). The service provider is a subordinate data processor so cannot share personal data except on the data controller’s instructions. Those instructions could come from you, as lead data processor, if you have been granted that authority under your Processors Service Level Agreement or Data Processing Agreement with the data controller. If you are the data controller then you should check the terms of the Data Processing Agreement with the service provider to ensure they weren’t authorised to share the footage under its terms.
In very limited circumstances the service provider might have a legal obligation to release the personal data without your instructions, or the data controller’s instructions if you are the lead data processor. Usually the service provider will need to notify you of that fact beforehand.
If the security guard acted without proper authority then a data breach may have occurred. The matter should be referred to your data processing officer or line manager immediately. If you are the lead data processor then you may need to report the data breach to the data controller under the terms of your Data Processing Agreement.
Q5. An occupier has not received an expected delivery and the couriers are claiming everything has been delivered. The courier has asked to see a still image from the CCTV system to prove that only one parcel was delivered and not the expected two parcels. I am concerned that by handing them over this image we could somehow be in breach of data protection legislation.
A. Unless the delivery person is identifiable from the footage and the delivery person has submitted (or consented to) the request, this is not a data subject access request. You may still be able to release the footage but you do not have a legal responsibility to do so under data protection law.
If individuals can be identified in the footage then you need to consider whether it is reasonable to share the footage without their consent. If disclosure wouldn’t be reasonable but you still want to provide the footage then you will need to anonymise it.
Often the simplest and cheapest way of dealing with this type of request would be to print off sufficient screen shots to achieve the purpose and using an indelible pen redact any identifying images of persons present, together with any other identifiers such as tattoos and jewellery, etc. The resulting images would be anonymous for data protection purposes.
Q6. Should a data processor register as a data controller?
A. All organisations should complete the ICO self assessment to check if they need to register with the Information Commissioner’s Office (ICO) as a data controller and pay a registration fee.
Organisations which do not decide how personal data is processed and/or process personal data under the instructions of a third party (i.e. data processors) are not data controllers and are therefore generally exempt from paying a fee and registering with the ICO.
However, if the data processor uses CCTV on their business premises for the purpose of crime prevention then they will need to register and pay a fee.
Q7. We have public information CCTV signs displayed, but can a person withdraw permission for their image to be processed and if they can, do we have to blur their image on any footage retained in archive.
A. You are not relying on people’s consent in order to operate your CCTV system. Instead, you have a ‘legitimate interest’ in using CCTV for crime prevention and the protection of people and property. Because their permission is not required, a person cannot withdraw permission for their image to be processed. However, the person may have the right to object to your processing. This is different to withdrawing consent.
The right to object is contained in the GDPR. If a person wishes to exercise this right then they need to give you specific reasons why they are objecting to the processing of their data. These reasons should be based on their particular situation. You can refuse to comply with their request if you can demonstrate compelling legitimate grounds for the processing (which override the interests, rights and freedoms of the person objecting) or the processing is for the establishment, exercise or defence of legal claims.
If you reject their request, you should explain your decision in writing. You must also inform them of their right to make a complaint to the ICO, and their ability to seek to enforce their rights through a judicial remedy. This can be a complicated area of the law. You may wish to obtain legal advice before responding.
Q8. Should our Privacy Policy contain a detailed CCTV Policy?
A. Assuming your Privacy Policy is compliant, it will be sufficient to include a brief statement along the lines of:
We operate CCTV based on our legitimate interest in protecting property and ensuring the safety of visitors, tenants and clients, as well as to assist with the prevention and detection of crime.
You should also identify who that footage is shared with (if applicable).
You should display public information CCTV signs stating the purposes of the CCTV and contact details for further information. You may also include instructions for accessing your Privacy Policy.
Persons making an enquiry via the client’s help desk should be given the VeriFi site reference which when entered at http://www.datasubject.info will give site specific information about CCTV process and procedures and also enable the enquirer to make a data subject access request.
Q9. Who should decide on surveillance & security data management process and procedure policy?
