- You must register with the Information Commissioner's Office (ICO) as a ‘data controller’.
- You must let people know that they are in an area where CCTV surveillance is being carried out. Displaying signs is the best way of doing this. These should be visible and readable by members of the public and should contain details of the organisation operating the system if it is not obvious.
- Where an individual requests CCTV footage containing images of themselves, this is deemed a ‘subject access request’. The premises has a duty to respond to this within 40 days and, on reviewing the CCTV footage, should disclose it where it is appropriate and available. It is advisable that this response is made in writing and a copy retained as evidence of a timely response.
- If the images include those of third parties and you do not have the equipment to blur them out, then you should not release the CCTV footage where providing these images of a third party could be an unfair intrusion into the privacy of the third party or cause any unwarranted harm or distress. You may charge for the cost of any blurring or redaction required, if you are able to access equipment to do this, but it would be sensible to explain these charges to the individual requesting the CCTV images beforehand.
- Where you are unsure as to your obligations on disclosing CCTV footage, such as where third-party images may be an issue, it is advisable to seek legal advice or contact the ICO for guidance as soon as practicable.
- In the unfortunate event that you become aware that you have breached your obligations as a data controller, you must inform the ICO of this breach.
- The penalty for a breach of your obligations as a data controller can range from a ‘warning letter’ and advice from the ICO to a fine (which can be up to £500,000), though these larger fines are confined to the most serious of breaches.
In summary, it is important to remember that if you operate CCTV your responsibilities go beyond simply ensuring that it works. The ICO provides helpful and detailed advice on its website.
CCTV is covered by the 2018 GDPR regulations.