A simple question for you, “Do you have continuous CCTV operating in your organisation’s vehicles?” If you do and it records continuously then you might need to consider and identify, whether this is a breach of the regulations, particularly in the context of recording CCTV in vehicles that belong to your organisation.
You may have a ‘legitimate’, lawful basis for recording CCTV inside or around your organisation’s vehicles perhaps for personnel safety, client safety, demands by your insurers, etc. However, simply running the CCTV recording continuously, may be a breach.
CCTV is considered intrusive and as biometric data, it is classed as Special Category Data under the EU GDPR (General Data Protection Regulation) and the Data Protection Act 2018. The law states that the ‘processing of personal data should be necessary for its purpose and proportionate’ which means that monitoring staff when they are working and might expect to be monitored is reasonable, and monitoring staff when they are on breaks or off-duty might when they might not expect to be monitored, may not be reasonable and may be unlawful, unfair and excessive under data protection legislation and in breach of Article 8 of the Human Rights Act 1998.
Perhaps you have drivers that take the organisation’s vehicles home with them and are permitted to use them for personal and/or domestic purposes i.e., a van or company car, etc. Recording CCTV (this includes dashcams) during these periods of personal or domestic use may be a breach.
Perhaps you have drivers that can only use the organisation’s vehicle for organisation purposes and business however, they take their vehicle home with them but are considered off-duty between the depot and their home. Then recording CCTV in the period between being officially off-duty and getting home may be a breach.
Your organisation may have identified that the safety of personnel and the security of the organisation may need CCTV monitoring and recording however, your organisation needs to fully consider the impact of continuous CCTV monitoring and recording.
You will also need to consider retention periods and who runs the CCTV system if you outsource the project. Where are the servers based? Who has access and more. You will need Data Processor Agreements in place with your CCTV providers. If you run the system in-house, you will need to consider network access and security, hardware disposal and more.
You will need to review all policies and procedures around Personnel and Data Protection to ensure compliance with all the laws and regulations around data privacy, data protection, Use of CCTV, etc.
If you justifiably need CCTV monitoring and recording do not just go and buy a kit or install a CCTV system without carrying out a full project analysis including a Data Protection Impact Assessment.
If you contract an installer, ask them questions about the impact of CCTV and the laws, regulations governing its use. A reputable CCTV provider and installer should be able to outline the issues whilst not being a data specialist.
The Data Protection Act 2018 (including the GDPR) came in to force in the UK on 25th May 2018 and in preparation for compliance with the new law, your organisation should have reviewed and identified all data sources including biometric data like CCTV, data security, etc. If you are unsure about whether you currently breach or are likely to breach the CCTV and Data Protection regulations, seek advice.
By the way, we can help.
Reference material for this article was taken from: article produced by the ICO (Information Commissioner’s Office – the UK’s Data Privacy Regulator) about continuous CCTV in Taxis. (Accessed: 26 August 2018).