It's time to review your CCTV policy

The Irish Data Protection Commissioner (ODPC) issued an updated and expanded guidance note in relation to the use of CCTV.

What has changed?

One of the most significant differences between the new and earlier guidance is the requirement that "a written CCTV policy must be in place". Previously the ODPC simply stated the type of information that must be provided to those who are recorded using CCTV.

There is also a new section in the guidance note regarding collection of data.

Section 2(1)(c)(iii) of the Data Protection Acts 1988 to 2003 states that personal data must be collected and processed in a manner that is:

“Adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed.”

Data controllers are now expected to carry out detailed assessments which will show that any use of CCTV is justified and satisfies the relevant statutory obligations.

The guidance note states that data controllers who wish to use CCTV should ensure that they complete the following steps:

  • conduct and document a risk assessment process;
  • conduct and document a Privacy Impact Assessment;
  • prepare a specific data protection policy dealing with CCTV devices, which should include data retention and disposal policies for the CCTV footage recorded;
  • be able to demonstrate, using documentary evidence, previous incidents that have led to security or health and safety concerns that may justify the use of CCTV; and
  • prepare and display clear signage indicating that there is image recording in operation.

My company uses CCTV, what action should I take?

We recommend that you take action now to comply with the guidance. Firstly, assign the designated data controllers in your business, then ensure that they follow the above steps to reduce the likelihood of issues arising in relation to your CCTV use in the future.

While the guidance note from the Data Protection Commissioner is not actually law, it is recommended that businesses adhere to any guidance/instruction issued by the Office of the Data Protection Commissioner. The Commissioner is the regulator charged with upholding and enforcing data protection legislation in Ireland. Those businesses that outsource CCTV to third parties should review their arrangements with these service providers. Employers that monitor employees using CCTV, or the areas in which employees work or congregate, should review their employment policies or staff handbooks to ensure that CCTV use is dealt with in line with the Guidance Note.

If your organisation uses CCTV it is time to review your use, and make the appropriate changes needed to comply with the Data Protection Commissioner's new Guidance Note.
