CCTV footage: a GDPR nightmare?

The leaking of former Health Secretary Matt Hancock’s affair via CCTV footage recently dominated headlines, ultimately resulting in his resignation. However, it also raised questions regarding the GDPR and privacy issues associated with CCTV in the workplace.

So, how can businesses stay on the right side of the law when implementing this technology? Martin Noble, partner and data protection expert at law firm Shakespeare Martineau, explains.

People often associate personal data with details such as phone numbers and email addresses; however, images of individuals also fall under the umbrella of personal data. As a result, any business that is recording its employees via CCTV must follow the correct GDPR processes or face serious penalties.

Before installing CCTV, employers should carry out a data protection impact assessment (DPIA) where the use of surveillance camera data is likely to result in a high risk to individual privacy. A DPIA identifies the risks of handling the data, and ways to mitigate these. For example, every individual has a right to privacy, and the use of the CCTV must be justified when balanced against this. Employers should consider minimising the impact on people’s privacy, such as putting cameras outside of offices rather than in them or keeping them to communal areas only and ensuring they don’t capture sound. As a rule of thumb, if there is a way to gain the same information in a less intrusive manner, then that option must be chosen. The DPIA should also identify the legal basis that the employer intends to use for using the CCTV. If this is on the basis of identified “legitimate interests” then they cannot outweigh individual interests, rights and freedoms.

It is not just a case of keeping a DPIA on record though. As part of the overall assessment, it may also be prudent to speak to relevant stakeholders in the business, including employees. Having decided to use CCTV, employers will need to make all employees aware that their data is being captured. Due to the imbalanced nature of the employer-employee relationship, consent cannot be relied upon as a lawful basis for processing such data. Instead, employees should be able to access a privacy policy that sets out the grounds that the business is relying on to handle the data. This should include how it will be used, how it will be stored, how long it will be stored, and who can access it.

Any data collected should only be used in accordance with the privacy policy, such as for health and safety reasons or to monitor employee behaviour to prevent misconduct. Notices should also be clearly placed around the building which notify people that CCTV is in operation, as visitors also need to be made aware that their personal data is being captured.

However, should a business owner have concerns about a specific employee, for example, there is no law against the use of covert cameras. Nevertheless, they must still be able to demonstrate that there is a lawful basis for planting a camera, and that this isn’t outweighed by the rights of the individual. A DPIA must be carried out to cover those circumstances.

Matt Hancock appears to have been caught by a covert camera, placed there without the Government’s permission. This was reported as being an ‘outlier’ which meant that it was not on the main CCTV circuit or installed by his employer. Employers do have a duty to look after their employees and this has raised some security issues in terms of how the footage was obtained in the first place. If they could be found, then the person who planted the camera would face a claim for breach of privacy.

Even if fully informed about the use of CCTV in the workplace, employees do still have the right to object if they don’t agree with the way their personal data is being processed. Initially, employers should offer to explain in more detail the reasoning for the CCTV, as clarification regarding its purpose and usage may be all that’s required to put the employee’s mind at ease. However, should they continue to claim that it is overly intrusive, employers will have to consider how best to move forward.

If there is a particular camera that is of concern, removing it may be the simplest option. On the other hand, if it is the concept of CCTV itself that the employee disagrees with, then the employer must consider whether the individual’s rights are likely to override the legitimate interests they seek to protect. If they believe that their grounds do not override the employee’s rights, then they can choose to keep the cameras as they are.

Should the CCTV stay in place, and the employee continues to have concerns, then the business could face a claim by the affected individual for breach of data protection legislation and their right to privacy. The employee also has the option to escalate the complaint to the ICO, which has the power to investigate and issue fines for GDPR breaches. These fines differ depending on the severity of the offence and are capped at a multiple of their overall turnover, meaning they can lead to a significant financial loss for non-compliant businesses. This is why being able to demonstrate the legal basis for using CCTV is vital.

CCTV is more prevalent than ever now that the technology is more affordable, with SMEs as well as large corporates able to install it in the workplace. However, there is no threshold for GDPR compliance, with businesses of any size having to follow the correct procedures. Seeking legal advice before implementing CCTV can help employers to ensure they carry out the necessary checks, avoiding costly fines.