Last updated 24 January 2024

24 January 2024 - We have updated the reference to providing still photographs in response to a SAR. This acknowledges that in some circumstances, a still image may be useful in limited scenarios, but is unlikely to provide full context.

At a glance

You must control any disclosure of information to third parties from your surveillance system and ensure that the disclosure is consistent with the purpose(s) for which you set up the system.

Your staff who operate surveillance systems should be able to recognise a request to access, erase or restrict personal data, and help progress these requests efficiently.

You may need to use specialist software to redact visual and audio data of third parties. Available techniques include blurring, masking, or using a solid fill to completely obscure parts of the footage. The technique most applicable depends on the circumstances of how the footage was created and the quality of the footage.

The design of your surveillance system should allow you to easily locate and extract personal data, specifically in response to subject access requests and FOI requests.

In detail

Can we disclose information to third parties from our surveillance system?

Checklist

☐ We have clear guidance for relevant staff in our organisation who may handle requests for disclosure, that explains the circumstances where it is appropriate to make a disclosure and when it is not.

☐ We record the date of the disclosure along with details of who we have provided the information to (the name of the person and the organisation they represent) and why they required it.

☐ We ensure that any method of disclosing information is secure, so the footage is only seen by the intended recipient, and not lost in transit.

☐ We have data sharing agreements in place where appropriate, if we need to share information on an ad hoc or routine basis.

☐ We are aware that some disclosures to third parties may be unlawful and qualify as an offence under data protection law if the disclosure was made knowingly or recklessly without the consent of the controller.

You must ensure that any disclosure of information to third parties from your surveillance system is controlled and that the disclosure itself is consistent with the purpose(s) for which you set up the system. For example, in most cases it is appropriate to disclose video surveillance information to law enforcement when the purpose of the system is to contribute to the prevention and detection of crime. Unless a court order applies, this is not a legal requirement and is often voluntary. This could be, for example, a shopkeeper proactively disclosing CCTV footage of a crime taking place on the premises to the police.

You should note that even if your surveillance system was not established to prevent and detect crime, it is still acceptable to disclose information to law enforcement agencies, if relevant. Failure to do so could prejudice an ongoing investigation.

Example

An assault takes place in a night club and the event is captured on CCTV, which is installed inside the premises for public safety and crime prevention.

The local police force requests a copy of the footage from the night club owner in order to investigate the incident. When satisfied by the request, the night club owner is able to efficiently review and retrieve the captured footage and provide a specific clip of the incident to the police to assist the ongoing investigation.

You should approach any other requests for information with care, as wider disclosure may be unfair on the individuals concerned. Further, some disclosures to third parties may be unlawful and qualify as an offence under section 170 DPA 2018 if the disclosure was made knowingly or recklessly without the consent of the controller. In some limited circumstances it may be appropriate to release information to a third party in the public interest, where the needs of the disclosure outweigh those of the individuals whose information is recorded. Further guidance about data sharing can be found in our data sharing code.

In the majority of circumstances it may not be appropriate for you to place footage captured by your organisation on the internet to an indefinite audience (eg by uploading it to a video-sharing platform). Placing such information on the internet incorrectly, for incompatible purposes or without full consideration, may cause the unlawful disclosure of personal data. You should also balance such disclosures against Article 85 UK GDPR, the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.

Unauthorised disclosures can cause damage and distress to individuals, and may lead to the ICO taking enforcement action. Other laws that focus on libel, harassment, malicious communications or threatening behaviour may also apply in some circumstances.

As the operator of the surveillance system, any decisions about disclosure are your responsibility. You have discretion to refuse any request unless there is an overriding legal obligation, for example a court order.

Once you have disclosed information to a third party they become the controller for the copy they hold. It is their responsibility to also comply with the UK GDPR and the DPA 2018 for any further disclosures. It is also important that any method of disclosing information should be secure. This is to ensure the footage is only seen by the intended recipient, and not lost in transit or unintentionally distributed further.

Further reading – ICO guidance

Data sharing code

How do we comply with the rights of individuals?

