By *9XAYNOR69Man
over a year ago
GDPR & workplace CCTV: What employers need to know?
DataGuard
The General Data Protection Regulation (GDPR) extends beyond written records of personal data. The rules of the UK GDPR are also applicable to video surveillance that might include personally identifiable images and footage. It is mandatory to comply with the UK GDPR, as loss or unlawful distribution of personal information can result in heavy fines.
In this article, learn how to ensure CCTV is GDPR compliant, as well as the risks associated with setting up CCTV monitoring at your workplace.
In this article
What is GDPR compliant CCTV?
Why might workplace CCTV monitoring be useful for your organisation?
How can you ensure your CCTV is GDPR Compliant?
What are the risks associated with workplace CCTV monitoring?
What is the penalty for non-compliance?
Conclusion
What is GDPR compliant CCTV?
GDPR compliance in CCTV is the process of ensuring that your CCTV system complies with the UK GDPR. The UK GDPR requires transparency about how organisations handle personal data, and requires consent from users before collecting their personal information. To comply with UK GDPR, you must also make sure your CCTV system meets these basic requirements:
It has a clear purpose statement describing why it is being used by the organisation (i.e., safety and security purposes).
The footage from cameras should only be retrieved if there is suspicion that an individual may have committed an offence (i.e., if it matches existing video footage from other sources).
Any footage collected must be stored securely so that it cannot be accessed by unauthorised individuals or third parties without consent from those individuals (i.e., via a password or biometric identifier).
Why might workplace CCTV monitoring be useful for your organisation?
The need for CCTV monitoring depends on each organisation. If you have storage units containing valuable items and sensitive information, CCTV may be useful in monitoring access and maintaining a log of activities around these areas. Other organisations may choose to only install CCTV following previous security incidents.
The monitoring of employees through video surveillance isn't required by the GDPR. It is left to the discretion of the data controller (your organisation) to identify a need for CCTV and reach a decision.
How can you ensure your CCTV is GDPR Compliant?
When we think about personal information, our first thought is often written documentation, such as banking details and forms of identification. However, images and videos can also contain personally identifiable information, and this is where CCTV becomes relevant when navigating the GDPR.
To ensure compliance, it is important to consider the following when using and distributing CCTV footage:
Maintain transparency around how/why CCTV is used
The GDPR is rooted in transparency, and you are required to inform people that they are under surveillance using visible signs. Signs should also include the following details:
Why this data is being collected/its purpose, for example: “CCTV currently in operation to ensure public safety”
Contact details of the data protection officer (DPO)
Information about your organisation (data controller)
Means to access other details upon request (via QR code, for example)
Aim to collect minimal data
Article 5(1)(c) of the GDPR stipulates that data collection should be “adequate, relevant and limited to what is necessary” in line with its stated purpose. Be sure to regularly review your CCTV practices and delete unnecessary footage.
Ensure access to footage is limited to certain individuals
Only those who need access to surveillance footage should be allowed access, i.e. those in management roles and others who require this data to perform their duties. To facilitate this, cloud-based systems can be used to securely store CCTV footage in an encrypted format that can be accessed by those with permission.
Conduct a data protection impact assessment (DPIA)
Before you set up your CCTV cameras and begin surveillance, you should identify and minimise any potential data processing risks. Gather this information through a DPIA.
A DPIA should be conducted whenever CCTV equipment is newly installed or moved.
Comply with reasonable access requests
Individuals should be allowed access to CCTV footage that concerns them. These requests can be formal or informal, and you are expected to respond to requests within one month. The requested footage should be provided in a secure and easily accessible way, with the identities of other subjects blurred to ensure their privacy.
When done effectively, CCTV can be a valuable tool in maintaining workplace security and protecting the confidentiality, availability and integrity of sensitive information. However, there are a few risks you should consider before choosing to install CCTV.
What are the risks associated with workplace CCTV monitoring?
Though CCTV monitoring is not inherently risky, there are a few things you should aim to avoid before choosing to install CCTV at your workplace:
Breach of employee-employer trust
Monitoring workplace activities may damage your relationship with your employees, so it is very important that they are informed of any and all CCTV devices. Uninformed/non-consensual surveillance may result in complaints and staffing issues.
GDPR infringement
If the collected data isn’t properly protected, your organisation might be in violation of the GDPR and incur heavy fines. This could damage your organisation’s reputation and put it at great financial risk.
Human Rights Act violation
Ensure that the means of surveillance is not overly intrusive so as to not violate the privacy of your employees. Such violations can result in legal action.
What is the penalty for non-compliance?
The ICO takes data privacy violations very seriously, and this extends to poor CCTV practices. GDPR violations can result in fines amounting to €20 million or 4% of an organisation’s annual global turnover, whichever is greater. However, it is unlikely that CCTV malpractice will result in fines of such a scale.
Nevertheless, be sure to maintain GDPR compliance when carrying out CCTV monitoring by regulating its use and distribution.
Conclusion
Video surveillance can contain personally identifiable images and therefore should not be ignored when reviewing your organisation’s handling of personal information. Complying with the GDPR protects your organisation from the unauthorised dissemination of sensitive information, data breaches and incurring heavy fines.