CCTV and Data Protection
Increased use of CCTV cameras affords great potential for monitoring of employees in the workplace and of individuals in public areas. However, a balance is required between the legitimate interests of the operators of CCTV and those who are under surveillance. As there are a number of potential privacy infringements that could arise from personal data being processed in such a manner there is clearly a need for strict controls and clear criteria in regard to its use. These issues were raised when the Data Protection (Amendment) Bill, 2003 (now an Act) was debated in the Oireachtas.
The Data Protection (Amendment) Act, 2003 came into operation on 1st July 2003. It implements the 1995 EU Data Protection Directive and amends the Data Protection Act, 1998. The 2003 Act introduces improved rights for individuals and further measures to safeguard personal privacy. The individual’s right to control how their personal data is processed is extended. In essence, the processing of data must be fair; the data subject must be aware or be in a position to learn that such processing is going on, and must be aware of any third parties to whom the data may be transmitted.
Audio-visual data is not explicitly included in the 2003 Act but as the Directive states that its provisions extend to “sound and image data”, CCTV footage is included, provided the data obtained is contained or intended to be stored in a filing system from which personal data is easily retrieved.
While not binding, the Code of Practice issued by the UK Data Protection Act Information Commissioner is of interest. Under the Code operators must make the public aware of the presence of a CCTV system by placing signs on their premises. Various obligations apply to the positioning and operation of the cameras, the purpose of the system should be documented and the system should not be used for other purposes. Only authorised persons should have access to the tapes and the retention of tapes must comply with the law. Operators must inform the Information Commissioner of their system and its purpose. Members of the public who suffer loss for non-compliance with the Code can claim compensation.
In summary, under the Irish Act personal data, which encompasses CCTV must be processed fairly and lawfully. It must be gathered solely for specified legitimate purposes and must be adequate, relevant and not excessive in relation to the purpose for which it is collected. Every Data Controller is now required to register unless exempted. The Act provides for draconian penalties including fines ranging from €3,000 to €100,000. In February 2004, the Data Protection Commissioner successfully prosecuted two law firms for failing to register as Data Controllers as required under Section 16 of the 1988 and 2003 Acts!
For further information contact Judy O’Kane or consult the comprehensive website of the Data Protection Commissioner, www.dataprivacy.ie.
Judy O’Kane and Lasairfhiona Ni Laighin