The use of CCTV systems has greatly expanded in recent years. So has the sophistication of such systems. Systems now on the market have the capacity to recognise faces. They may also be capable of recording both images and sounds.
The expanded use of CCTV systems has society-wide implications. Unless such systems are used with proper care and consideration, they can give rise to concern that the individual’s “private space” is being unreasonably eroded.
Recognisable images captured by CCTV systems are “personal data”. They are therefore subject to the provisions of the Data Protection Acts.
A data controller needs to be able to justify the obtaining and use of personal data by means of a CCTV system. A system used to control the perimeter of a building for security purposes will usually be easy to justify. The use of CCTV systems in other circumstances – for example, to constantly monitor employees, customers or students – can be more difficult to justify and could involve a breach of Data Protection Acts.
Proportionality
Proportionality – is a CCTV system justified?
Section 2(1)(c)(iii) of the Acts require that data is "adequate, relevant, and not excessive" for the purpose for which it is collected. This means that a school/ETB must be able to demonstrate that the serious step involved in installing a system that collects personal data on a continuous basis is justified. The school/ETB will therefore have to ensure that the CCTV recording is justified, reasonable, and proportionate in all the circumstances. Before proceeding with such a system, it should also be certain that it can meet its obligations to provide data subjects, on request, with copies of images captured by the system.
Proportionality –what will the system be used for?
If a data controller is satisfied that it can justify installing a CCTV system, it must consider what it will be used for and if these uses are reasonable in the circumstances.
Security of premises or other property is probably the most common use of a CCTV system. Such a system will typically be intended to capture images of intruders or of individuals damaging property or removing goods without authorisation. Such uses are more likely to meet the test of proportionality.
Other uses may fail the test of proportionality. For example, using a CCTV system to constantly monitor employees is highly intrusive, and may be very difficult to justify save in the most unusual of circumstances. If the monitoring is for health and safety reasons, a data controller would need to demonstrate that the installation of CCTV was proportionate in addressing health and safety issues that had arisen prior to the installation of the system.
Proportionality – what images will be captured?The location of cameras is a key consideration. Use of CCTV to monitor areas where individuals would have a reasonable expectation of privacy would be very difficult to justify. Toilets and rest rooms are an obvious example. To justify use in such an area, a data controller would have to demonstrate that a pattern of security breaches had occurred in the area prior to the installation of the system such as would warrant constant electronic surveillance. Where such use can be justified, the CCTV cameras should never be capable of capturing images from cubicles or urinal areas.
Cameras placed so as to record external areas should be positioned in such a way as to prevent or minimise recording of passers-by or of another person's private property.
Transparency
Section 2D of the Acts requires that certain essential information is supplied to a data subject before any personal data are recorded. This information includes:
• the identity of the data controller;
• the purposes for which data are processed;
• any third parties to whom the data may be supplied.
This can usually be achieved by placing easily-read and well-lit signs in prominent positions. A sign at all entrances will normally suffice.
If the identity of the data controller and the usual purpose for processing – security - is obvious, all that need be placed on the sign is a statement that CCTV is in operation as well as a contact (such as a phone number) for persons wishing to discuss this processing. This contact can be for either the security company operating the cameras or the owner of the premises.
If the purpose or purposes is not obvious, there is a duty on the data controller to make this clear. A CCTV camera in a premises is often assumed to be used for security purposes. Use for monitoring staff performance or conduct is not an obvious purpose and staff must be explicitly informed in writing before any data are recorded for this purpose. Similarly, if the purpose of CCTV is also for health and safety reasons, this should be clearly stated and made known.
Storage and retention
Section 2(1)(c)(iv) of the Data Protection Acts states that data "shall not be kept for longer than is necessary for" the purposes for which they were obtained. A data controller needs to be able to justify this retention period. For a normal security system, it would be difficult to justify retention beyond a month, except where the images identify an issue (e.g. a break-in or theft) and is retained specifically in the context of an investigation of that issue.
The storage medium should be stored in a secure environment with a log of access kept. Access should be restricted to authorised personnel.