A. It is the responsibility of the data controller to establish processes and procedures. These should be included in the processor’s Service Level Agreement or a separate Data Processing Agreement (see section 17 for further information).
Of course, the data controller could write their own Data Compliance & Process Guidance Policy but a simpler solution would be to adopt this document and refer to the current VeriFi Data Compliance Policy & Procedures Guidance.
Q10. The landlord does not appear to have registered as a data controller with the ICO.
A. Data controllers must register with the ICO (see Q6 for more information). If the property is owned by a pension fund and not a separate legal entity then the pension fund trustees will probably be the data controllers and must register with the ICO.
Q11. We are managing agents employed by the landlord who is the data controller, what is our position?
A. You are lead data processor following policy and procedures set by the data controller. Other service providers, such as guarding and systems companies, are data processors subordinate to you. From a practical perspective, it will be good practice for the data controller to formally authorise you to decide on the release of data.
OR
If the landlord as data controller has appointed the guarding service provider as data processor the managing agent will have no data processing responsibility if no surveillance and security data is passed up the chain from the security contractor to the managing agent.
However, in practice it is doubtful that a managing agent could do its job without receiving or collecting some personal data such as evidence for insurance claims and health and safety issues, etc. The managing agent can only process such data in accordance with data protection legislation and the landlord’s written instructions from time to time. You will need to check that those instructions allow data to be shared without the managing agent being in the position of data processor.
Q12. A firm of solicitors has requested several hours of video footage from our shopping centre regarding a defendant’s movements on the site. The individual is in police custody and although we were unable to provide evidence of the alleged offence a retailer on the site was able to do so. Should this request be treated as a data subject access request via the defendant’s solicitor?
A. The first step would be to determine whether the solicitors are acting upon the individual’s authority and to obtain proof of that authority (e.g. a written letter).
Before releasing information relating to a criminal investigation, it would be prudent for you to ask the police whether they have any objection to the footage being released. The reason being that this could jeopardise investigations. If that were the case then it may be that the you can rely on one of the exemptions to comply with the DSAR. If you do rely on an exemption then that would need to be communicated to the data subject, (potentially via their solicitors).
Q13. A tenant that has a Data Sharing Agreement with a landlord/managing agent has requested a copy of access control and CCTV data relating to an HR issue with an employee of theirs. Is it OK to allow this?
A. If the Privacy Policies used by each party to the Data Sharing Agreement don’t refer to data being shared for HR purposes then there is a material risk that the transfer won’t comply with the GDPR. This is because the intended purpose of the processing (monitoring staff performance) hasn’t been disclosed to the data subjects beforehand. Unless it can be shown that this new purpose (monitoring of the tenant’s staff) is compatible with an existing purpose noted in the Privacy Policy, the transfer of this data to the tenant could be unlawful. The GDPR refers to this as the ‘purpose limitation’ principle.
This may be the case even if there is a contractual obligation on the landlord/managing agent to disclose the data (e.g. an obligation in a Lease, Licence, etc.). The purpose limitation principle may still apply.
Different rules may apply in the context of litigation or threatened litigation, in which case specialist legal advice should be sought before taking any steps to share personal data.
If a tenant or service provider is an individual (e.g. a sole trader) and the data concerns them personally, the request may constitute a data subject access request and different rules will apply.
Q14. Tenants frequently request access to CCTV recordings is it permissible to allow this?
A. We recommend that a controller to controller Data Sharing Agreement is put in place between the disclosing data controller and receiving data controller. Best practice dictates that the recipient should make a written request identifying its intention for the data. Provided these documents are in place, and there is no overriding legal reason why the disclosing data controller shouldn’t disclose the data, the disclosing data controller may release the data.
Usually the disclosing data controller has discretion over what (if anything) to release. The recipient’s intended purpose for the data will be one factor the disclosing data controller takes into consideration. It may find itself limited by the purpose limitation under the GDPR if the purpose of the transfer is incompatible with the data processing purposes identified in its Privacy Policy (see Q13 for more information).
Different rules may apply in the context of litigation or threatened litigation, in which case specialist legal advice should be sought before taking any steps to share personal data.
