DPO: Data Implications of CCTV Usage

Posted  9th February 2022

This is a summary taken from Judicium’s DPO ‘Sofa Session’ from the 9th of February, with Data Services Team Leader Parminder Nijjar, LLB (Hons), L.P.C., PC.dp GDPR. This session was focused on: CCTV in schools, the school’s CCTV policy and procedures, dealing with SARs (especially parental ones), practical tips, common mistakes and risks and training for key staff.

The Use of CCTV Within a School Setting and How it is Linked to Data Protection

What is CCTV?

CCTV essentially refers to a type of surveillance camera that is a sophisticated operation used to record and store footage within tapes or digital format. Due to the advances in technology, it can be used to identify individuals and keep detailed record of peoples activities.
 
As the technology behind CCTV has advanced so has the concern around public privacy. Footage from CCTV has been used to collect evidence, build conviction cases and inform decision making. The collecting and storage of personal data raises various data protection implications, therefore is falls under the UK GDPR and Data Protection Act.

Where is CCTV?

CCTV cameras can be set up both in external areas (e.g.  the playground, car park, or front & back gates) and internal areas (e.g. reception, corridors or classrooms).

Why use CCTV?

The main reason tends to be safety and security, although this is intertwined with additional concerns, such as theft, vandalism, and antisocial behaviour.

It is important to establish the legal reasoning behind CCTV use to meet with one of the fair processing conditions as highlighted by the ICO. The likelihood is schools will use legitimate interest. However, reasoning behind processes should be reviewed to establish this based on a sound understanding. 
 
CCTV is considered as privacy intrusive, which is why it is linked to data protection. It allows a school to capture and in many cases record images (possibly audio) of everyone who is present on the school site. Those who are caught by CCTV are usually identifiable, therefore this is considered as personal data, hence processing should be in line with the data protection principles.

The ICO also recognise the role of CCTV within data protection and have created a Code of Practice. This is currently being updated and we should see the latest version in a spring 2022.
 
The main position from a data protection perspective is to ensure that the school have considered whether the use of CCTV is Necessary, Justified and Proportionate.
 

The Importance of Considering Whether CCTV is Necessary, Justified and Proportionate 

There is sometimes a belief that since this is school premises, there is an automatic right to CCTV in order to meet security concerns.

There is however a requirement to assess its necessity and proportionality depending on your specific school’s circumstances.

Key things to think about:

  • Decide what are your objectives behind the use of CCTV

  • Establish the advantages of CCTV to achieve those objectives

  • Consider whether there is a less intrusive method that could meet the same needs

  • Weigh the pros and cons

What are the pros? 

  1. School closures – Schools hold a lot of equipment and electronic devices. When schools are closed during term breaks, CCTV offers a certain level of protection. As everyone tends to be aware when schools are closed and therefore empty.

  2. Identifies unauthorised persons

  3. Deters bullying behaviors

  4. Highlights areas of staff and pupil safety

What are the cons?

  1. Data Requests - The use of CCTV and storage of personal data means organisations can be subject to personal data requests.

  2. Fines – One of the biggest fines for CCTV was given to the German electronics retailer NBB for 10.4m Euros. It is important that when using CCTV the reasoning is a legitimate response to a specific problem.

  3. Invasion of privacy – Is it proportionate in the circumstances to implement and maintain a CCTV system.

Data Sharing Important Factors from a Data Protection Perspective 

CCTV Policy 

Have the School adopted a CCTV policy?

This should be detailed and not general. At minimum, it should highlight where all the cameras are placed, levels of authorization, and who is responsible for its operation.

Data Protection Impact Assessments (DPIAs) 

Have you carried out a risk assessment?

  1. New CCTV: If you are considering implementing a CCTV system this is a perfect time to carry out a risk assessment. You will need to cover:

    • the risks associated with CCTV

    • the justifications and the steps taken before deciding upon CCTV

    • the DPO should sign off on this as a priority.

  1. Current CCTV: If your CCTV has been in operation for a number of years and is ready to be upgraded e.g., new software, better system, more cameras we recommend completing a risk assessment.

  2. Current CCTV but no plan to upgrade: There is no duty upon you to carry out a risk assessment in this situation. However, if you have any concerns about how the data is being processed then it is a great way to ensure you are on the right track.

CCTV Log

It would be beneficial to note down who views the recorded footage and when.

It will limit the use of CCTV and allow your school to regulate its use. As mentioned, the amount of data caught by CCTV is vast and therefore it is best to keep exposure to a minimum.

Data Requests

Many schools tend to receive CCTV data requests from the Police. This can be an unsteady area for most organisations, as providing that footage will mean you are sharing the data of all the individuals caught within the image.

Whenever there is a request whether from the police or individuals think about:

  • Whether the request is specific enough?

  • Are individuals identifiable?

  • Does your CCTV have the capability to blur or crop?

  • Is there a different method you can utilise outside of providing the footage?

  • Remember this is still considered to be a subject access request, therefore schools must follow the ICO guidance, so speak to your DPO.

      Good Practice Tips

      1. How long should we keep CCTV footage? 

      There is not a legal time frame for how long to maintain footage. Essentially the guidance is that you should only keep footage for as long as necessary.

