The Surveillance Camera Code of Practice Principle 2 states that; “The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified” (source).
The best way to ensure compliance with Principle 2? Conduct a Privacy Impact Assessment (PIA). The one provided by the Surveillance Camera Commissioner (available here) should serve as your primary resource. Conducting a PIA allows surveillance systems operators to dissect risks to compliance with GDPR and the ICO CCTV code of practice.
A PIA should take into account the purpose for such a system and the impact that recording may have on an individual’s privacy. Decide whether the proposed system can be justified as proportionate to the reason it is required. Read on to find out if you need to conduct such an assessment….
The Surveillance Camera Commission recommends that a privacy impact assessment is carried out when any of the following apply:
Cameras are added or removed from systems
- When conducting a review of your system to ensure that it is justified (in accordance with Principle 10 of the Surveillance Camera Code of Practice and with the ICO CCTV code of practice). It is recommended that businesses conduct this review once a year.
Cameras are moved or change position
- When you are changing the location or field of view of a camera or any such similar changes
- When you increase the area captured by your surveillance camera systems
Whole or parts of systems are upgraded
- The activity or change will engage heightened privacy concerns such as voice recording and biometric recognition such as facial and gait recognition
- When you change the way in which the recorded images and information is handled, used, or disclosed.
- If you are considering the capture of an additional identifier such as vehicle registration mark to enable automatic number plate recognition (ANPR).
New systems are installed
- Considering introducing new or additional technology that may affect privacy (for example body worn cameras, drones, or multi sensor extremely high resolution cameras)
- If your system involves any form of cross referencing to other collections of personal information
- If your system involves more than one company or agency undertaking activities either on your behalf or in their own right
- When you change or add an end user or recipient for the recorded information or information derived from it
In summary; if in doubt over whether to conduct a PIA, consider the nature and scope of the surveillance camera activities and the potential to impact upon an individual’s privacy. Make sure you are redacting CCTV images when releasing them as part of a Subject Access Request (SAR). Pixelate by Ocucon is an easy to use video redaction software, learn more about it here.
Scroll down to view the checklist we created and right click to save so that you can use this checklist for your own business!