The Irish Data Protection Commissioner recently updated its guidance on the use of CCTV in the workplace. The new guidance puts a higher burden on employers when using and relying on CCTV in workplaces. The updated requirements include that a specific risk assessment and privacy impact assessment be carried out. These processes need to be documented and have to demonstrate that CCTV is the appropriate measure in all the circumstances. This includes the need to show previous incidents that have led to the need for CCTV footage to be put in place.
The guidance now provides that a written CCTV policy must also be in place - this could be included in the staff handbook but staff must be made aware of it. This guidance is in line with the data protection developments in Europe which suggest that all potential incursions into a citizen's privacy must be considered and justified in advance by the data controller - data protection by design.
It is unlikely that many employers will have the above documentation in place, and we recommend that employers start reviewing their existing CCTV policies to ensure that they are future-proofed.
A written CCTV policy must be in place and should include the following information: the identity of the data controller; the purposes for which data are processed; any third parties to whom the data may be supplied; how to make an access request; the retention period for CCTV; and the security arrangements for CCTV.
Notification of CCTV usage can usually be achieved by placing easily read and well-lit signs in prominent positions. A sign at all entrances will normally suffice.