Updated: Mar 22
Best practices for the use of video-surveillance systems, often called closed-circuit television (CCTV), are a topic of discussion around the world. Well-designed and selectively used video-surveillance systems are powerful tools for tackling security issues. However, badly designed systems merely generate a false sense of security while also potentially causing serious invasions of individual privacy and infringing other fundamental rights and freedoms.
Globally, there were an estimated one billion surveillance cameras in use. These cameras may be used by public authorities or even by individuals for their own purposes. Since video surveillance often contains images of people, this activity is considered to be a use of personal information and could pose serious privacy risks. Information obtained from video-surveillance footage can be – and often is – used to identify people, either directly or indirectly, when combined with other pieces of information. The personal information may even be sensitive personal information, depending on the context.
In this note, the Office of the Privacy Commissioner (PrivCom) will examine privacy issues surrounding CCTV with examples of how they have been addressed in different countries. We will provide examples of how the Personal Information Protection Act 2016 (PIPA) applies to this use of personal information.
For Comparison: European Union, United Kingdom, United States
Around the world, data protection authorities with similar missions to PrivCom have examined this issue. There are consensus best practices on how to ensure that fundamental rights like privacy are protected.
Examinations of the European Union’s General Data Protection Regulation (GDPR) are useful because the law is substantially similar to Bermuda’s PIPA. GDPR interpretations provide useful, persuasive precedent for issues cropping up under our newer law.
Both the European Data Protection Supervisor and the European Data Protection Board have issued guidance on video-surveillance and on the processing of personal data through video devices, calling the practice an “intrusion” that must be “necessary and proportionate.” According to their analysis:
The images or footage collected are certainly personal data, and may also be considered to be sensitive, biometric data (as defined under the GDPR’s Article 9) if they have been processed in order to contribute to the identification of an individual. (According to the GDPR, there has to be specific technical processing of video surveillance related to the physical, physiognomic, or behavioural characteristics of an individual in order for that information to be considered biometric and therefore subject to additional protections.)
According to the GDPR, in order for video surveillance to be legal, it needs to be based on one of the 6 lawful bases for processing personal data, and a detailed Data Protection Impact Assessment (DPIA) will need to be conducted if the area under surveillance is a public area, if the organisation determines that the use of personal information presents a high risk, or in other circumstances.
The organisation collecting and using personal information from video surveillance (controller in GDPR terminology) is obligated to implement organisational and technical measures to protect all components of a video surveillance system and data, during storage (data at rest), transmission (data in transit), and processing (data in use). For example, the European Data Protection Supervisor requires all EU institutions to have clear policies regarding the use of video surveillance on their premises, including policies about the storage, retention, and disposal of footage and personal information.
The organisation will also have to comply with the transparency principle and provide information about the surveillance. The notice should be easily visible, with the appropriate camera symbol informing everyone entering the premises about video surveillance.
Under the GDPR, an individual (data subject in GDPR terminology) has a right to obtain information from the organisation about whether their information is processed, access to the personal data, and information about the purpose of the processing, the categories of processed personal data, who will receive the information (including recipients or categories of recipients in third countries), and for what period of time the data will be stored (retention period).
Instead of a general privacy law, the US has specific laws that apply to specific circumstances. For example, the Privacy Act of 1974 applies to federal government agencies like the Department of Homeland Security (DHS).
DHS has developed a template for Privacy Impact Assessment for the Use of CCTV by DHS Programs. It contains a thorough checklist of various privacy risks and concerns, including potential breaches of privacy rights and freedom of speech and association, and contains a privacy impact analysis at every point of the assessment process.
Risk assessments like these help public bodies ensure that they have carefully considered the risk and policy rationales for their decisions, and that they have the appropriate policies and procedures in place.
In addition to the UK version of the GDPR, the Data Protection Act 2018 (DPA), the UK has a specialised role of Surveillance Camera Commissioner (SCC), who oversees the use of CCTV by public bodies. The Home Secretary’s Surveillance Camera Code of Practice (SC Code) applies to the overt use of surveillance camera systems that are operated by relevant authorities only (police forces, local authorities and parish councils) in public places in England and Wales, regardless of whether or not there is any live viewing or recording of images or information or associated data. The SC Code establishes 12 guiding principles ensuring that surveillance camera systems are only operated proportionately, transparently, and effectively.
The SC Code’s 12 principles offer an example of specific best practices for the use of CCTV, even for domestic purposes on a voluntary basis:
1. Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
2. The user of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
3. There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
4. There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
5. Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
6. No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
7. Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
8. Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
9. Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
10. There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
11. When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
12. Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.
CCTV and Bermuda
Since CCTV systems use personal information, organisations must ensure that they have implemented a privacy programme with suitable measures and policies to give effect to their obligations under PIPA. These include steps that align with best practices, such as:
inventorying or mapping what personal information is used,
documenting practices in policies and procedures,
training staff or others with access to personal information,
analysing the privacy risk in context and identifying protective measures,
developing an action plan to respond to incidents or potential breach of security, and
developing procedures to respond to PIPA Rights Requests, if applicable.
In addition, there are some special considerations for CCTV:
Right of Information: Under PIPA’s section 9, organisations must provide individuals with a clear and accessible statement about their practices, taking all reasonably practicable steps to ensure it is provided before or at the time of collection of personal information. This can be difficult in certain circumstances, such as if the camera is covering a wide public area, so it must be considered carefully to ensure a true notice is provided. Individuals affected by video-surveillance must be informed about key details, such as the existence of the monitoring, its purpose, and the length of time for which the footage is to be kept and by whom.
Data quality: Cameras should be used thoughtfully, with an identified and quantifiable purpose to be accomplished. For example, cameras should only target specifically identified security problems, thus minimising the gathering of irrelevant footage (a best practice known as data minimisation). A security camera that covers a rear garden need not also capture the neighbours’ house or even the public street. This careful use not only reduces intrusions into privacy but also helps to ensure a more targeted and, ultimately, more efficient use of video-surveillance.
Retention period: Although the installation of cameras might be justified for security purposes, the timely and automatic deletion of footage is essential to reduce privacy-related risks.
If information meets the definition of sensitive personal information under PIPA’s section 7, the organisation must consider what special risks may be present, and the section 6 conditions of use are more limited.
Organisations should note that PIPA’s section 5(3) is clear that they cannot contract away responsibility: “Where an organisation engages (by contract or otherwise) the services of a third party in connection with the use of personal information, the organisation remains responsible for ensuring compliance with this Act at all times.”
Acting in Good Faith
Two principles of our office’s regulatory strategy are constructive engagement with the community and promotion of interoperable best practices across legal jurisdictions. We seek to encourage good faith efforts by organisations in our community, which is why we have programmes like the Pink Sandbox and a focus on corrective (not punitive) regulation.
At times it may make sense for an organisation to refer to the guidance from other jurisdictions regarding specific practices, like CCTV. If an organisation proactively bases its actions on the CCTV best practices described above, even those from beyond our shores, our office will likewise give credit for such good faith efforts.