How can we comply with the data protection principles when using surveillance systems?
At a glance
Article 5 of the UK GDPR sets out seven key principles. These principles should lie at the heart of your approach to processing personal data. When using surveillance systems, you can encounter data protection problems if your focus is on technical capability over the transparency of the processing or the governance of information. Therefore, you need to consider each aspect equally.
For any use of surveillance systems, you need to identify and document a lawful basis under Article 6 of the UK GDPR. In practice, it is often difficult to obtain genuine consent from individuals for processing their personal data in public spaces. Therefore, it is likely the appropriate lawful basis will be either legitimate interests, or a reliance on public task (if you are carrying out your tasks as a public authority in the public interest or under official authority). A legitimate interests assessment (LIA) can help you demonstrate lawfulness of the processing, and can naturally feed into a DPIA.
You need to identify an Article 9 UK GDPR condition, if you are actively processing special category data, such as biometric data (for example when using facial recognition systems to uniquely identify individuals). If you process criminal conviction data, you need to comply with Article 10 UK GDPR.
The type of surveillance system you choose and the location it operates within must achieve the specific purpose(s) for which you are using it.
The information your surveillance system processes must be of good quality and be adequate, relevant and limited to what is necessary. You should identify the minimum amount of personal data you need to fulfil your purpose(s).
The UK GDPR and the DPA 2018 do not prescribe any specific minimum or maximum retention periods which apply to surveillance systems or the information you may process. Rather, it is the purpose of your processing that should determine your necessary retention period.
You should store recorded information securely in a way that maintains its confidentiality, integrity and availability. This is to ensure that you protect the rights of individuals you record by surveillance systems and use the information effectively for your intended purpose.
What should we generally consider when using surveillance systems?
How do we demonstrate lawfulness, fairness and transparency?
How do we comply with the purpose limitation principle?
How should we minimise the information we process, and ensure its quality?
What about the retention of information?
How should we securely store and view the information our surveillance system processes?
What should we generally consider when using surveillance systems?
Modern surveillance systems can offer:
greater clarity of images with high definition picture;
improved capability due to the size and positioning of lenses; and
additional functions to post footage online or share information with others in real time.
As such, surveillance systems can be particularly intrusive. Especially if they impact on the private lives of individuals and process personal data beyond their reasonable expectations.
Some systems are also capable of placing large numbers of people under surveillance as they go about their day-to-day activities. For example, this may include the use of ANPR or facial recognition technology in public spaces.
Regardless of the size of the system, you should initially consider achieving your outcome using alternative, less privacy intrusive methods. You may consider that new technology is an attractive or affordable solution. However, the use of surveillance systems should be a necessary and proportionate response to the problem you are addressing. You should therefore carefully consider whether or not to use a surveillance system, if other options are available.
A disused public space is subject to vandalism and antisocial behaviour, and a local authority installs a surveillance system to try and monitor the area.
In order to reduce the amount of CCTV in the area, the local authority may wish to first consider less intrusive alternatives to surveillance systems. For example, improved lighting, fences and improvements to the area to encourage regeneration. This may also discourage antisocial behaviour if the space is used more often by the wider community.
Both fixed and mobile cameras should be focussed on a relevant space, and where wider surveillance is possible but unnecessary, this should be restricted. This ensures that surveillance does not occur in areas which are not of interest and individuals are not unintentionally made the subject of surveillance.
A café installs a surveillance system which captures the entrance of the premises to improve its security, as there have been reports of break-ins in the local area.
When reviewing the system, the café owner realises that the camera’s field of vision also captures footage of a nearby flat, and can see into the property.
The café owner adjusts the field of vision so that the focus of the recording is restricted only on the café entrance to avoid any unnecessary privacy intrusion to nearby residents.
Article 5 of the UK GDPR sets out seven key principles that should lie at the heart of your approach to processing personal data.
You should carefully consider whether it is appropriate to use a surveillance system, and assess any potential impact this may have on the rights and freedoms individuals have under data protection law.
It is also important that you identify an appropriate lawful basis under the UK GDPR and DPA 2018. You should clearly document and justify your reliance on a particular lawful basis in conjunction with the principles of data protection law prior to any deployments.