      Practically speaking, most footage should be kept for no longer than 30 days and your retention limit should be outlines in your Data Retention Policy and CCTV Policy.
       
      The only time you may hold footage for longer is when there is a concern, such as, someone has made a data request. 

      2. Is it okay to fit CCTV cameras in any location? 

      Location of cameras will be key.

      External cameras:

      • To the best of your ability, these should not cover peoples houses or public footpaths.

      • This is not always possible when cameras are facing the front/back gate.

      • Some overspill is okay, just as long as it is not facing into another property.

      3. How can we cover the data protection principle of Transparency? 

          Make sure staff, parents and pupils are aware that CCTV is in operation.

          This can be done through appropriate signage in areas where CCTV is located and recording, meaning it should be clear that CCTV is in operation, there should be named contact and a method to contact that individual e.g. a phone call.

           Where CCTV is yet to be implemented, informing the various stakeholders in the school either via letters, briefings sessions or consultations is a great way to field any concerns early.

          4. Can we disclose the contents of CCTV footage? 

          Yes, as CCTV is personal data, it will fall within the scope of a subject access requests. However, this is not an automatic right. Each request should be judged on its own merits as the footage shouldn’t be released automatically.

          Understanding the features of your CCTV systems may help deal with requests. This means understanding their capabilities when it comes to blurring images and cropping footage. Having these features are not a necessity, but they may make dealing with requests easier.

           

          Future for CCTV Developments

            Organisations require their DPO to be proactive rather than reactive.

            Example: CCTV in the toilet area.

            There is still a trend amongst some organisations to fit CCTV cameras within toilet areas. Sometimes, this will cover the sink areas, others, a view of the entrance, and in smaller situations an overall view.

            We found the ICO guidance wasn’t clear on this. So as a DPO provider to number schools we contacted the Information Commissioner’s Office regarding to highlight what we perceive to be the risk to privacy over safety.

            The ICO have since indicated to us that they will cover this particular grey area within their new Code of Practice. They will provide further guidance to those schools that still have CCTV in sensitive areas and those who are considering it.

            As for CCTV outside of sensitive areas, on the whole this is not an issue - so long as schools can show they have correctly assessed the risks associated with CCTV and taken steps to raise awareness.

            Privacy within bathroom areas will continue to be problematic. Ofsted and ISI have also flagged this as they feel CCTV in bathrooms could be a sign of poor safeguarding culture within a school.

            Key Points to Take Away: 

            1. Consult your DPO if you are thinking of implementing and/or updating your current CCTV system.

            2. If you already have CCTV in place, consult with your DPO whether a DPIA is necessary.

            1. Consider where your cameras are placed and whether there is appropriate awareness.

            1. Make sure there is a CCTV policy in place, and it is specific to the way the CCTV system operates.

            1. When you receive a data request, speak to your DPO.

            Helpful Information: 

            ICO CCTV Code of Practice: https://ico.org.uk/media/1542/cctv-code-of-practice.pdf

            Our School DPO service assists schools and Multi Academy Trusts (MATs). Offering a dedicated Data Protection Officer, Judicium Education can act as the DPO for your school or MAT.

            Experts in GDPR and Data Protection - Receive a designated consultant to manage your account and Data Protection. Offering Advice and GDPR Training - Advising through Reports, Information sheets, and GDPR training for all employees. On call support - For school and MAT leaders, your consultant can offer support by phone or email.

            If you would like more information of how we can support you or more information regarding our DPO service, please see more details regarding the service here.

            If you require any support in any of these steps or would like to talk to someone about how we can help your School, please do not hesitate to call us on 0345 548 7000  or email enquiries@judicium.com

            If you’d like to review Judicium’s forthcoming sofa sessions please click here

             


            The Rise of Internal SARs from Staff and How it Affects HR Processes
              October 02 2024

            This is a summary taken from Judicium’s DPO ‘Sofa Session’ from 2nd October, with our Data Protection Consultant Sam Hall.

            Read more

            Get your Data Protection Ready for Summer Holidays
              July 10 2024

            This is a summary taken from Judicium’s DPO ‘Sofa Session’ from 10th July, with our Data Protection Consultant Lane Baker.

            Read more

            6 Years On: Why Your Data Protection Culture Matters
              June 05 2024

            This is a summary taken from Judicium’s DPO ‘Sofa Session’ from 5th June, with our Data Protection Consultant Bethany Parker.

            Read more

            Data Protection: Demystifying Data Mapping
              May 08 2024

            This is a summary taken from Judicium’s DPO ‘Sofa Session’ from 8th May, with our Data Protection Consultant Jessica Gant.

            Read more

            Data Protection: What is a Lawful Basis?
              March 20 2024

            This is a summary taken from Judicium’s DPO ‘Sofa Session’ from the 20th of March with Data Services Consultant Patrick Ballantine.

            Read more

            Tricky Subject Access Requests
              February 14 2024

            This is a summary taken from Judicium’s DPO ‘Sofa Session’ from the 14th of February with Data Services Consultant Sam Hall.

            Read more