Closed-circuit television (CCTV) surveillance has become ubiquitous in everyday life. Their employment is commonplace in a variety of areas to which members of the public have access. While walking down Republic Street, visiting a shop or bank or sipping a cup of coffee, we are caught on camera.
One feels compelled to recall one of George Orwell’s most famous novels of the twentieth century, titled ‘Nineteen Eighty-Four’, where Orwell sets in an imaginary totalitarian future with each person being subjected to round the clock surveillance. He makes use of bold phrases, the most notorious of which being, ‘Big Brother is watching you’.
The now ageing catch-phrase has intrigued producers to create reality television shows featuring a group people living together, isolated from the outside world, but continuously captured on camera for the endless pleasure of televiewers.
Over the past years, installation of CCTV cameras has mushroomed all around the globe, particularly in those countries where terroristic threats and attacks have undermined national and public security. Installing a CCTV camera is certainly not prohibited by data protection authorities. However, similar to other sectors, the activity of video surveillance must be regulated by the principles and obligations emanating from the privacy Directive to ensure an unconditional respect for the rights and fundamental freedoms of individuals in a democratic society.
The capturing and recording of images by means of a CCTV camera, leading to the identification of a natural person, constitutes processing of personal data. Therefore, by definition, this processing falls within the parameters of the local Data Protection Act.
As a first step, the data controller is required to notify the Data Protection Commissioner with the processing operation prior to physically installing the cameras. A clear and specific purpose has to be defined and which shall be deemed proportionate with the rights to privacy of individuals. CCTV cameras may serve a number of different purposes. Whereas most systems are installed for a legitimate security purpose, this Office has investigated cases relating to flagrant abuse where the relevant data protection prerequisites and requirements were actually sidelined or ignored.
Individuals have the inherent right to be informed about the processing of personal data by means of a surveillance camera. The general practice is to provide the information by way of notices affixed in prominent and easily visible places within the monitored area. In certain cases, notices are also required to be affixed even before approaching the monitored area. The notice should include the designation of the data controller, the purpose for processing and a clear sign indicating the camera.
Limitations to the information requirements may only be allowed in cases relating to the prevention, investigation, detection and prosecution of criminal offences or the right of defence, for as long as provision of the information may jeopardise achievement of the specific purposes sought.
A data controller is not allowed to use the images of the camera for a purpose different from the one notified with Commissioner. For instance, if an organisation would have notified the purpose for deploying the cameras as being for the security of premises, the controller cannot take the liberty to use such images to control employees’ assiduity at the workplace. This may only be legitimised subject to a prior notification of the additional purpose to the Commissioner and, most importantly, subject to providing prior information to all the employees.
Any person has the right to request access to the personal information processed by the CCTV system. Albeit the data controller is not obliged to provide direct physical access to the recordings, the process may be facilitated by inviting the individuals to view the relevant footage without disclosing the identity of third parties. Blurring is always recommended.
Deploying CCTV cameras in dressing rooms and bathrooms may lead to an inappropriate invasion of the individual’s private sphere and is strictly prohibited. The purpose may still be achieved by, for instance, installing the cameras outside the entrance of the room, thus adopting adequate and less intrusive means of processing.
Covert cameras are also subject to privacy considerations. No person shall use covert cameras and assume law enforcement powers in an endeavour to uncover an illicit activity, such as theft or pilfering, without involving the Police. Law enforcement authorities are the competent authorities vested with executive powers to investigate these offences and prosecute accordingly. Similarly, in case of an activity captured by a camera and which might lead to criminal charges, the relevant extract of the camera’s footage shall only be disclosed to law enforcement authorities and this subsequent to the filing of a Police report.
Under normal circumstances, a retention period of seven days is considered to be a sufficient and reasonable time for the keeping of CCTV camera recordings. After the lapse of this period, images are automatically deleted or overwritten by new images. However, this depends on various technical characteristics of the system and other factors.
When the security company retains the images on behalf of the data controller, the controller is obliged to govern the relationship by means of a legally binding agreement. The agreement must specify that the security company shall only act upon the instructions of the controller and shall implement all the necessary technical and organisational safeguards against accidental and unlawful forms of processing.
Although the law provides for a household exemption in cases where a CCTV system is installed within the boundaries of a home, the legitimate rights and interests of neighbouring tenants and other third parties should still be respected.