CCTV Policy

What is a CCTV policy?

The basics: This CCTV policy sets out a business’s reasoning for using CCTV on its premises. It also explains to impacted data subjects (mainly employees) how the company aims to mitigate and reduce the effect CCTV monitoring may or will have on those data subjects’ privacy.

Why does my business need a CCTV policy?

Protect your business: CCTV captures personal data, and therefore data protection laws apply to the use of CCTV. Failure to comply with data protection laws can have a massive impact on your business - you could expose yourself to regulatory investigations, huge fines or claims from data subjects. Data protection issues can also cause big reputational and brand damage, and lose the hard-earned trust of your customers. Having a clear CCTV policy in place can help your business with complying with data protection laws.

What else must my business do to use CCTV lawfully?

Data protection risk assessment (DPIA): As CCTV captures personal data about individuals, there are a number of considerations that a business must take into account when using CCTV. For any processing that is likely to result in a high risk to individuals, you must (to comply with data protection laws) perform a Data Protection Impact Assessment (DPIA). This can include (i) processing special category data; (ii) monitoring publicly accessible places on a large scale; or (iii) monitoring individuals at a workplace.

Legitimate interests assessment (LIA): As CCTV includes the processing of personal data (i.e. people's images), you are required to have a lawful basis for processing under data protection laws. In reality, it can be difficult to obtain genuine and valid consent from individuals for processing their personal data via CCTV, especially in public spaces. A more appropriate lawful basis for using CCTV is therefore often legitimate interests. A legitimate interests assessment (LIA) should be carried out if this lawful basis is being relied upon. Our CCTV policy assumes that your business has considered all other options and that the use of CCTV is necessary to carry out your business operations, following the carrying out of the LIA.

Other policies and procedures: As a result of putting CCTV in place, your business should review and update its other data protection policies, including its privacy policy, to reflect this new way of collecting personal data. The CCTV policy assumes that those policies have been or will be updated. This document assumes that the company is incorporated in the UK and that English law applies.

What does Docue’s CCTV policy include?

Fully customisable: Docue’s dynamic CCTV policy is fully customisable to suit your business operations. It includes the option to include the following sections, amongst others:

1. Who is responsible for the use of CCTV - the person within your business who has overall responsibility for CCTV use;
2. Lawful basis for using CCTV - as CCTV includes the processing of personal data (i.e. people's images), you are required to have a lawful basis for processing under data protection laws. The policy tells individuals what lawful basis is being relied upon;
3. Purpose of using CCTV - the CCTV policy template includes a number of options for why CCTV is being used, and you also have the option to add in your own purpose too if it’s not covered by the standard options;
4. Telling individuals where CCTV is in operation - so that it is clear exactly where individuals will be monitored;
5. Operation and monitoring of CCTV - including the hours of operation and how often the CCTV footage is monitored;
6. Sharing personal data obtained from CCTV - who has access to the CCTV footage (e.g. security companies, cloud providers);
7. Security of personal data gathered by CCTV - what security measures your business has in place to keep the CCTV footage secure;
8. How long the company keeps personal data obtained from CCTV - data protection laws in the UK do not prescribe any specific minimum or maximum retention periods which apply to CCTV footage, so you must consider and set your own retention periods; and
9. Rights in relation to CCTV personal data - so that individuals know what their rights are under data protection laws in relation to the CCTV footage.

Why Docue?

Created by lawyers: Docue’s CCTV policy template has been created by lawyers, and also includes lawyer-drafted guidance notes to help you along the way. Our lawyers are constantly reviewing the CCTV policy to ensure it stays up to date with ever-changing data protection laws.

Super simple to use: To create your CCTV policy, simply click through the intelligent tick box options and text box answers and you’ll have a comprehensive, tailored, and ready-to-use CCTV policy in just minutes.

Tags: cctv notice, cctv policy, cctv data protection, cctv policy template, cctv policy in the workplace, cctv privacy notice