If a tenant or service provider is an individual (e.g. a sole trader) and the data concerns them personally, the request may constitute a data subject access request and different rules will apply.
Q15. We manage an apartment block, one of the residents has fitted a cloud based door entry-phone that transmits voice and images to her mobile phone. In addition to the intercom facility she has freely admitted that this device also captures and records images of people walking past the door to her apartment. There have been a number complaints from other residents, what is the position under data protection legislation.
A. If the camera is capturing recognisable images of people outside the resident’s dwelling, other than as a function of an intercom camera deliberately triggered by a caller, you must register as a Data Controller with the ICO and abide by data protection laws. This would include a requirement to fit public awareness CCTV signs stating the purpose of the CCTV and contact details. The release of recorded images should be restricted to Police, you could be considered to be in breach of data protection laws were you to circulate images of individuals via social media or any other means of dissemination.
Q16. A school has pupils who frequently visit a local shopping centre and are guilty of antisocial behaviour. The school and the shopping centre management wish to share CCTV footage in order that the school can identify the individuals and address the matter with parents. Is this acceptable under GDPR?
A. It may be possible to share footage with the school if fair processing information has been given beforehand, and an appropriate lawful basis for the processing has been identified.
The fair processing information would be contained in the data controller’s Privacy Policy. It should clearly state the purpose of the footage sharing arrangement, name the school, and identify the appropriate lawful basis for the sharing. The school should, in its Privacy Policy, identify shopping centre management as a source of personal data which it processes. In both cases plain, clear and age-appropriate language must be used. If the data sharing is two-way (i.e. the school provides information to shopping centre management) then the data controller’s Privacy Policy should also identify the school as a source of personal data and explain the purpose and lawful basis for processing that data.
Legitimate interest may be an appropriate lawful basis for sharing the data. A Legitimate Interest Assessment should be conducted as part of the decision making process. If special category data is shared then an additional condition from Article 9 GDPR will need to be identified. If criminal offence data is being shared then an additional condition from Schedule 1 of the Data Protection Act 2018 is required. These conditions should be recorded in the data controller’s Privacy Policy.
It may not be possible to lawfully transfer archive footage which was captured before the data controller updated its Privacy Policy to refer to the data sharing arrangement. That is, unless it can be shown that this new purpose for capturing the footage (sharing with the school) is compatible with a purpose which was already identified in the Privacy Policy’s previous version. The GDPR refers to this as the ‘purpose limitation’ principle.
If the transfer is to go ahead, a controller-to-controller Data Sharing Agreement should be entered into with the school. The data sharing arrangement, and validity of the legitimate interest lawful basis for processing, should be kept under regular review.
The GDPR specifically provides for the protection of children’s data. As such, it would be advisable to seek specialist advice in this area before making a decision.
Q17. A shopping mall wishes to install a CCTV camera inside the security control room for the safety of staff, especially those who are lone workers. Is this acceptable?
A. The key principles regarding CCTV in the workplace are:
- Employees must be made aware of cameras in use;
- Employees should be told why CCTV is being used;
- If an employee asks to see footage of themselves, this must be provided within one month;
- The ICO (Information Commissioner’s Office) must be informed of the presence of CCTV, and the reasons why it has been installed (and the employer must pay a fee);
- If CCTV was installed to detect a crime, it should not be used to monitor workplace productivity.
The same data protection requirements that apply to employee monitoring generally also apply to CCTV surveillance which is a more intrusive form of monitoring. ICO codes and guidance “The ICO’s Employment Practices Code” provides that:
- Where an employer is considering using CCTV it should preferably be using an impact assessment, considering whether the benefits justify the adverse impact. In particular:
- Where possible, monitoring should be targeted at areas of particular risk and confined to areas where expectations of privacy are low.
- Continuous monitoring of particular individuals is only likely to be justifiable in rare circumstances.
- Unless covert monitoring is justified, workers should be given a clear notification that video monitoring is being carried out and should be told where and why it is being carried out.
