CCTV Cameras in the Workplace and Employees Rights
Why Are CCTV Cameras Used in Workplaces?
Surveillance-related laws recognise that companies have a right to protect their legitimate interests. What are these legitimate interests that one could protect through video surveillance?
CCTV cameras have been deployed in a very diverse range of working environments, from small offices to busy industrial floors. And the reasons are more specific and, surprisingly enough, more diverse than “security”.
Staff and property security is, nonetheless, the most important reason. CCTV cameras are an effective way to protect your staff against assault and harassment.
CCTV cameras can also be an efficient deterrent against vandalism and property theft. And, if the worst happens, CCTV footage can aid in police investigation and constitute evidence in court.
Improving workplace efficiency is another common reason. CCTV cameras can provide important information regarding the way company resources are used.
They can offer useful metrics about issues like overcrowded areas, or inefficient logistics or maintenance operations, giving management the kind of data they need to optimise day-to-day operation.
Enforcing health and safety or security policies is unglamorous, but the typical use case for CCTV cameras in the workplace. Policies and regulations related to safety or security are notoriously and subtly complicated.
They are often broken unwittingly, and immediate feedback on any breach is the only way to ensure that a momentary slip does not become the rule, rather than the exception.
These applications paint a clear, but somewhat incomplete picture of CCTV deployments today. CCTV technology is versatile and easy to integrate in more advanced systems. That’s why many deployments combine several applications into one system: security cameras installed in reception areas, for example, can also be used to supplement access logs.
CCTV Rules for Business
The massive adoption of CCTV technology in the mid-1990s prompted the government and public authorities to take a more active role in the regulation of video surveillance. UK legislation walks a thin border between recognising the benefits of CCTV surveillance and limiting its erosion of privacy.
The Human Rights Act (HRA) of 1998 is the broadest, but also the most fundamental piece of legislation that governs the use of CCTV cameras. Article 8 of the HRA outlines a person’s right to privacy, which extends to public spaces and the workplace, not only to their private home.
Overly intrusive CCTV surveillance, without legitimate security or business purpose, can constitute a breach of this right.
​
The Protection of Freedoms Act (POFA) of 2012 is primarily concerned with CCTV usage in public spaces, but it’s a useful landmark. The CCTV Code of Practice issued under its auspices is particularly useful, regardless of the deployment environment.
The GDPR clarifies that CCTV footage is personal information, and includes a number of specific requirements regarding how personal information is stored and processed. It also requires those who hold this data (i.e. employers) to disclose it, based on subject access requests (SARs) from employees.
The Data Protection Act (DPA) of 2018 expands upon the surveillance implications of Article 8 of the HRA and the GDPR. It’s an act with a long history: the one we have today replaces another act, whose history goes back to 1998. It details the status of CCTV footage and outlines requirements for the collection, processing and disclosure of CCTV data. Many of the explicit requirements for CCTV deployment originate in this document
What Rights and Obligations Do Employers Have with Regards to CCTVs?
UK legislation unambiguously allows employers to deploy CCTV cameras in the workplace. Cameras can be deployed wherever there is a legitimate business or security requirement, as long as their deployment is proportionate, necessary, and addresses a pressing need that cannot be addressed by other means.
The DPA and GDPR outline a number of obligations regarding the use of CCTV in the workplace, including:
-
Informing anyone who might come under surveillance about the CCTV cameras. The most straightforward way to do it is by putting up signs which clearly inform readers that they are being monitored.
-
Maintaining and making available a clear policy about the purpose and extent of the monitoring
-
Supplying anyone who asks with all footage in which they appear
-
Ensuring that footage is secured from theft and accessible only by designated personnel
-
Ensuring that footage is securely deleted after it is no longer needed
-
Ensuring that any data transfer is done in compliance with data transfer law.
Who can view CCTV footage at work?
As a matter of policy, data protection laws do not include an exhaustive list of who can view CCTV footage. It is up to the CCTV operator to decide who is authorised to access the recordings.
That being said, the DPA does require that access to the images be restricted only to those who need it in order to fulfil the purpose of the system.
When it comes to who can view CCTV footage at work – keeping this list as short as possible is not only a legal requirement – more often than not, it’s also good operational practice.
For example when it comes to who can see CCTV footage, restricting access to security footage to as few people as possible also decreases the chances of someone leaking information about the placement of security cameras, either accidentally or on purpose.
Can Employees Request Access to CCTV Footage?
In addition to designated staff, CCTV footage can be made accessible to others under certain conditions.
By law, anyone can be offered access to CCTV footage in which they appear, upon request. Any employee can ask to see footage of themselves, but cannot be granted access to CCTV footage of someone else.
How Long is CCTV Footage Kept in the UK?
One of the most common questions regarding CCTV footage is “how long is CCTV footage kept in the UK?” The officially-recognized way to request access is through a SAR, which an employer has to respond to within 40 days. The procedure through which an employee can request access to CCTV footage of themselves should be transparent and available to everyone, without any unnecessary hurdles.
In addition to granting access when required, the DPA requires you to record all access to CCTV footage, and to document all requests for access, along with the reasons for any denials.
Who Else Can Be Given Access to CCTV Footage?
Besides employees, the police can also request to be given CCTV footage. If their request meets the legal requirements, you are indeed obligated to disclose the footage.
