The ICO exists to empower you through information.

At a glance

Under the UK GDPR and DPA 2018, you have an obligation to implement appropriate technical and organisational measures. These show that you have considered and integrated the principles of data protection law into your processing activities. It is also important that you identify an appropriate lawful basis, and justify any processing to be necessary and proportionate.
If you are a controller, and your surveillance system is processing the personal data of identifiable individuals, you are required to notify and pay a data protection fee to the Information Commissioner’s Office (ICO) unless exempt.

The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance. Your accountability obligations are maintained throughout the life of the processing.

Specifically under Article 30 of the UK GDPR, organisations are required to maintain a record of the processing activities taking place. This applies to both controllers and processors that use surveillance systems. The records you keep should cover areas such as the purpose(s) for the lawful use of surveillance, any data sharing agreements you have in place and the retention periods of any personal data.

For surveillance systems, you must take a data protection by design and default approach and perform a Data Protection Impact Assessment (DPIA) for any processing that is likely to result in a high risk to individuals. This includes:

  • processing special category data;
  • monitoring publicly accessible places on a large scale; or
  • monitoring individuals at a workplace.

You should assess whether your use of surveillance is appropriate in the circumstances. As part of your assessment, you should also take into account the reasonable expectations of the individuals whose personal data are processed and the potential impact on their rights and freedoms. You should record your considerations and mitigations in a DPIA prior to any deployment of a surveillance system that is likely to result in a high risk to individuals. If high risks cannot be mitigated, prior consultation with the ICO is required.

In detail

How do we ensure effective control of our surveillance systems?

Checklist

☐ We know who has responsibility for the control of information within our organisation and who makes decisions about how it can be used.

☐ We have notified with the ICO if we are a controller, especially for the use of a surveillance system that processes personal data.

☐ We have agreed responsibilities if more than one controller is jointly involved in the processing, and each know their responsibilities in a transparent manner.

☐ We have written contracts in place that clearly define the responsibilities of organisations that provide processing services for us.

☐ We make sure that information is only processed by others in accordance with our instructions, with guarantees about security, storage and the use of properly trained staff.

It is important that you establish who exercises overall control of the personal data being processed. For example, who decides what is to be recorded, how it should be used and to whom it may be disclosed if needed. If you are the organisation that makes these decisions determining the purpose and means of processing, then you are the controller and you are legally responsible for compliance with data protection law.

If you make joint decisions with another organisation about the purposes for, and operation of, the surveillance system then you are joint controllers for this processing. All joint controllers remain responsible for compliance with the controller obligations under the UK GDPR and DPA 2018. For further information see our guidance on joint controllers.

Organisations may share information from a surveillance system in order to assist with joint running costs. This includes situations where the surveillance system is managed by a third-party on behalf of, or in conjunction with, another organisation. For example, this could be a CCTV server hosted by a council, and a feed could be linked into a local law enforcement control room.

The agreement to share services must have strict guidelines and procedures in place to ensure that the control and use of these systems is appropriate. In a shared service situation you should also make clear who is legally in control of what information at any given time.

As a controller, you need clear procedures to determine how you use the system in practice. You should therefore consider the following questions:

  • Have you clearly defined the specific purposes for the processing of personal data and use of information? Have you communicated these to those who operate the system?
  • Are there clearly documented procedures for how information should be handled in practice? This could include policies and procedures for disclosures and how to keep a record of any data sharing. Are these accessible to the appropriate people?
  • Has responsibility for ensuring that procedures are followed been allocated to a data protection officer (DPO) or to an appropriate named individual? They should ensure that standards are set, procedures are put in place to meet these standards, and that the system complies with this guidance and other legal obligations.
  • Are proactive checks or audits carried out on a regular basis to ensure that procedures are being complied with? This can be done either by you, as the system operator, or a third party.

How do we demonstrate accountability?

The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance. Your accountability obligations are maintained throughout the life of the processing.

Article 24(1) of the UK GDPR says that:

  • you must implement technical and organisational measures to ensure, and demonstrate, compliance with the UK GDPR;
  • the measures should be risk-based and proportionate; and
  • you need to review and update the measures as necessary.

The below headings expand on broader accountability obligations you must adhere to under data protection law.

What is data protection by design and by default?

Data protection by design and default is about considering data protection and privacy issues upfront, from the earliest stages of project planning. You must consider this in a consistent manner, in everything you do, where you are processing personal data. It can help you comply with the UK GDPR’s fundamental principles and requirements, and forms part of the focus on accountability.

Under data protection law, you have an obligation to implement appropriate technical and organisational measures to show that you have considered and integrated the principles of data protection into your processing activities. Data protection by design has broad application. Examples include physical design, or developing organisational policies, processes, business practices or strategies that have privacy implications. This requirement is particularly important for the new or novel use of more intrusive surveillance systems such as ANPR, BWV and Facial Recognition Technology (FRT).

Prior to purchasing any surveillance system, you should make decisions based on its ability to provide a data protection compliant solution to a problem. You should not purchase a system because it is new, available, affordable or in the belief that it will gain public approval. You should also establish criteria for procuring systems and the decisions you make about deployment and configuration.

The Biometrics and Surveillance Camera Commissioner’s Buyers’ Toolkit will also help you when planning and installing surveillance camera systems.