As previously mentioned, for the use of surveillance systems you must perform a DPIA for any type of processing that is likely to result in a high risk to individuals. This is a legal requirement and applies in most cases, due to the inherent privacy risks involved in the use of surveillance systems as a type of processing. See section on DPIAs.
How do we demonstrate lawfulness, fairness and transparency?
☐ We have identified an Article 6 lawful basis for the processing of personal data under UK GDPR.
☐ We have also identified an Article 9 UK GDPR condition for the processing of any special category data, especially where the unique identification of individuals occurs.
☐ We have identified an appropriate DPA 2018 Schedule 1 condition where specifically required for the processing of special categories of personal data or criminal conviction data.
☐ Where relevant, we have identified our authority for any processing of criminal offence data under Article 10 UK GDPR.
☐ Where required, we have a readily available appropriate policy document (APD) that demonstrates the above.
For any use of surveillance systems you need to identify and document a lawful basis for processing under Article 6 of the UK GDPR. In practice, it is difficult to obtain genuine consent from individuals that are subject to video surveillance in public spaces. Therefore, it is likely the appropriate lawful basis will be either legitimate interests, or a reliance on public task (if you are carrying out your tasks as a public authority in the public interest or under official authority). A legitimate interests assessment (LIA) can help you demonstrate lawfulness of the processing, especially if you are not carrying out a DPIA. You must however independently identify an appropriate lawful basis that best suits your organisation or method of processing.
You need an Article 9 UK GDPR condition, if you are actively processing special category data, such as biometric data (for example when using facial recognition systems to uniquely identify individuals). There are 10 conditions for processing special category data in Article 9 of the UK GDPR. Five of these require you to meet additional conditions and safeguards set out in UK law, at Section 10 and in Schedule 1 of the DPA 2018. If you record footage involving criminal offence data, you also need to comply with Article 10 of the UK GDPR, Section 10(5) of the DPA 2018 and identify an appropriate condition under Schedule 1 of the DPA 2018. For more information see our guidance on criminal offence data.
A shop manager suspects an employee of stealing money from the till. The manager compiles a report showing the shifts of the individual and collects CCTV footage of them at the till during those shifts.
This personal data is criminal offence data as it relates to the alleged commission of an offence which is unproven and requires compliance with Article 10 UK GDPR.
In some circumstances, the UK GDPR and DPA 2018 also require you to have supporting documentation that explains how you demonstrate lawfulness, in the form of an ‘appropriate policy document’. Read further guidance about documentation.
Processing of personal data must always be fair as well as lawful. If any aspect of your surveillance is unfair you will be in breach of this principle – even if you can show that you have a lawful basis for the processing.
In general, fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. You need to stop and think not just about how you can use personal data, but also about whether you should.
Naturally, there are places where individuals have a heightened expectation of privacy, such as private property. But also in public toilets and changing rooms, where the use of visual or audio recording would not be expected and often difficult to justify. If you are considering surveillance systems in these environments, you should only use them in the most exceptional circumstances, where it is necessary to deal with very serious concerns.
An individual walks down a public shopping precinct and expects to be captured on CCTV that is installed for the prevention or detection of crime. When entering a shop, the shop also has a CCTV system installed for similar reasons. But the individual may not expect there to be a camera in the changing rooms where there is often a heightened expectation of personal privacy.
You always need to ensure that those under surveillance are clearly aware that they are being recorded. You should provide individuals with appropriate information about how they can exercise their rights, and that appropriate restrictions on viewing and disclosing images are in place for those using the system.
You need to assess whether the individual can reasonably expect the processing. In particular, you need to take into account when and how you collect the information. This is an objective test. The question is not whether a particular individual actually expects the processing, but whether on balance a person should reasonably expect the processing in the overall set of circumstances.
In terms of the use of surveillance systems, you need to recognise whether you are using a new technology or processing data in a new way that an individual may not reasonably anticipate. Or conversely, whether there are any developments in technology or updates to services that individuals have come to expect. Again, you should reflect this risk assessment in a DPIA prior to any deployment of a surveillance system.
