Recognisable facial images captured by CCTV systems are special category personal data and on that basis require appropriate controls and protections around their use, in line with statutory requirements contained in the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (the Acts).
This confers rights to persons under the Acts. Importantly, the Council has duties and obligations as the holder of personal data, as in these cases, and must ensure such data is handled and managed correctly. This policy statement sets out what Kildare County Council, as Data Controller, must do in relation to management of personal data processed using CCTV.
Purposes and locations for CCTV:
Kildare County Council operates as a data controller regarding the use of CCTV for a range of purposes at various locations around the County:
Security of Council premises and property, including assisting in the safety and security of staff, visitors and customers on our premises throughout the County;
Assistance in the maintenance of public order and safety, including reducing or deterring incidence of anti-social behaviour, including in common/open space areas of certain residential developments in Maynooth and Athy;
Assistance in monitoring and managing traffic conditions on the regional and local road network. In this regard the Council operates a Traffic Management Centre where CCTV footage at key junctions and bridges in the following areas are recorded: Naas, Newbridge, Kildare, Leixlip, Celbridge, Maynooth, Carragh, Athy and Monasterevin. In carrying out Traffic Management functions Kildare County Council do not access vehicle registrations or facial images from CCTV. An Garda Siochana have access to a live feed of footage from the Traffic Management CCTV of Kildare County Council.
Assistance in the prevention, detection, investigation and prosecution of offences, including exercise of statutory law enforcement powers of the local authority (e.g. litter, waste enforcement)
In the case of litter and/or waste enforcement this may include from time to time temporary (normal duration of 3-4 weeks) covert CCTV use at remote litter blackspots. CCTV is overty used (signed) at Recycling Bring Centres in Tesco Newbridge and Kildare Town to aid litter enforcement activities.
To assist in emergency response situations for example, accidents, flooding, winter weather conditions
Management of CCTV:
In fulfilling its role as a Data Controller the Council is committed to ensuring that personal data collected via CCTV will be in line with the principles of the GDPR as below;
Obtained lawfully, fairly and in a transparent manner
Obtained for only specified, identified and legitimate purposes
Processed for purposes which we have identified or purposes compatible with the purposes that we have identified.
Adequate, relevant and limited to what is necessary for purpose for which it was obtained
Personal data collected and processed must be accurate and (where necessary) kept up to-date.
Kept only for as long as is necessary for the purposes for which it was obtained.
Processed in a manner that ensures the appropriate security of the personal data including protection against unauthorised or unlawful processing.
Processing CCTV images lawfully
The Council will identify a primary purpose for each CCTV system and this shall be aligned to a lawful basis, in accordance with Article 6(1) of the GDPR being either
A task carried out in the public interest
Exercise of official authority vested in the controller
Necessary for compliance with a legal obligation to which the controller is subject or
In exceptional circumstances processing is necessary in order to protect the vital interests of the data subject or of another natural person
The staff approved to access CCTV systems in the course of their duties will primarily do so for the purposes for which the CCTV was approved and installed.
This is without prejudice to the provisions of the Data Protection Act 2018 which in limited circumstances may allow limited access to and use of personal data, for purposes other than those specified related to the CCTV system, where it is necessary and proportionate for the Council to do so.
Processing CCTV images fairly and in a transparent manner.
To ensure compliance the Council will:
Include reference to CCTV use on its online Data Protection information
Ensure reference is made in privacy statements to the use of CCTV and its purpose where relevant in relation to a service;
Where feasible, ensure that signage regarding use of CCTV is easily- read and well-lit and in prominent positions, for example at the entrance to a facility where used at a property of the Council or at reception areas, or close to internal cameras, if used in rooms:
Ensure that the signage:
States the name of Data Controller - Kildare County Council
States purpose for CCTV use, where this is not readily obvious and includes an icon or statement that CCTV is in use
Provides contact details of the DPO – 045 980 200 or firstname.lastname@example.org
Ensure customers are advised of the use of CCTV using Video and Audio Recording in meeting rooms, where applicable. These rooms should also display signs as above.
