On-site CCTV recording
All businesses must put a risk assessment in place to state the purpose of any CCTV cameras on site, and to record whether you have placed cameras around the perimeter of your site to detect intruders. If you have cameras monitoring employees, you must prove that this is for health and safety reasons. You may need to highlight past incidents as grounds for installing the cameras.
The right to be informed
Where CCTV is in place, signage must be visible to all persons on site, informing them that cameras are in place, stating the purpose for collecting the data, and providing a contact number for further information. If it is for employee monitoring or health and safety, this needs to be highlighted to persons being captured by the cameras.
Most businesses with CCTV cameras will typically retain data on site for 30 days. For longer periods, you need to carry out a further risk assessment which states the reason for holding the data and the planned timeframe. During the setup process, we will ensure you follow best practice in this area.
Subject access requests
Anyone captured on CCTV footage on your site has the right to request their personal data and to ask how you use their data after gathering it. You must provide a copy of the personal data free of charge and in electronic format if requested. If other individuals are visible in the footage, you should have a way of blurring out their identifying features.
The Gardaí may request footage from you in writing. Gardaí will often just want to view the footage on the premises of the data controller or processor; this action does not raise any data protection concerns.
Security companies act as data processors under GDPR. “Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place and what verification procedures may apply.” Any subcontractors working on your behalf, such as security companies or CCTV engineers, must follow this procedure.
Know your obligations
All companies must review their security arrangements to ensure they comply with GDPR. It’s quick and easy to buy and install your own passive CCTV system, but without proper guidance from a professional security service provider, you could be leaving yourself open to prosecution and fines. For more information, see the Data Protection Commission’s overview of responsibilities for organisations.