Subject Access Requests and Domestic CCTV Footage under GDPR

The General Data Protection Regulation (GDPR) introduced significant changes to how personal data is handled, including the processing of CCTV footage. One of the essential rights granted under GDPR is the ability for individuals to make subject access requests (SARs) to access their personal data, which includes video footage captured by surveillance systems. For homeowners and small organizations using domestic CCTV systems, understanding how to comply with SARs is critical. This article explains in detail the obligations and procedures surrounding subject access requests and CCTV footage under GDPR.

What is a Subject Access Request (SAR)?

A subject access request is a formal request made by an individual to access the personal data that an organization or individual holds about them. Under GDPR, individuals have the right to access any data that identifies them, including images and footage recorded by CCTV systems. This right ensures transparency and gives individuals control over their personal information.

The Right to Access CCTV Footage

When it comes to domestic CCTV, the footage may capture identifiable individuals, such as neighbors, visitors, or passers-by. GDPR classifies such recordings as personal data. Therefore, any individual who has been recorded has the right to request access to this footage. This is a fundamental right under GDPR, known as the right of access, which applies to domestic CCTV if the recordings extend beyond the property boundaries, such as public spaces or neighboring properties.

Handling Subject Access Requests for CCTV Footage

When a subject access request is made for CCTV footage, several steps must be followed to ensure compliance with GDPR:

  1. Identifying the Requested Footage: The first step in responding to an SAR is identifying whether the footage requested exists. The individual making the request should provide enough detail to allow the homeowner or system operator to locate the relevant footage, such as the date and time of the recording.
  2. Reasonable Search: The law requires that a “reasonable search” be conducted to locate the requested footage. This means taking appropriate measures to identify the data subject in the recordings and retrieving the necessary footage. Failure to do so could result in non-compliance with GDPR.
  3. Providing Access to the Footage: If the footage is found, it must be made available to the individual requesting access. This can be done by providing a copy of the footage in an accessible format, such as a digital file. However, there are important considerations around protecting the privacy of other individuals who may appear in the footage.
  4. Protecting Third Parties: GDPR places a strong emphasis on safeguarding the privacy of all individuals. When responding to an SAR for CCTV footage, homeowners and organizations must ensure that the rights of third parties (other individuals captured in the footage) are not infringed. This might involve blurring faces or using other methods to anonymize or redact parts of the footage that identify other people.

Timeframe for Responding to a Subject Access Request

Under GDPR, once a subject access request is received, the data controller (which may be the homeowner or an organization) must respond within one month. This deadline applies to the provision of the footage or any decision made regarding the request. In cases where the request is complex, or multiple requests are made, the timeframe can be extended by up to two additional months. However, the individual must be informed of the delay and the reasons for it.

Exemptions to Providing CCTV Footage

There are certain circumstances under which a subject access request for CCTV footage may be denied or limited:

  • Retention Periods: If the requested footage has already been deleted or falls outside the retention period set by the homeowner or organization, it is not required to be provided. Under GDPR, CCTV footage should only be kept for as long as necessary for the intended purpose. Retaining footage for longer than necessary can lead to non-compliance.
  • Public Interest or Law Enforcement: In some cases, footage may be exempt from disclosure if releasing it could interfere with ongoing investigations or compromise public security.

Signage and Transparency for Domestic CCTV Systems

Transparency is a crucial principle under GDPR, and this applies to CCTV systems as well. Individuals must be aware that they are being recorded, especially in cases where the CCTV system covers areas beyond the property boundary. Clear signage indicating the presence of CCTV cameras is one way to fulfill this requirement. The sign should include:

  • A notification that CCTV surveillance is in operation.
  • The purpose of the recording (e.g., for security).
  • Contact information, such as an email address, in case someone wishes to request access to their data.

Retention and Minimization of CCTV Footage

A core principle of GDPR is data minimization, which means that data should only be collected and retained as long as necessary. For CCTV footage, this means that homeowners and organizations should set retention periods for how long they keep recorded footage. Once the footage is no longer required, it should be securely deleted to minimize the risk of unnecessary or excessive data processing. Setting clear retention policies can also reduce the volume of data subject to SARs.

Documenting and Managing SARs

Homeowners or small organizations using CCTV systems should have clear procedures in place for handling subject access requests. This includes keeping records of:

  • The date the request was received.
  • Steps taken to locate and retrieve the footage.
  • Any communications with the data subject regarding the request.
  • The final outcome of the request, such as whether footage was provided or the request was denied.

Having a well-documented procedure ensures that SARs are handled in a timely and efficient manner, reducing the risk of GDPR non-compliance.

The Consequences of Non-Compliance

Non-compliance with GDPR can have serious consequences, including potential fines and legal actions. Failure to properly respond to subject access requests or mishandling personal data could lead to complaints being filed with data protection authorities, such as the Information Commissioner’s Office (ICO) in the UK. To avoid penalties, it is crucial to ensure that CCTV systems are operated in full compliance with GDPR requirements.

Conclusion

Subject access requests under GDPR apply to CCTV footage, even in domestic settings. Homeowners and organizations operating CCTV systems must be prepared to handle SARs effectively and ensure that they comply with GDPR’s strict regulations. This includes securing footage, protecting third-party privacy, and responding within the required timeframe. By following the principles of data minimization, transparency, and security, individuals can ensure that their CCTV systems operate lawfully while respecting the privacy rights of others.