CCTV is a vital security measure for businesses up and down the country. By using CCTV cameras in the workplace, you can safeguard your property and employees from the threat of crime. However, without the right CCTV policy in place, you could also find yourself infringing strict privacy laws that protect the rights of individual people. Keep reading our guide to the laws of CCTV in the workplace for everything you need to know to ensure your business stays on the right side of UK CCTV laws, including GDPR.
If employers wish to install any types of CCTV cameras in the workplace, they must take the following actions in order to adhere to UK privacy and data protection laws (GDPR):
Yes, cameras that monitor the activities of people constitute a processing of personal data. Therefore, this activity falls under the UK Data Protection Act 2018, which incorporates the EU-wide General Data Protection Regulations (GDPR).
All surveillance carried out away from a person’s domestic property is subject to the act, including recording from CCTV cameras in the workplace. A core principle of GDPR is that personal data, in this case video, should only be kept for as long as necessary.
Processing limits and the period of time footage can be kept for is flexible under the act. This is to take into account the differing aims and challenges each company has when introducing the cameras. The laws of CCTV do however insist upon complete transparency when it comes to the following:
UK employers must consider the following risks when putting CCTV in place at their premises:
Somebody in your organisation needs to be made responsible for managing your CCTV system and become the data controller. They need to outline a clear CCTV policy in the workplace that is in line with GDPR.
Once the system has been registered with the ICO, the first step is to make a GDPR compliant company CCTV policy statement. This should explain to all individuals in the organisation why the cameras have been installed, how long the video data will be kept for and how it will be made secure.
A Data Protection Impact Assessment (DPIA) should be carried out to identify and manage the risks of processing video data and ensure the security of that personal data. Your procedure should be reviewed periodically to make sure that the risks continue to be managed effectively.
We have rounded up the most commonly asked questions from business owners across the UK below. If you have any other questions about CCTV systems and their relation to GDPR and the Human Rights Act, please contact our friendly security experts.
Business owners need to display GDPR compliant CCTV signage if they install surveillance cameras in the workplace. CCTV signage requirements are simple. Signs should be clearly visible in all the areas where surveillance is taking place and they should be readable to anybody working in the vicinity.
If it isn’t already obvious, signs should make it clear which company is operating the cameras.
Employers must have a clear policy stating how long they intend to store video footage for. This should be in line with the purpose of recording the images.
For example, if you are using surveillance to protect your industrial property from crime, it would not be acceptable to store the footage for longer than six months. There is a reasonable expectation that any crimes committed at your property would have been detected and investigated in this timeframe.
Yes. Regardless of the reason why monitoring has been implemented, staff must be informed that they are being recorded. If you choose not to inform them then, depending on the location of the cameras, you could be violating their right to privacy under the Human Rights Act 1998.
Recording can only be legally kept secret in exceptional circumstances. For example, if disclosure would jeopardise a criminal investigation.
CCTV monitoring can be legally used to monitor staff as long as you have made them aware of this in writing and explained the reasons why. It is only acceptable to monitor staff secretly in rare circumstances.
For example, if you suspect a staff member of committing a crime at work, it could make it hard to prove this if they were aware of the surveillance. This is only acceptable in specific investigations. Recording should cease once the investigation is concluded.
All footage should be secured by a nominated data controller. They need to ensure that nobody else views the video data, without good reason to do so. Anybody who has been caught on camera has the right to see the footage, in which they are identifiable.
Under the 2018 Data Protection Act (GDPR), they are permitted to do this by submitting a subject access request for the relevant personal data. The data controller must respond within one calendar month and provide access to the footage.
CCTV audio recording laws state that conversations between members of the public are not allowed to be recorded. The only exceptions to this rule include panic buttons in a taxi or monitoring carried out in a private area of a police custody room.
It is only acceptable to introduce audio recording at your workplace if the purpose is justifiable. All employees also need to be made aware that both video and sound are being captured by cameras.
Businesswatch are NSI Gold approved and design, install and manage bespoke CCTV systems for all industries. Our expert team of CCTV specialists are very knowledgeable in the legal requirements associated with CCTV systems in the workplace and will make sure yours is compliant with all rules, laws and regulations when they carry out the design and installation. Get in touch for a free quote today. Call us on 0330 094 7404 or fill out our online contact form here.