You should also ensure that the design of your surveillance system allows you to easily locate and extract personal data in response to individuals exercising their rights. For example, in response to subject access requests or for disclosures to authorised third parties such as law enforcement.

Example

An ambulance service wishes for staff to use a BWV system, so that staff can capture any abusive behaviour towards them when they are on duty. Prior to using the technology, the service should conduct a DPIA to assess whether the use of this technology is a necessary and proportionate response to a problem. The service should not purchase the system just because it is new or useful technology, but because the use of the system is justifiable in the circumstances.

It is also important that there is sufficient focus on the governance of the information that is collected, rather than the technical capability of the cameras. For example, how the information is safely stored, retained or edited if needed. Again, the service should have appropriate policies and procedures for the use of the technology and information collected, with appropriate training for staff who actually wear the cameras or subsequently process the information.

You may also wish to refer to the Biometrics and Surveillance Camera Commissioner’s secure by design, secure by default scheme which outlines requirements for manufacturers of surveillance camera systems and components.

How do we carry out a Data Protection Impact Assessment (DPIA)?

To identify and help mitigate risks at an early stage you should perform a DPIA prior to any processing. This is a legal requirement and applies in most cases relating to video surveillance given the inherent privacy risks involved in the use of these systems. This includes systematically monitoring publicly accessible places on a large scale.

For surveillance systems in particular, you must perform a DPIA with balanced consideration for any type of processing that is likely to result in a high risk to individuals. To assess the level of risk, you should consider both the likelihood and the severity of any impact on individuals. High risk could result from either a high probability of some harm, or a lower possibility of serious harm. For example this could involve unexpected or unfair monitoring, or particular decision making against an individual. We have further guidance about the types of risks that DPIAs address.

Your DPIA must:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to individuals; and
  • identify any additional measures to mitigate those risks.

If you decide to not do a DPIA you need to document your reasons and be prepared to justify why the processing is not of a type likely to result in high risk. You can use our screening checklists to help you decide.

  • You need to consider the privacy issues involved with using new surveillance systems, such as lawfulness and transparency. You should assess whether the use is necessary and proportionate and appropriately solves a problem. You should always consider less privacy intrusive methods of achieving this need where possible, or explain why these alternatives are not suitable or sustainable.
  • You should also look at the problem the surveillance system is supposed to address, and show whether or not the system will meet this need. You should base your assessment on reliable evidence and show whether the proposed surveillance system can be justified as proportionate to the problem identified.

The Biometrics and Surveillance Camera Commissioner’s predecessor and the ICO jointly published the SCC DPIA template and associated guidance notes for surveillance systems. The ICO has also produced detailed guidance for conducting DPIAs.

For the purposes of using surveillance systems, you may encounter data protection problems if you fail to take a data protection by design and default approach and do not conduct a DPIA where required. You could avoid these problems by acting at an early stage.

There are also wider benefits in terms of identifying problems early and avoiding unnecessary costs and reputational damage. Further, a failure to carry out a DPIA when required in itself infringes the UK GDPR and may leave you open to enforcement action.

If you have carried out a DPIA that identifies a high residual risk after mitigation measures, you are required to consult with the ICO under data protection law. You cannot go ahead with the processing until you have consulted us. If you have established methods to reduce or mitigate the risk so it is no longer high, you do not need to consult us.

What about documentation?

Checklist

☐ If we are a controller for the personal data we process using surveillance systems, we document all the applicable information under Article 30(1) of the UK GDPR.

☐ If we are a processor for the personal data we process using surveillance systems, we document all the applicable information under Article 30(2) of the UK GDPR.

☐ We conduct regular reviews of the personal data we process and update our documentation accordingly.

☐ Our documentation is readily available if it is requested by the ICO, or another regulatory authority.

Documenting your processing activities is a legal requirement under data protection law. It can support good data governance and help you demonstrate your compliance with the UK GDPR and DPA 2018. Knowing what information you have, where it is and what you do with it makes it much easier for you to comply with other aspects of the law. For example, making sure that the information you hold about people is accurate, relevant and secure.

Under Article 30 of the UK GDPR, most organisations are required to maintain a record of their processing activities. This also applies to controllers and processors that use surveillance systems. The records you keep should cover areas such as the purpose(s) for the use of surveillance, data sharing and retention.

Further guidance and templates about documentation are on our webpages.

The UK GDPR and DPA 2018 also outline the legal requirement for an appropriate policy document to be in place when processing special category and criminal offence data under certain specified conditions.

This document should demonstrate that the processing of any special category and criminal offence data is compliant with the requirements of the UK GDPR Article 5 principles.

Read further guidance about appropriate policy documents and special category and criminal offence data.

Do we need to pay a data protection fee?

If you are acting as a controller, and your surveillance system is processing the personal data of identifiable individuals, you are required to notify and pay a data protection fee to the ICO, unless exempt.

The Data Protection (Charges and Information) Regulations 2018 outline the different tiers of fee controllers are expected to pay. The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers.

In the context of video surveillance, if you are processing images of identifiable individuals outside of purely personal, family or household use, then you may be required to pay a data protection fee and notify with the ICO as a controller.

Read further guidance about the data protection fee.