Other than that, the DPA discourages making images widely available in general, but does allow it, as long as the decision can be justified. It also requires that images of individuals be disguised under some circumstances, such as when disclosing images to the media.
​
Is it illegal to monitor employees on CCTV?
Under certain circumstances, a company can monitor its employees without their knowledge. This is called covert or targeted surveillance.
Under current guidelines, it is possible to conduct targeted surveillance, but only as part of a specific investigation, if a company has serious suspicions that employees are breaking the law, and if disclosing the act of surveillance would undermine the investigation.
Prior to conducting covert surveillance, you should carry out a privacy audit and ensure that covert surveillance impacts as few people as possible. The possibility of such monitoring should also be mentioned as a possibility in the company’s data protection or privacy policy.
Furthermore, the terms of the investigation must be as specific as possible. Unless it reveals information that cannot reasonably be ignored, such as evidence of additional crime or gross misconduct, any data obtained through covert surveillance which is not relevant to the investigation has to be disregarded.
For instance, if a retail business engages in covert surveillance because it suspects an employee is stealing items from the shop, it can use footage that captures such theft, or another crime. However, it cannot use this footage for assessing employee performance.
Relevant video footage is generally used as part of a disciplinary hearing. However, at that point, employees have to be granted access to this CCTV footage, and they should be given a chance to explain and contest it.
There are precedents where the use of covert surveillance has been approved by courts (such as the McGowan v Scottish Water case). But covert surveillance is truly an exceptional tool, that’s best saved for truly exceptional situations.
How Long Can CCTV Data Be Retained for?
We’ve taken a look at how long is CCTV footage kept in the UK – but how long can data be retained? Once again, data protection laws do not mandate a specific retention period. The DPA requires only that images should not be retained for longer than necessary to achieve the purposes of the CCTV system. Once a retention period has expired, images must be deleted.
It’s up to you to determine what this retention period is. You should have one that will apply, by default, to any CCTV footage you obtain. 30 days is a typical retention period.
That doesn’t mean all images have to be erased after 30 days, no matter what. You are allowed to retain images for longer – for instance, over the course of an investigation, which can span over longer than 30 days. However, in this case, you have to keep the footage in a secure place, with controlled access, away from routine data.
How and Why Should Employers Protect Employee Rights?
A contract of employment has an implied term of trust and confidence. An employer and its employees rely on each other to be honest and respectful, and should not conduct themselves in a manner that could damage this mutual relationship.
Unreasonable and unjustified workplace monitoring is a direct breach of this term – in other words, it’s illegal in its own right.
But in more general terms, ensuring that employee rights are protected is not only a direct expression of the implied term of trust and confidence, it’s also a way to ensure that a company’s own legal rights are upheld. For example, CCTV footage that is not obtained in compliance with data protection laws may not be admitted as evidence in court.
So what can a business do to protect the rights of its employees?
Carry Out an Impact Assessment. This is a widespread and efficient practice and is recommended by the ICO.
You should carry out an impact assessment prior to deploying CCTV equipment, and every time surveillance cameras are added, moved or removed, when systems are upgraded, when new systems are installed, and when features that include biometric capabilities, such as facial recognition, are added to your system.
An impact assessment should outline the problems that the CCTV system is trying to resolve, explain why deploying CCTV cameras in the workplace is a part of the most effective solution and how it will help solve these problems, and how its success will be measured. The ICO maintains a very comprehensive impact assessment template.
Maintain and make available a written policy which clearly and comprehensively outlines:
-
What privacy expectations your employees should have
-
The extent and purpose of any surveillance that you conduct, either permanently or occasionally
-
The rights and obligations that the company and employees have with regard to CCTV use in the workplace
Do you have to display signs if you have CCTV?
Maintain transparency about surveillance measures and purpose. This includes putting up signs wherever relevant, answering questions about procedures and generally being proactive about informing employees about their rights and privacy.
​
Maintain procedures for allowing access or disclosing CCTV footage. This is not just a good idea, it’s a requirement of the DPA. But having clear procedures in place ensures that everyone receives equal protection, and that a company maintains the level of accountability that makes its workplace surveillance trustworthy.
Actively engage surveillance stakeholders, including employees and senior staff. Companies should ensure that everyone can voice concerns about the use of cameras without fear of apprehension.
In particular, employees should have the opportunity to explain and contest footage used during disciplinary hearings. If they are not allowed to do so, the ICO can prevent the data from being used.
Handle data correctly. Don’t misappropriate it, don’t sell it, keep it secure, and answer SARs in a timely manner. Ultimately, the way a company handles its employees’ data is a part of its employer brand, and it’s as valuable as the way it handles its customers’ data.
Conclusions and Recommendations
Companies that operate in the UK are allowed to monitor their staff at work. However, the use of CCTV in the workplace is governed by extensive privacy and data protection legislation, which aims to ensure that the basic human rights to privacy and dignity are upheld for everyone, regardless of occupation and status.
CCTV surveillance cameras can be deployed on a business’ premises, but only for legitimate, justifiable purposes. Certain rights, such as the right to access footage in which they appear, are granted by law to all employees.
It’s up to you to ensure that you comply with surveillance regulations and that you have the technical means to protect your employees’ rights and to respond to their legitimate requests for access to personal data.
Technical requirements range from correct CCTV camera installation to video lookup and indexing software that can help you quickly locate and export relevant footage fragments.