Supply of CCTV Images to An Garda Síochána
If the Gardaí want CCTV images for a specific investigation it is up to the data controller to satisfy himself that there is a genuine investigation under way. For practical purposes, a phone-call to the requesting Garda’s station may be sufficient, provided that you speak to a member in the District Office, the station sergeant or a higher ranking officer, as all may be assumed to be acting with the authority of a District/Divisional officer in confirming that an investigation is authorised.
Access Requests
Any person whose image has been recorded has a right to be given a copy of the information recorded. To exercise that right, a person must make an application in writing. A data controller may charge up to €6.35 for responding to such a request and must respond within 40 days.
Practically, a person should provide necessary information to a data controller, such as the date, time, and location of the recording. If the image is of such poor quality as not to clearly identify an individual, that image may not be considered to be personal data.
In giving a person a copy of their data, the data controller may provide a still/series of still pictures, a tape or a disk with relevant images. However, other people's images should be obscured before the data are released.
Covert surveillance
The use of recording mechanisms by a school/ETB to obtain data without an individual's knowledge is generally unlawful. Covert surveillance is normally only permitted on a case by case basis where the data are kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This provision automatically implies an actual involvement of An Garda Síochána or an intention to provide this evidence to An Garda Síochána.
Covert surveillance must be focused and of short duration. Only specific (and relevant) individuals/locations should be recorded. If no evidence is obtained within a reasonable period, the surveillance should cease.
If the surveillance is intended to prevent crime, overt cameras may be considered to be a more appropriate measure, and less invasive of individual privacy.
Responsibilities of security companies
Security companies that place and operate cameras on behalf of clients are considered to be "Data Processors". As data processors, they operate under the instruction of data controllers (their clients). Sections 2(2) and 2C of the Data Protection Acts place a number of obligations on data processors.
These include having appropriate security measures in place to prevent unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all unlawful forms of processing. This obligation can be met by having appropriate access controls to image storage or having robust encryption where remote access to live recording is permitted.
Staff of the security company must be made aware of their obligations relating to the security of data.
Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place and what verification procedures may apply.
Furthermore, Section 16 of the Data Protection Acts 1988 & 2003 requires that certain data processors must have an entry in the public register maintained by the Data Protection Commissioner. For further information, please refer to our website for Guidance notes on Registration. Those parties who are required to be registered and process data whilst not registered are committing a criminal offence and may face prosecution by [the Data Protection Commissioner’s] office. (This provision may only apply where the data controller can identify the persons whose images are captured.)
What if An Garda Siochána, Department of Social Welfare, HSE or some other state authority requests access to the school’s data?
An Garda Siochana
If a law enforcement authority, such as An Garda Síochána, is seeking a recording for a specific investigation, any such request made by An Garda Síochána should be made in writing specifically stating that the request relates to a particular investigation and that the recordings are required for the purposes of that investigation. On receipt of such a request, the school/ETB should immediately seek legal advice to ensure that furnishing a copy of the recording or allowing the Gardaí to view it complies with Section 8(b) of the Data Protection Acts. In certain circumstances a warrant may be required.
Transfers to other state agencies (Department of Social Protection, Revenue, HSE etc)
If a state agency requests information/data from the school/ETB, the school/ETB will need to satisfy itself that the state agency has a legal basis for requesting the school provide such data, and that the school/ETB is obliged to disclose the requested information on the basis of that legal requirement. The Office of the Data Protection Commissioner has drawn a distinction between situations where the school/ETB is under a legal obligation to disclose personal data (which would take precedence over the individual’s right to privacy under the Data Protection Acts) and situations where the school has a statutory discretion as to whether or not to make the information available. The Data Protection Commissioner has advised:
“All data controller, and particularly those in the public sector, should note that a statutory discretion to make personal data publicly available is not the same as a statutory requirement to do so. It is only the latter that takes priority over the normal application of data protection principles”.
Source: Office of the Data Protection Commissioner’s Case study 6/1998.
If the school/ETB is in any doubt, advice should be sought before complying with the request.