By installing surveillance systems in areas where people have greater expectations of privacy, you may inadvertently increase the intrusion on their private life, especially where their behaviour is not modified. The use of surveillance systems in public spaces may also have a chilling effect on the way in which people behave, interact with each other, or the places that they choose to move freely. It is important that you also consider these issues when planning to use new or existing systems and whether they can be justifiable set against the purpose(s) for the processing.
A business responsible for managing a public multi-storey car park wishes to use CCTV cameras around the premises and in the elevators, to ensure the safety and security of individuals using them. Those using the car park are likely to expect CCTV cameras for general safety reasons, but also in areas where a crime could possibly occur.
The owners of the car park should ensure that there is appropriate signage that people can read within, and prior to entering, the premises. It should include details of the organisation operating the system, the purpose for using it and who to directly contact in the event of a query.
A school wishes to install CCTV cameras in the toilets in order to prevent vandalism.
The school would have to make a rigorous assessment based on necessity and proportionality in order to justify the processing. This is because the cameras would be recording children, particularly in an environment where there would be a natural and heightened expectation of privacy by both students and parents. Given the potential level of intrusion, this use is unlikely to be proportionate in most circumstances. The school should seek less privacy intrusive measures in order to solve a particular problem.
☐ We have signs that accompany our surveillance system that are clearly visible and readable, explaining that its use is in operation.
☐ We include details of the organisation operating the system, the purpose for using the system and who to directly contact about its use.
☐ We include as a minimum basic contact details such as a website, telephone number or email address.
☐ We have signs that are an appropriate size depending on the context of the systems use. For example, whether the signs are viewed easily by pedestrians or drivers.
The need for transparency is a fundamental aspect of data protection law. You must tell people when you are capturing their personal data, where appropriate. However, it is recognised that the use of surveillance systems often presents challenges for providing individuals with privacy information. For example, it could prove difficult to ensure that an individual is fully informed of recording taking place if:
you are using a drone at altitude;
the surveillance system is attached to a person’s uniform; or
the system is fixed in a location that individuals would not reasonably expect.
If you operate a surveillance system you are likely to collect personal data directly from the individuals you monitor. As a result you need to comply with data protection law, in particular Article 13 of the UK GDPR. This means you need to find a way to provide them with information about the surveillance. In any case, you must let people know when they are in an area where a surveillance system is in operation. You can also back up messages with an audio announcement, if public announcements are already used, such as in a train station or onboard public transport.
An effective way to provide transparent information is to place signs prominently before the entrance to the system’s field of vision and reinforce this with further signs inside the area. You should position information at a reasonable distance from the places monitored, and in such a way that individuals can easily recognise the circumstances of the surveillance before entering the monitored area. For example, it is not considered fair for an individual to read a sign that warns them about particularly intrusive surveillance technology in the area, if the system has already captured them whilst reading it.
It may be useful to use websites or social media to inform individuals that certain types of surveillance systems are in operation at a specific time and in a specific area. It is important to note however that publishing information on a website, by itself, is not enough to comply. You have to draw the individuals’ attention to the information. Therefore, you could use physical signage with linked information, so that individuals can find out more if they are interested. This would essentially function as a layered privacy notice.
As a general rule, signs should be more prominent and frequent in areas where people are less likely to expect that they will be monitored by a surveillance system. For example, this is particularly important when you are using a system to cover a large public area and capture a large amount of personal data.
A construction company uses traditional CCTV alongside security guards within the perimeters of a building site. This is to protect the site operatives, and nearby members of the public from any harm. The CCTV system provides extensive monitoring across the site, and the footage records the activity of the members of staff stationed there.
The site includes large, prominent notices to inform individuals:
about the CCTV system;
that the cameras are there for the purposes of safety and security; and
who to contact directly in the event of a query.
Signs do not need to say who is operating the system if this is obvious. If a surveillance system is installed within a shop, for example, it may be obvious that the shop is responsible. All relevant staff within an organisation should know what to do or who to contact if a member of the public makes an enquiry about a surveillance system.
