Banking and finance dispute resolution
For the latest news and comment on banking and finance disputes.
For the latest news and comment on banking and finance disputes.
For all the latest news and comment in clinical negligence healthcare law
This collection looks at the latest news and comment on commercial contracting healthcare law. With the health and social care sector under…
For all the latest news and comment in employment and pensions healthcare law
For all the latest legal and regulatory news and comment in health technology
This collection contains DAC B eachcroft's latest report, The Route to Integrated Healthcare , which provides the first practical examples of how…
This collection looks at the latest strategic, commercial, regulatory and negligence legal and advisory news and comment in health and social care. …
For all the latest news and comment on employment and pensions law.
DAC Beachcroft Dublin specialises in insurance, professional indemnity, defendant personal injury, health, commercial litigation and employment work.…
For all the latest new and comment in tax law.
The GC Collective collection offers insight and comment for General Counsels (GCs) and in-house legal teams.
For the latest news and comment on Corporate, M&A and Equity Capital Markets.
Analysis, commentary and checklists on the legal and governance implications of Brexit on businesses operating in, and trading with, the UK
The Accountant's Liability Collection brings you topical news and insight of interest to accountants, actuaries, trustees and other financial…
Events and online training for the health and social care sector.
DAC Beachcroft's LatAm Quarterly Newsletter discusses topical news and issues in Latin America
In response to client suggestions and requests, DAC Beachcroft's insurance sector flagship publication.
For all the latest legal and regulatory news and comment in health and social care integration
For all the latest news and comment in corporate regulatory healthcare law
Find advice, commentary and thought leadership on all aspects of Director's & Officer's Insurance; from contract formation through to complex…
This collection looks at the latest news, comment and development on the law affecting mental health services. The law affecting mental health…
Our market-leading Information Law team regularly publish articles and updates addressing the ever-evolving Information Law landscape.
This collection looks at our Safety, Health and Environment Team and the products and services they can provide. In the climate of increased…
The Insurance Act 2015 comes into force in August 2016 and will represent a significant change to insurance contract law in this country. This…
Legislative changes are bringing major changes to the Insurance landscape. This collection houses DAC Beachcroft's alerts on the pertinent issues.
For all the latest news and comment in clinical regulatory healthcare law
Organisations face ever-increasing expectations from Government, regulators, customers or service users, and other stakeholders, so scrutiny and…
For all the latest legal and regulatory news and comment in healthcare estates and facilities management
This collection addresses the full spectrum of cyber security and data risk management – the zeitgeist of our age.
We have acted for clients in the majority of significant product liability cases that have been decided in the UK over the last 35 years. Our product…
Considering the future landscapes of our cities
The European General Data Protection Regulation (GDPR) came into force on 25 May 2016. A rewrite of European data protection law, the GDPR imposes…
Considering the future of housing
For the latest news and comment on public procurement law.
Welcome to the Construction Risks collection. This space is used to report upon issues of interest to those who seek to allocate, manage and reduce…
Technology, brands and intellectual capital are key assets for any successful business. Our intellectual property (IP) team are experts at helping…
Considering the future of retail
The Insurance Market Conditions and Trends report is DAC Beachcroft's insurance sector flagship publication. Now in its tenth year, the report…
The Solicitors' Risk Collection addresses issues and developments affecting legal practitioners, and the professional indemnity insurers of legal…
Published On: 1 February 2016
In recent years, the capabilities of CCTV have greatly improved and in addition to recording images may also have face recognition and/or voice recording capabilities. While there are many benefits to such systems, they do give rise to concern that an individual's "private space" is being unreasonably invaded.
In its updated guidance note issued on 22 December 2015 (Guidance Note) the Office of the Data Protection Commissioner (ODPC) reaffirmed the position that recognisable images (including facial images and car registrations) captured by CCTV systems are personal data and are subject to the Data Protection Acts 1988 and 2003 (the Acts).
A data controller needs to be able to justify the obtaining and use of personal data by means of a CCTV system. Section 2(1)(c)(iii) of the Acts requires data to be "adequate, relevant and not excessive" for the purpose for which they are collected. A data controller must be able to demonstrate the following:
1. The collection of personal data on a continuous basis is justified
A CCTV system operating in order to secure premises (for instance to capture images of intruders) is likely to meet the proportionality test. However, a system which constantly monitors employees or members of the public would need to be justified by reference to special circumstances. For example, if the monitoring is for health and safety reasons, a data controller would need to demonstrate that the installation of CCTV was proportionate in addressing specific health and safety issues that had arisen prior to the installation of the system.
