Complying with data protection legislation is a fundamental requirement for all housing providers, who hold large amounts of personal and often sensitive information relating to their tenants. If you breach this legislation, you face fines, bad publicity and even criminal sanctions.
What many housing providers may not realise is that data protection legislation also covers CCTV recordings, commonly used to track crime and anti-social behaviour and monitor communal areas, and the same penalties apply.
As we’re frequently asked about this topic, we wanted to be clear on exactly what CCTV systems need to do to comply with current and forthcoming legislation, so we commissioned a briefing note1 from independent solicitors Wright Hassall. They first clarified how the Data Protection Act (DPA) relates to CCTV systems in use at housing providers, and this is the standard you have to meet now. They then considered the even tighter General Data Protection Regulation (GDPR) which comes into effect in 2018, with fines of up to €20 million or 4 per cent of global turnover (whichever is higher) for a serious breach of regulations.
The note sets out five key requirements for DPA compliance:
- A legitimate reason for collecting the data: the use of CCTV must be a “necessary and proportionate response to a real and pressing problem”.
- CCTV data must be used and kept only to fulfil its purpose, so if recordings are used for identification, the quality must be high enough to enable this. This includes the ability to switch the CCTV on and off so that recording is not continuous.
- Recordings must be stored securely to prevent unauthorised access and hacking; this means using encryption wherever possible.
- Individuals have the right to request access and if their request is valid, footage must be provided within 40 days.
- Individuals must be informed that recording is taking place with, for example, notices that CCTV is in use.
These may sound, and in fact are, perfectly reasonable, but they have significant implications for every housing provider using CCTV. Poor image quality, inaccuracy in the time/date stamp and being unable to access recordings easily when requested are problems we hear about frequently when we visit housing providers, and they are all potential DPA breaches.
Some of the housing providers we speak to don’t even know how many CCTV systems they use or whether they are actually working because they’re not managed centrally. But ignorance is no excuse for breaking the law. All your staff who manage, operate or are responsible for maintenance of your CCTV systems need to understand their responsibilities under the DPA, and you should have a documented information-retention policy which they understand and adhere to.
As the Information Commissioner’s Office (ICO) points out, if data is to be recorded then it must be done securely and accurately in order to be used properly, otherwise its capture is unjustified. As a housing provider, if you don’t store your CCTV footage securely to prevent unauthorised access and hacking, you’re at risk of a fine or a more serious penalty. It’s worth noting that in order for data to be considered secure, you should also change the usernames and passwords used to access the information from the default settings and make sure that they’re of a sufficient strength to prevent unauthorised access.
The key to compliance is to treat CCTV footage in exactly the same way as all the other personal data you hold. There are a number of simple steps you can take, starting with a Privacy Impact Assessment (PIA) to identify the most effective way to comply with your data protection obligations and meet individuals’ expectations of privacy. An effective PIA will enable you to identify and fix any problems in how you obtain and store data and ensure you avoid any breaches. For more information on PIAs, the ICO has produced a useful guide2.
For many CCTV systems, adding security to ensure DPA compliance can make them less accessible and usable. Another solution is to use cloud-based CCTV systems, as these by their nature retain data securely offsite. Some also have all the necessary security and encryption features ‘baked’ into them. Cloudview’s cloud-based service works with existing CCTV hardware and can be used to provide control of CCTV systems across multiple sites, with a unified view of all video feeds. Police forces and utility companies are already beginning to use this type of system, and Cloudview has been awarded the ‘Police Preferred Specification’ status, the only CCTV product of any description to have received this accolade.
References
- Is your use of CCTV compliant with data protection legislation? Wright Hassall howtocloudview.com/papers/2016_DPA-briefing-note.pdf
- Conducting privacy impact assessments code of practice, ICO ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
James Wickes is CEO and co-founder of Cloudview.
For more information about Cloudview, visit www.howtocloudview.co
