CCTV in the workplace – I’ve got my eye on you

It’s a controversial subject. Has your employer installed any surveillance technologies, such as CCTV cameras, in the workplace? If so, where are these located and for what purpose? Were you notified in advance and provided with a corresponding CCTV policy? Who has access to the data obtained from the surveillance, where is this held and for how long? These are all questions that you may agree need answering.

Employers can often be secretive about installing CCTV in the workplace; the logic behind this being that if they suspect wrongdoing amongst staff, covert recording should enable them to ‘catch out’ the offenders. However, when staff are made aware of the existence of CCTV arguably this risks defeating the object of installing it in the first place and, at best, could be simply a deterrent against wrong-doing. With that in mind, the central debate on this topic tends to focus on whether employers have an obligation to inform staff of their intention/decision to install CCTV beforehand and what their duties are during any period of surveillance.

The Information Commissioner’s Office (ICO) has published a code of practice on the use of surveillance systems entitled “In the picture: A data protection code of practice for surveillance cameras and personal information”. This sets out the following key principles that organisations should adopt when operating surveillance systems:

  • Use of a surveillance camera system must always be for a specified purpose, which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
  • The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
  • There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
  • There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
  • Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
  • No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
  • Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted. The disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
  • Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
  • Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
  • There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with, and regular reports should be published.
  • When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
  • Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

Employers should note that the above code of practice sets out recommendations only. It is not legally binding and hence compliance is not mandatory. However, it is still worth noting that the Information Commissioner can cite relevant recommendations in connection with any enforcement action should it deem it necessary, in which case employers should endeavour to adhere to these recommendations for best practice.

In order to ensure and demonstrate compliance with the ICO’s guidance we suggest that employers take the following practical steps:

  • Be transparent and don’t let colleagues feel spied on. No-one likes a peeping Tom. Implement a suitable CCTV/surveillance policy with the requisite information to be made readily available to all staff and appoint an individual who will be responsible for keeping the policy up to date. This should specifically notify staff if there will be any covert monitoring (which must be justified and only done in exceptional circumstances).
  • Update existing data protection policies and/or privacy notices as appropriate and to reflect the data that will be held and where;
  • Display prominently placed signs at the entrance to the surveillance zone and reinforce this with further signs inside the area, including communal areas and those accessed by members of the public.

This article is designed to be for general information only and not a comprehensive guide on workplace monitoring. For detailed advice please contact Louise Rogers at [email protected] or by telephone on 020 7408 8888.