How GDPR Applies to Car Park Security Cameras

  • Posted

Security cameras are a common feature of both commercial and residential car parks, but what many people do not know is that the personal information they capture is covered by UK data protection law. This means property owners and management companies have legal obligations in the way they collect and process any personal data captured by their cameras.

In this article, we cover UK data protection rules for security cameras, what property owners and management companies need to do to comply with the rules, the potential penalties for non-compliance and how our legal experts can help.

Need help with data protection and CCTV? Please contact Miranda Mulligan, who will be happy to advise.

Key points businesses need to know about security cameras and GDPR

  • CCTV operators must have a lawful basis for collecting and processing personal data.
  • Personal data must be stored securely and only retained for as long as is needed for the lawful basis for which it was collected.
  • Only such data as is necessary for the chosen lawful basis should be recorded and processed.
  • Appropriate privacy notices should be placed in the area covered by CCTV.
  • The lawful basis and plan for minimising any impact on people’s privacy should be documented.
  • Privacy policies should be created or updated to cover the use of security cameras.
  • Data breaches can result in a fine from the Information Commissioner’s Office of up to a maximum of £17.5 million or 4% of an organisation’s total annual worldwide turnover for the preceding year.

How data protection rules apply to security cameras

The Data Protection Act 2018 is the UK version of the EU-wide General Data Protection Regulation (GDPR). This Act regulates the collection and processing of personal data, including by security cameras. Photographs or car registration details which identify an individual will constitute personal data for this purpose.

There are various important provisions of the Data Protection Act that apply to anyone operating a surveillance system. It is sensible to seek legal advice to ensure you understand how these apply to your situation.

Under the Act, you must identify a lawful basis for collecting and processing personal data. For most private entities, this will typically be on a ‘legitimate interests’ basis, i.e. that the collecting and processing of personal data is necessary to achieve a legitimate interest of yourself or a third party. If you are operating a carpark, this might relate to issues such as protecting vehicles from theft or damage, deterring antisocial behaviour and ensuring only authorised people use the car park.

You must ensure that recorded information is stored securely to maintain its confidentiality and integrity. You will also need to make sure the information is not stored for longer than is necessary for the lawful basis under which it has been collected and processed.

What CCTV operators need to do to comply with UK data protection rules

As above, you must have a lawful basis for collecting and processing personal data, so it is advisable to speak to a legal expert about this. They can advise on what a lawful basis might be and any steps you need to take to meet your legal obligations, for example, how the recorded data should be stored and for how long.

You should not operate CCTV in areas that people would reasonably expect to be private. In most cases, this will not apply to a car park, but it is worth considering exactly what area your cameras cover to make sure they only cover the exact area required for your legitimate interests.

You should only record data that is necessary for the lawful basis you have chosen for operating security cameras. For example, you should only record audio if this is strictly necessary.

You should also place privacy notices around the area covered by your security cameras, informing anyone in the field of view that they are being recorded. These notices need to be clearly readable and in places where they will be clearly seen.

You should document your reasons for needing security cameras and your plan for how to minimise the impact on people’s privacy. If there is the potential for a high risk to people from your collection and processing of data, then you will also need to carry out a Data Protection Impact Assessment (DIPA).

You must also create a privacy policy or update your existing policy to reflect the fact that you are using CCTV. This policy should include key information such as the lawful basis for your use of CCTV, who in your organisation is responsible, what security measures you are using, who the data will be shared with and how long it will be retained.

Penalties for non-compliance with UK data protection laws

The information Commissioner has a wide range of powers including the potential to issue enforcement notices or  fine any organisation that breaches UK data protection law. Depending on the type of breach, the fine can be up to a maximum of £17.5 million or 4% of an organisation’s total annual worldwide turnover for the preceding year.

Given how severe the potential penalties for a data protection breach can be, this is an issue no organisation operating security cameras can afford to overlook.

How Longmores can help employers with CCTV and GDPR

At Longmores, we regularly advise clients on a wide range of data protection issues, including in relation to CCTV. We can assist with understanding your legal position and preparing the required privacy notices for those using CCTV on and around their premises.

For expert support with GDPR and CCTV, please contact Miranda Mulligan, who will be happy to advise.

Please note, the contents of this blog are given for information only and must not be relied upon. Legal advice should always be sought in relation to specific circumstances.