Checklist

☐ We have staff who operate surveillance systems that can recognise a request to access, erase or restrict personal data, and can help progress such requests efficiently.

☐ We have internal procedures for the handling of requests. This includes keeping a log of the requests we receive and how we dealt with them within the statutory timescales.

☐ We have procedures in place to help locate the requester’s information. This includes using the date, time and location where the footage was captured.

☐ We are able to provide footage to individual requesters or law enforcement in a commonly used video file format.

The right of access

You need to ensure that your staff who operate your surveillance system are aware of the rights that individuals have under data protection law, such as the right of access, erasure or restriction. Relevant staff need to be able to recognise these requests from individuals. This means that they can retrieve information in a timely manner, and also help prevent any processing that is likely to cause substantial and unwarranted damage or distress. You also need to be able to provide footage to individual requesters or law enforcement authorities in a commonly used video file format.

Under Article 15 of the UK GDPR, the right of access gives individuals the right to obtain a copy of their personal data from you, as well as other supplementary information. This is a fundamental right for individuals and helps them understand how and why you are using their data, and check you are doing it lawfully. You should ensure that the design of your surveillance system allows you to easily locate and extract personal data in response to subject access requests.

Before you can respond to a subject access request (SAR), you need to be able to decide whether the information you hold is personal data and, if so, whose personal data it is. Individuals can make a request verbally or in writing where needed, or follow up a verbal request with a written one. To ensure you comply with your obligations, we suggest that you keep a log of any verbal requests to ensure a satisfactory record and audit trail.

If you are unsure whether or not the request is valid, you should check with the individual that you have understood their request. This can help avoid later disputes about how you have interpreted it, and prevents delays. Individuals who request access must provide you with supporting details, such as a photo, date or time, that allow you to identify them as the subject of the information and also help you locate the personal data on your system efficiently.

Under the UK GDPR you are required to provide the data subject with a copy of all the information caught by the request that constitutes their personal data, unless an exemption applies. You must supply them with a copy of the information in a permanent form or, if they agree, allow or arrange for them to view the information. If an individual refuses an offer to view the footage or they insist on a copy of the footage, then you must do whatever is reasonable in the circumstances to provide them with a copy of this information.

Under the UK GDPR, there is no longer a standard fee that you can charge to exercise the right of access. You may however refuse to deal with the request or charge a reasonable fee if you feel the request for footage is manifestly unfounded or excessive. As a controller, you need to be able to demonstrate the excessive or manifestly unfounded character of the request. Read further guidance about excessive or manifestly unfounded requests.

You must provide information promptly and within one month of receiving the request. Under the UK GDPR, you can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. Providing information promptly is important, particularly where you may have set retention periods for surveillance footage. This means that the information may be routinely deleted if you take the full month to respond. In such circumstances it is good practice to prevent the premature deletion of any information that falls within the scope of a request.

Providing an individual with a transcript of either the audio or visual information contained in the footage is not enough to comply in most circumstances. This is because a transcript, or even a still photograph in some circumstances, is unlikely to fully communicate all of the contextual information within the footage that could be considered the data subject’s personal data.

A clearly documented process will also help guide staff and operators of the system through these requests.

The right to erasure

Under Article 17 of the UK GDPR individuals have the right to have personal data erased. This is also known as the right to be forgotten. However, the right is not absolute and only applies in certain circumstances. This could, for example, be a request from an individual for the erasure of unnecessarily retained CCTV footage.

In the context of surveillance, this right can apply if:

  • the information is no longer necessary for the purpose which you originally collected or processed it for;
  • you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their information, and there is no overriding legitimate interest to continue this processing;
  • you have processed the personal information unlawfully (ie in breach of the lawfulness requirement); or
  • you have to erase it to comply with a specific legal obligation.

There are circumstances where the right to erasure cannot be exercised as certain exemptions apply. In the context of surveillance, this may include but is not limited to:

  • processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
  • certain research activities; or
  • compliance with a specific legal obligation to process surveillance information.

The right to restriction of processing

Article 18 of the UK GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that you use their data. This is an alternative to requesting the erasure of their data.

Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. In the context of surveillance footage, this may be because they have issues with the content of the information you hold or how you have processed their data. In most cases you will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time.

The UK GDPR suggests a number of different methods that you could use to restrict data, such as:

  • temporarily moving the data to another processing system;
  • making the data unavailable to users; or
  • temporarily removing published data from a website.

How should we redact information about third parties?

In the context of video surveillance, responding to the right of access may involve providing information that relates both to the requester and another individual. Your obligations under the UK GDPR are to provide a copy of the information about the requester rather than a complete version of footage, but also to ensure that doing so does not adversely affect the rights and freedoms of others. Therefore, you may have to consider seeking the consent of third parties where reasonable or alternatively removing or redacting particular footage. You should consider the nature and context of the footage to determine the level of harm that may arise from choosing not to redact. In practice, you need to approach each request for information on a case-by-case basis, and make a reasonable determination based on the particular circumstances.

For example, for footage from Body Worn Video (BWV) or a more traditional CCTV system, available techniques could include blurring, masking, or using a solid fill to completely obscure parts of the footage. You may also wish to consider removing metadata from footage files where necessary. The technique most applicable will depend on the circumstances of how the footage was created and its quality. To do this, you may need to use specialist software to redact visual and audio data.

This software is sometimes provided with commercially available surveillance systems to support back office functions, or through separate products. While professional software requires training and expertise to operate, redaction tools that complement systems are designed to be easy to use. You should train relevant members of staff to use this software, for example to respond to requests efficiently within the statutory timescales.

When you procure a surveillance system, as part of your DPIA before any processing you should always consider the capabilities the technology offers in terms of governance. You should not choose a product based solely on its ability to capture footage. You should also seek to use products whose manufacturers have built them in line with data protection by design and default considerations. This ensures that you do not adopt a system that does not allow you to comply with your data protection obligations.

It may be necessary for you to contract out the redaction process to a specialist organisation. In this context, the third party is likely to become a processor, so you would need to have a written contract that specifies exactly how the information is to be used and provides you with explicit guarantees in terms of quality and security. See our guidance on controllers and processors for more information.

What about freedom of information legislation?

If you are a public authority, then you may receive requests under the Freedom of Information Act 2000 (FOIA) for information captured by surveillance systems. You should have a member of staff who is responsible for responding to freedom of information requests, and understands your responsibilities. You must respond within 20 working days from receipt of the request.

Section 40 of FOIA contains a two-part exemption relating to information about individuals. If you receive a request for surveillance system information, you should consider the following questions:

  • Is the information personal data of the requester? If so, then that information is exempt from FOIA. Instead, you should treat this request as a data protection subject access request.
  • Is the information personal data of other people? If it is, then you can only disclose the information if:

First condition: disclosure does not contravene one of the data protection principles.

Second condition: disclosure does not contravene an objection to processing.

Third condition: the information is not exempt from the right of access.

In practical terms, if individuals are capable of being identified from the relevant surveillance footage, then it is personal data about those individuals. Where the information includes personal data of third parties, you should consider applying redaction techniques to obscure images. It may be appropriate to do this rather than exempting the information.

If you are a public authority that has surveillance systems, you may also receive requests for information under FOIA relating to those surveillance systems. For example, requesters may ask for information about the operation of the systems, the siting of them, or the costs of using and maintaining them.

If you hold this information, then you need to consider whether it is appropriate to disclose this information under FOIA. You should provide any information you hold unless you can show that an exemption applies. For example, if providing details of the location of cameras is likely to prejudice the prevention or detection of crime.

This is not an exhaustive guide to handling FOI requests and we have further guidance about handling such requests.

Note: Even where footage is exempt from FOIA, it may be lawful to provide it on a case-by-case basis without infringing data protection legislation if you have taken the reason for the request into account.

Further reading

For further information on FOIA, including how to handle requests for information, please refer to the ICO’s Guide to Freedom of Information.

For further information on Freedom of Information (Scotland) Act 2002 (FOISA), please refer to The Scottish Information Commissioner.