2. Images that are captured by the system are reasonable in the circumstances
The location of cameras should also be a key consideration for data controllers. In order to justify the use of CCTV to monitor areas where individuals would normally have a reasonable expectation of privacy, a data controller would have to demonstrate that a pattern of security breaches had occurred in the area prior to the installation of CCTV such as would warrant constant surveillance. CCTV placed to record external areas should be positioned in such a way as to prevent or minimise recording of passers-by or of another person's private property. Importantly, there are some areas that the use of CCTV would never by justified such as bathroom cubicles or urinals.
3. Detailed assessments validate the use of the CCTV system
The ODPC confirmed that they would expect a data controller to have carried out detailed assessments which support the use of CCTV in that particular area and for the collection of likely images. In particular, data controllers should be able to evidence that they carried out the following steps: a risk assessment, a privacy impact assessment, a specific data protection policy (this policy should include a documented data retention and disposal policy for the footage), documentary evidence of previous incidents giving rise to security and/or health and safety concerns, and clear signage indicating image recording in operation.
Section 2D of the Acts requires that certain essential information is supplied to a data subject before personal data is recorded. The Guidance Note recommends data controllers to have a written CCTV policy in place setting out the following:
i. the identity of the data controller;
ii. the purposes for which data is processed;
iii. any third parties to whom the data may be supplied;
iv. how to make an access request;
v. the retention period for CCTV footage; and
vi. security arrangements for the footage.
Notification of CCTV usage is usually achieved by placing easily-read and well-lit signs at all entrances. If the identity of the data controller and the usual purpose for processing is obvious (e.g. security), the sign can simply confirm that CCTV is in operation and provide contact details of the security firm operating the CCTV or the owner of the premises for persons wishing to discuss the processing. If, however, the purpose of CCTV is not obvious (e.g. to monitor staff performance or conduct) there is a duty on the data controller to make the purpose clear before any data is recorded.
Section 2(1)(c)(iv) of the Acts states that data "shall not be kept for longer than is necessary" for the purposes for which it was obtained. A data controller needs to be able to justify the retention period. For a normal security system, it would be difficult to justify retention beyond one month, except where the images identify an issue (such as a break-in or theft) and is retained specifically in the context of an investigation of that issue. The storage facility should be stored in a secure environment and access by authorised personnel should be maintained in a log.
The ODPC has confirmed that a request by An Garda Síochána (the Irish Police Force) (the Police) to view footage on the premises of a data controller or processor would not raise any specific concerns from a data protection perspective. If, however, the Police wish to download footage, it is best practice to obtain a formal written request stating that they are investigating a criminal matter. For practical purposes, and to expedite requests speedily in urgent situations, a verbal request may be sufficient once that request is followed up in writing. It is also recommended that a log of all requests is maintained by data controllers and processors.
An organisation may have to provide copies of all personal images captured by CCTV if served with a data access request. It is therefore important that the CCTV system in use allows a data controller to make copies of footage or stills. The ODPC will not accept claims that a system is unable to do so in the context of dealing with an access request.
Covert surveillance is generally unlawful and can only be used in specific and limited purposes and must be focused and of short duration.
Security companies that place and operate cameras on behalf of clients are considered to be data processors. As data processors, they operate under the instruction of data controllers (their clients).
The processing of personal data kept by an individual and concerned solely with the management of his/her personal, family or household affairs or kept by an individual for recreational purposes is exempt from the provisions of the Acts. However the exemption may not apply if the occupant works from home or if images of public roads or neighbouring property have been captured.
Section 38 of the Garda Síochána Act 2005 provides for the installation of CCTV systems for public security purposes under the authority of the Garda Commissioner.
To view the Guidance Note on Data Protection and CCTV, please click here.
Article submitted by Rowena McCormack, Associate – DAC Beachcroft Dublin
We recommend that organisations in Ireland, in their role as data controller, review their use of CCTV and ensure they are compliant with the Guidance Note. In particular, data controllers should be able to evidence detailed assessments confirming that the use of CCTV is justified, proportionate, reasonable and transparent. In order to do so, data controllers should ensure that they: