Regulations around CCTV cameras and your requirements under the Data Protection Act

Many premises now have CCTV cameras for security purposes and it is estimated there is 1 camera for every 32 UK citizens. But it is important to consider the regulations around CCTV cameras and your requirements under the Data Protection Act. If your business is contacted by a member of the public to provide a copy of CCTV footage, in which they appear in their own vehicle at a specific time, as captured by your company surveillance cameras. Are you required to provide a copy?

Subject Access Request

This request would be considered a Subject Access Request as stipulated by the Data Protection Act 2018. In principle, it means this information would have to be provided if it relates to the individual subject. The Act outlines that such information should be provided ‘without delay, and at the latest, within one month of receipt of the request.’ You can request to extend the deadline for complying with the request by up to two months if the request is complex in nature and that this is communicated to the individual. It should also be noted that under the new GDPR guidelines you can no longer charge a £10 administration fee for providing such footage.

Issues to Consider

There are a few other issues to consider here with regards to releasing the footage. The request does, of course, have to relate to information concerning the subject personally and their vehicle so, you will need to identify the person making the request e.g. seeing their driving licence to make sure you are not releasing information they are not entitled to. The ICO (Information Commissioners Office) provides a Code of Practice outlining requirements for CCTV systems. It outlines that surveillance systems used should ‘allow[s] you to easily locate and extract personal data in response to subject access requests. They should also be designed to allow for the redaction of third party data where this is deemed necessary’. The ICO Code of Practice also outlines that data itself should be provided in a permanent form unless the subject agrees to receive the information in another way, such as by viewing the footage. It would also be advisable to consider undertaking a Privacy Impact Assessment as a means to minimalise any overall data protection risks.

Conclusion

Whilst the request would require your response it would be recommended that you identify the individual (and his vehicle) first so that you are confident that you are responding to the person entitled to receive the information. In the meantime, you should check the footage to ascertain whether or not the individual has actually been captured. If any other subject is captured by the footage then measures need to be taken to obscure the identity of those individuals/vehicles before the footage is released. For further advice please call Ashley Sutherland at Hegarty Solicitors on 01733 295 553 or email ashley.sutherland@hegarty.co.uk