CCTV and Data Protection
Recognisable facial images captured by CCTV systems are special category personal data and on that basis require appropriate controls and protections around their use, in line with statutory requirements contained in the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (the Acts).
This confers rights to persons under the Acts. Importantly, the Council has duties and obligations as the holder of personal data, as in these cases, and must ensure such data is handled and managed correctly. This policy statement sets out what Kildare County Council, as Data Controller, must do in relation to management of personal data processed using CCTV.
Purposes and locations for CCTV:
Kildare County Council operates as a data controller regarding the use of CCTV for a range of purposes at various locations around the County:
- Security of Council premises and property, including assisting in the safety and security of staff, visitors and customers on our premises throughout the County;
Management of CCTV:
In fulfilling its role as a Data Controller the Council is committed to ensuring that personal data collected via CCTV will be in line with the principles of the GDPR as below;
- Obtained lawfully, fairly and in a transparent manner
- Obtained for only specified, identified and legitimate purposes
- Processed for purposes which we have identified or purposes compatible with the purposes that we have identified.
- Adequate, relevant and limited to what is necessary for purpose for which it was obtained
- Personal data collected and processed must be accurate and (where necessary) kept up to-date.
- Kept only for as long as is necessary for the purposes for which it was obtained.
- Processed in a manner that ensures the appropriate security of the personal data including protection against unauthorised or unlawful processing.
Processing CCTV images lawfully
The Council will identify a primary purpose for each CCTV system and this shall be aligned to a lawful basis, in accordance with Article 6(1) of the GDPR being either
- A task carried out in the public interest
- Exercise of official authority vested in the controller
- Necessary for compliance with a legal obligation to which the controller is subject or
- In exceptional circumstances processing is necessary in order to protect the vital interests of the data subject or of another natural person
The staff approved to access CCTV systems in the course of their duties will primarily do so for the purposes for which the CCTV was approved and installed.
This is without prejudice to the provisions of the Data Protection Act 2018 which in limited circumstances may allow limited access to and use of personal data, for purposes other than those specified related to the CCTV system, where it is necessary and proportionate for the Council to do so.
Processing CCTV images fairly and in a transparent manner.
To ensure compliance the Council will:
- Include reference to CCTV use on its online Data Protection information
- Ensure reference is made in privacy statements to the use of CCTV and its purpose where relevant in relation to a service;
- Where feasible, ensure that signage regarding use of CCTV is easily- read and well-lit and in prominent positions, for example at the entrance to a facility where used at a property of the Council or at reception areas, or close to internal cameras, if used in rooms:
Ensure that the signage: - States the name of Data Controller - Kildare County Council
- States purpose for CCTV use, where this is not readily obvious and includes an icon or statement that CCTV is in use
- Provides contact details of the DPO – 045 980 200 or dataprotection@kildarecoco.ie
- Ensure customers are advised of the use of CCTV using Video and Audio Recording in meeting rooms, where applicable. These rooms should also display signs as above.
More information on privacy statements for CCTV use is available
Ensuring data minimisation and compliance with retention standards.
Article 5(1)(e) of the GDPR states that personal data shall be:
”..kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed..”
- In accordance with this the normal retention period shall be not greater than one month.
- Where, in response to an access request from An Garda Síochána or other agencies or processors (such as legal representatives), footage is downloaded and provided it shall be deleted from the CCTV system upon transmission to An Garda Síochána.
- In line with principles of data minimisation, use of CCTV to monitor areas where individuals would have a reasonable expectation of privacy will not take place. Cameras placed so as to record external areas shall be positioned in such a way as to prevent or minimise recording of passers-by or of another person's private property. Compliance with this requirement must be demonstrated at installation and reviewed periodically by persons authorised to access images.
Processed in a manner that ensures the appropriate security of the personal data
- Recorded images will be stored in a secure environment, will be restricted to authorised individuals and access controls will be in place to ensure they are secure (practical measures include remote feeds to secure locations/servers, password controlled/encrypted access to data, locked storage rooms);
- Security companies that place and operate cameras on behalf of clients may be considered to be "Data Processors", depending on the nature of their access to footage. As data processors, they operate under the instruction of data controllers (Kildare County Council). Where any aspect of the services provided by a data processor involves processing of personal data obtained through CCTV the processor must be subject to a data processing agreement that sets out their obligation to the Council as controller, in detail.