- There should be adequate notices (or alternative means) to advise people other than workers, such as visitors or customers, who might otherwise be inadvertently caught by it, that monitoring is taking place. The notices should make them aware of why it is taking place.
The ICO has also produced a code of practice on the use of surveillance systems, “Surveillance Camera Code”. The Surveillance Camera Code operates using the following 12 guiding principles:
- Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
- The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
- There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
- There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
- Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
- No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
- Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
- Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
- Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
- There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
- When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
- Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.
The ICO’s codes of practice do not have legal effect and compliance with their recommendations is not mandatory. However, the ICO may refer to recommendations set out in a code of practice in connection with any enforcement action under data protection legislation.
ICO checklist
Please see the ICO’s checklist which organisations need to complete before installing CCTV:
https://ico.org.uk/for-organisations/data-protection-self-assessment/cctv-checklist/
Right to Privacy
The right to privacy under Article 8 of the European Convention on Human Rights (ECHR) has been invoked in cases brought by employees who have been monitored using CCTV in their workplaces, even where the filming took place in public areas.
The case of Lopez Ribalda V Spain set out the following guidance on factors to be considered in deciding whether employee surveillance is proportionate under Article 8 ECHR:
- Whether the employee has been notified of the possibility of video-surveillance measures being adopted by the employer and of the implementation of such measures. While in practice employees may be notified in various ways, depending on the particular factual circumstances of each case, the notification should normally be clear about the nature of the monitoring and be given prior to implementation.
- The extent of the monitoring by the employer and the degree of intrusion into the employee’s privacy. In this connection, the level of privacy in the area being monitored should be taken into account, together with any limitations in time and space and the number of people who have access to the results.
- Whether the employer has provided legitimate reasons to justify monitoring and the extent of the monitoring. The more intrusive the monitoring, the weightier the justification that will be required.
- Whether it would have been possible to set up a monitoring system based on less intrusive methods and measures. In this connection, there should be an assessment in the light of the particular circumstances of each case as to whether the aim pursued by the employer could have been achieved through a lesser degree of interference with the employee’s privacy.
- The consequences of the monitoring for the employee subjected to it. Account should be taken, in particular, of the use made by the employer of the results of the monitoring and whether such results have been used to achieve the stated aim of the measure.
- Whether the employee has been provided with appropriate safeguards, especially where the employer’s monitoring operations are of an intrusive nature. Such safeguards may take the form, among others, of the provision of information to the employees concerned or the staff representatives as to the installation and extent of the monitoring, a declaration of such a measure to an independent body or the possibility of making a complaint.
Under the Data Protection Act, employees are entitled to make a “data subject access request” regarding personal data about themselves. This includes the right to see CCTV recordings. Any such requests need to be handled appropriately and in accordance with the timings set out in the GDPR.
Suggested documents
The guidance suggests that employers should have in place (if they use or plan to use CCTV):
- A CCTV policy to be inserted into the staff handbook;
- Data protection impact assessment regarding the use of CCTV;
- Make sure employee privacy notice (and general data protection policy) covers the use of CCTV and if not, update this.
Q18. How do we make sure our collection and sharing of data is lawful when maintaining records for the Coronavirus contact tracing scheme?
A. Before collecting personal data for contact tracing, check the government guidelines about whether your business is required to collect customer contact information. This is because the rules vary for England, Wales, Scotland and Northern Ireland. Your lawful basis for processing the information will also depend on the type of your organisation and whether the government has made it a legal requirement for you to collect contact tracing information.
What lawful basis am I relying on?
Each of the following lawful bases allows you to collect customer and visitor contact details for contact tracing:
- Legal obligation: This will apply if you need to collect personal information to comply with the law, i.e. because the government makes it a legal requirement for your business to collect data for contact tracing.
- Legitimate interest: This will usually apply where you are a private organisation and there is no legal requirement to collect contact tracing data. You have decided that collecting the data is in the interests of the individual, organisation, and national public health efforts to tackle coronavirus (so long as data protection principles are followed and individuals’ rights are protected).