Where processing is not obvious to an individual, a sign could read “Images are being monitored and recorded for the purposes of crime prevention and public safety. This system is controlled by XXXXX. For more information, visit our website at (web address) or call 01234 567890.”
How do we comply with the purpose limitation principle?
☐ We have initially considered achieving our outcome using alternative, less privacy intrusive methods without the need for surveillance systems.
☐ If we need to use a surveillance system, we only use it in locations where it achieves our specific purpose(s).
☐ We have assessed any potential impact the use of surveillance may have on the rights and freedoms individuals have under data protection law.
☐ We only use audio recording where there is an evidenced and justified need.
☐ Any audio capabilities in our system are switched off by default.
☐ We take additional steps to make it clear to individuals that audio recording is taking place, over and above any visual recording which is already occurring.
You must be clear about what your purposes for processing personal data are from the start under the UK GDPR and DPA 2018. You need to record your purposes as part of your documentation obligations and specify them in your privacy information for individuals.
When using surveillance systems, you can only use the personal data for a new purpose if:
this is compatible with your original purpose;
you get consent from individuals; or
you have a clear obligation or function set out in law.
You should not normally use surveillance systems to directly record conversations between members of the public. This is highly intrusive and unlikely to be justifiable in most circumstances. In most situations, the use of audio recording, particularly where it is continuous, is considered more privacy intrusive than purely visual recording. Its use will therefore require a much greater justification and you should switch off by default any capability to record audio. You should only use it in exceptional circumstances, for example by a trigger switch.
If your system comes equipped with an independent sound recording facility, then you should turn this off or disable it in some other way, unless you can clearly justify and evidence its use. If you cannot control sound recording separately you need to consider how privacy intrusive the system is as a whole, including the recording of sound.
You should only use audio recordings when you have:
identified a particular need or issue and can evidence that this need must be addressed by audio recording;
considered other less privacy intrusive methods of achieving this need;
reviewed the other less privacy intrusive methods and concluded that these will not appropriately address the identified issue and the only way to do so is through the use of audio recording.
You should take additional steps to make it clear to individuals that audio recording is taking place, over and above any visual recording which is already occurring.
Surveillance in the workplace
If you are an employer, there may be cause for you to consider using overt surveillance systems to monitor staff, for reasons of health and safety, public health or security.
This could involve installing traditional CCTV cameras that record staff performing a particular task, or installing systems to record employees entering or exiting a secure premises. However, it is likely that employees would not always reasonably expect to be monitored by video or audio surveillance systems in their day-to-day roles. In the case of audio monitoring, this guidance focuses on the recording of face-to-face or private conversations, rather than business telephone calls commonly used for monitoring or training purposes.
It is therefore important if you are using surveillance systems in the workplace, especially any use of audio recording, that you use them in rare circumstances. In addition, you must:
consult with your workforce (eg staff and/or trade unions), especially during the DPIA process;
ensure that there are adequate notices, or other means, to clearly inform employees about the nature and extent of surveillance and its purpose(s);
ensure that you make people other than workers, such as visitors or customers, who may inadvertently be caught by monitoring, aware of its operation and why you are carrying it out;
target any video or audio monitoring at areas of particular risk and confine it to areas where expectations of privacy are low;
consider that continuous video or audio monitoring of particular individuals is only likely to be justified in the rarest of circumstances, and may involve other legal requirements outside data protection law for targeted monitoring;
respect the individual rights staff have about their personal data, and provide a mechanism for them to raise complaints or concerns directly with you as their employer.
An employer records incoming calls taken by employees in a call centre for training purposes, and this is known and accepted by staff. However, the employer also wishes to install video recording in a separate rest area, where staff can take breaks from work and interact.
This use of surveillance would not generally be expected by staff, and would be difficult to justify as a necessary or appropriate use by the employer. Such surveillance may also prevent staff from using the rest area, and may affect the way in which people behave and interact with each other. The employer should rethink the purposes of the recording, and should not install the system if there is no compelling justification for its use. Conducting a DPIA prior to any installation would also be a useful exercise to help identify a genuine need for monitoring and any associated risks.