EMPLOYMENT CASE LAW / HUMAN RESOURCE MANAGEMENT – CCTV footage in the Workplace and the Data Protection Acts
The use of CCTV systems has greatly expanded in recent years. So has the sophistication of such systems. Recognisable images captured by CCTV systems are personal data. They are therefore subject to the provisions of the Data Protection Acts. A Data Controller (the Employer) needs to be able to justify the obtaining and use of personal data by means of a CCTV system. In order to satisfy the fair collection principle, it is necessary that those people whose images are captured on camera are informed about the identity of the Data Controller and the purpose(s) of processing data.
A system used to control the perimeter of a building for security purposes will usually be easy to justify. The use of CCTV systems in other circumstances, e.g. to constantly monitor Employees or customers, can be more difficult to justify and could involve a breach of the Data Protection Acts. Therefore, it is necessary that signs confirming use of CCTV cameras are placed in prominent positions and are easily legible.
The Irish Data Protection Commissioner has issued guidelines in relation to CCTV use in the workplace. These guidelines have included a requirement for a written CCTV policy to be put in place. Employers are required to perform assessments which show that any use of CCTV is justified within their Organisation.
A CCTV policy must include the following:
- The identity of the Data Controller
- The purpose for which data are processed
- Any third party to whom the data may be supplied
- Retention period for CCTV data
- Security arrangements for CCTV.
Data controllers should complete the following steps in line with the guidelines issued by the Data Protection Commissioner:
- Conduct and evaluate a Risk Assessment process
- Complete and review a Privacy Impact Assessment
- Develop a data protection policy dealing with CCTV devices
- Clearly demonstrate previous incidents that have led to security/health and safety concerns that may justify the use of CCTV.