- Public task: If you are a public authority, this basis allows you to identify a task, power or function with a clear basis in law (for example a council with clear legal responsibilities around public health) which requires you to process this data.
- Consent: If you are not covered by one of the above bases, then your lawful basis is likely to be consent. Consent is a less convenient ground for processing because the data subject can withdraw their consent, and stop your processing activities, at any time. Consent might be your only choice if you collect information in a situation which might reveal sensitive personal information about visitors. E.g. if you collect contact tracing records at a place of worship where those records would reveal visitors’ religion.
What do I need to tell people?
You must be clear, open and honest with people about the reason you are collecting their data when they visit. This includes telling people what your lawful basis is, who you will share their information with and how long you will keep it. You may do this by putting signs up, telling people in person, or directing people to information online.
Be mindful of the age, literacy and mental capacity of your visitors to ensure your explanations are easily understood.
Who can I share the information with?
Generally you should only share the information with the government contact tracing scheme, having first checked that you have received a genuine request for information. You should not share the information with any other person without first carefully checking that you have a lawful basis to do so. This includes sharing information with the police.
You cannot use any of the data collected for contact tracing for marketing or other business purposes.
How much information should I collect?
Please note that you do not need to collect data where people scan an official QR code issued by the government for the NHS Covid-19 app.
You should only collect the personal information required for you to maintain records which are sufficient for contact tracing purposes. You should check the relevant government guidance for your area, but the main elements will usually be the person’s name (or the name of the ‘lead member’ of a group), contact telephone number, and the date and time they were there.
Depending on the rules for your area, you may not need to collect information for children under a certain age even if they aren’t with a family group. If you are unsure of a child’s age then you should ask them. It usually won’t be appropriate to ask them for ID except in circumstances where you’d be asking for ID anyway (e.g. on the door to a pub).
What if people give false information?
Some visitors may provide false information. Provided you accurately record the information given, you should still comply with the accuracy principle under data protection law. Data protection law does not require you to challenge people if you suspect they have given false information.
How long should I keep the records for?
You can only keep this personal data for as long as it is needed. It is usually recommended to retain this data for 21 days but you should check government guidance for your specific area to see if you need to keep the records for longer.
Records should be securely destroyed or deleted at the end of the retention period.
How should I protect the records?
You must put in place rules and staff training to ensure that this data is not lost, stolen or destroyed whilst in your possession. Ideally you should collect information in a way whereby visitors can’t see each other’s information. Using a locked ballot-box is one way to do this. Previous days’ records should be locked away or (if digital) password-protected. Access should be restricted to those in your organisation who need access to carry out their duties.
Can we require visitors to use the government app?
Use of the government’s contact tracing app is optional. Your organisation is expected to have an alternate way of recording information if a visitor doesn’t have the app or doesn’t want to use it.
Q19. Why is a 90 day archive suggested for Key Management?
A. The recommended archive retention period for key management data is 90 days. This time period allows the party archiving the data sufficient time for the following:
- To confirm and/or prove that obligations to the various parties have been fulfilled.
- It enables time for investigations and/or fact finding exercises where keys may have been flagged as overdue for return, or where there is any other anomaly.
- It ensures that contact data for repeat transactions is maintained. Repeat customers/visitors who require keys after the 90 day archive period will need to re-supply their data to ensure their personal details are not kept on file for an excessive length of time.
Requests for a right to erasure of data within the 90 day period should be considered, whilst bearing in mind the legitimate interests for keeping data which are listed above.
Q20. Is it necessary to redact CCTV footage requested by a legal representative or insurer?
When sharing footage which identifies individuals (either directly, due to their faces or identifiable appearance being visible in the footage or indirectly, such as identifying somebody’s location via the presence of their vehicle) the agent needs to ensure it complies with the data protection principles. One of the principles is data minimisation which states that the agent should only share the minimum amount of personal data necessary for the purpose for which the data is being shared. If the request for the footage is motivated by a legal dispute between a set number of parties then the data minimisation principle suggests that any unrelated parties should be redacted from footage. This is because the footage of the unrelated parties is not necessary for the purpose of resolving the dispute.
