Every employer and business owner aims at protecting their premises, equipment, resources and reputation. To achieve these goals, they may choose to use a CCTV system to monitor the workplace and employees at work. However, this right to protect your own business has to be balanced against your staff’s and clients’ right to privacy.
There are some CCTV regulations and standards you have to comply with, mainly I.S. EN 50132 standard issued by NSAI (National Standards Authority of Ireland) and General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.
The Irish standard I.S. EN 50132-7 was adopted in 1999. It sets guidelines for such system and operational criteria as, for example, determining the number and location of cameras, choosing the camera and a video transmission system, installing, testing and commissioning the CCTV system.
It is worth mentioning that I.S. EN 50132-1 (Part 1) identifies more than 100 basic requirements concerning technical specifications, video recording and transmission, access rights and using video surveillance system in high-risk environments.
To provide customers and personnel with a decent level of security and to guarantee your CCTV system is functioning properly, it is necessary to make sure your current video surveillance system is compliant with EN 50132-1.
Furthermore, when an employer collects stores or uses information (emails, Internet use and CCTV footage) about the employees or clients, GDPR and the Irish Protection Act 2018 has to be taken into consideration.
This act describes the rules to follow when monitoring people in the workplace. Businesses of all sizes must be aware of regulatory requirements as the penalties for non-compliance can be up to 4% of global annual turnover.
So, if you are collecting or storing recognizable CCTV images, you are managing ‘personal data’ and acting as a Data Controller. A Data Controller has to justify the use of personal data.
There are a few steps you need to take to comply with GDPR:
Justifying security cameras placed around the perimeter of your premises should not be a problem. Although, if you decide to monitor your employees at work, this can be perceived as an invasion of privacy. Nowadays one of the most popular reasons for such usage is Health & Safety provision, which is quite acceptable.
You must inform your staff members and customers of the video surveillance system in use and explain the purpose. There must be a sign and a contact number to follow up. Additionally, there has to be a written CCTV policy mentioning the company storing the CCTV footage, the reasons for using CCTV footage, how one can request the data, time of retention of the data etc.
As a Data Controller, you need to justify the reasons for retaining data. Usually, this period is limited to 30 days, although you can keep the data longer under some circumstances.
According to GDPR, any person recorded by a CCTV system has a right to request and be supplied with a copy of their data.
Any business has to be aware of the laws associated with video surveillance systems as ignoring the above-mentioned regulations and standards may result in hefty penalties.