Following recent events, involving closed-circuit television (CCTV) footage capturing a certain ex-Health Secretary and his aide being leaked to the press, resulting in red faces all around, we present to you our top three Do’s and Don’ts of using CCTV to monitor your employees.
DO: Inform your employees of the monitoring
Whilst it is still unclear whether the aforementioned individuals knew that there was CCTV in operation, or that their office antics were being recorded on said CCTV, the general rule is that you must inform your employees if you are planning to use CCTV on your premises.
Informing your employees of CCTV monitoring is part of complying with your Fairness and Transparency requirements. The first principle of the GDPR states that Information which relates to an identified or identifiable natural person. processing must be lawful, fair and transparent. In their guidance, the The United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc. (The United Kingdom’s independent ‘supervisory authority’ for ensuring compliance with the UK GDPR, Data Protection Act 2018, the Privacy and Electronic Communications Regulations etc.) states that processing is unfair “if anyone is deceived or misled when the personal data is obtained.” This also links very much to transparency, which is about being open and honest about how you collect and A series of actions or steps taken in order to achieve a particular end. individuals’ personal data and for what purposes. Therefore, informing employees that their personal data is being collected through the use of CCTV cameras, and for what purposes, is very important. This information should be provided in an employee A clear, open and honest explanation of how an organisation processes personal data., as well as through signage around the areas in which the monitoring is taking place.
Although informing your employees of the use of CCTV monitoring is a key ‘DO’ on this list, the ICO does highlight that in some situations it may be lawful to use covert CCTV surveillance. However, this will only be justifiable in “exceptional circumstances”, for example, if you as the employer have genuine suspicions that criminal activity is taking place. In reality though, this exception will apply in very few cases because the personal data processing must not be disproportionate to, or unnecessary for, achieving your stated purposes.
DON’T: Use CCTV when it is disproportionate or unnecessary
Before embarking on the setup and installation of your CCTV system to monitor your employees, it is essential to consider the The purpose of the personal data processing activity must not be able to be achieved by a less intrusive method. and A balance must be struck between the means used and the intended aim to ensure that a processing activity is proportionate. of this data processing. This can be achieved through completing a A formal documented assessment which allows decision-makers to identify, manage and mitigate any data protection risks associated with a project. (DPIA). A DPIA should be completed for any processing activity that is likely to result in a high risk to the rights and freedoms of individuals, and in its guidance on DPIAs, the ICO lists tracking at the workplace as a processing operation that would fall into this category.
The wider purpose of performing a DPIA on a processing operation is to identify and assess any risks that the processing may present and how they can be mitigated. However, prior to this, a DPIA requires a An entity (such as an organisation) which determines the purposes and means of the processing of personal data. to determine the necessity and proportionality of the processing operation. Necessity requires you to consider whether the planned processing will actually help you to achieve your purpose for processing. Proportionality then asks whether you can achieve that purpose by processing in another, less intrusive way.
If your purpose can be achieved in a less privacy intrusive manner, it will be hard to justify the processing. This is clearly exemplified by covert CCTV monitoring which is very difficult to justify because, in most cases, the less intrusive method of using CCTV that employees are informed about will achieve the same, or even better, results. After all, if employees know that they are being filmed on CCTV, this is likely to deter poor performance or bad behaviour in the first place; when compared to catching employees red-handed in the act, the former seems preferable.
DO: Have a CCTV Policy
If, based upon your completed DPIA, you have determined that you will go ahead with using CCTV to monitor your employees, you need to ensure that you have a CCTV policy in place to govern its use. Your policy should cover:
Having a comprehensive CCTV policy in place and ensuring that staff are aware of and adhering to it is a key part of demonstrating compliance with the GDPR’s Perhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. principle.
There are many data protection considerations to take into account when thinking about using CCTV to monitor your employees. Following our top three Do’s and Don’ts should help you to assess whether CCTV employee monitoring is right for your organisation, and to begin to comply with the data protection obligations borne out of using CCTV in this way.
For more guidance on complying with your data protection obligations when using CCTV, download our free white paper.
Fill in your details below and we’ll get back to you as soon as possible