More information on privacy statements for CCTV use is available here: http://kildare.ie/countycouncil/PrivacyStatement/index.html
Ensuring data minimisation and compliance with retention standards.
Article 5(1)(e) of the GDPR states that personal data shall be:
”..kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed..”
In accordance with this the normal retention period shall be not greater than one month.
Where, in response to an access request from An Garda Síochána or other agencies or processors (such as legal representatives), footage is downloaded and provided it shall be deleted from the CCTV system upon transmission to An Garda Síochána.
In line with principles of data minimisation, use of CCTV to monitor areas where individuals would have a reasonable expectation of privacy will not take place. Cameras placed so as to record external areas shall be positioned in such a way as to prevent or minimise recording of passers-by or of another person's private property. Compliance with this requirement must be demonstrated at installation and reviewed periodically by persons authorised to access images.
Processed in a manner that ensures the appropriate security of the personal data
Recorded images will be stored in a secure environment, will be restricted to authorised individuals and access controls will be in place to ensure they are secure (practical measures include remote feeds to secure locations/servers, password controlled/encrypted access to data, locked storage rooms);
Access to and disclosure of CCTV images to external parties is to be carefully monitored. All requests and disclosures made to in relation to Access Requests for personal data to the Data Subject or third parties such as An Garda Síochána will be recorded in the access log by the DPO and/or logs maintained by Depts will be available to the DPO.
Security companies that place and operate cameras on behalf of clients may be considered to be "Data Processors", depending on the nature of their access to footage. As data processors, they operate under the instruction of data controllers (Kildare County Council). Where any aspect of the services provided by a data processor involves processing of personal data obtained through CCTV the processor must be subject to a data processing agreement that sets out their obligation to the Council as controller, in detail.
The use of recording mechanisms to obtain data without an individual's knowledge is generally unlawful (i.e. without signage). If the surveillance is intended to prevent crime, overt cameras may be considered to be a more appropriate measure, and less invasive of individual privacy. Use of covert CCTV by the Council will be an exception and is only permitted where the data are kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders.
This provision automatically implies that the use of such CCTV will be with the objective of an actual involvement of An Garda Síochána or other prosecution authorities for potential criminal investigation or civil legal proceedings being issued, arising as a consequence of an alleged committal of a criminal offence(s).
Covert, surveillance may on occasion be justified where it is apparent that overt surveillance would or has merely transferred any illegal activity to some other location where CCTV is not in place.
Approval and review of covert use
Council Departments proposing to use covert surveillance for the first time must consult the DPO and (in addition to standard requirements of this policy related to CCTV use):
Retain evidence (photos, complaints, reports, prosecutions, statements etc.) to satisfy themselves (and the DPO or DPC as required) that use of covert CCTV is a proportionate measure;
State in relevant privacy statements that covert CCTV may be used and the purpose for same;
Ensure use is focused in purpose and of short duration;
Record only specific (and relevant) individuals / locations and avoid intrusion of privacy outside the target area;
Annually review the effectiveness of covert use and if no evidence is obtained or the use is not serving its purpose within the preceding year, the surveillance should stop at said location.
Current use of covert CCTV.
In this context, to operate its statutory litter and/or waste enforcement powers the Council will from time to time use temporary (normal duration of 3-4 weeks) covert CCTV at remote litter blackspots.
Access requests for CCTV footage
Under data protection legislation, individuals are permitted to seek access to images held by Kildare County Council. This applies equally to employees and members of the public.
To make a Data Subject access request for CCTV images, individuals must supply a written request to the Data Protection Officer and supply proof of identity (photo ID), date, time, location of CCTV footage and state their legitimate reasons for seeking access.
A form has been developed for this purpose.
Where the image / recording identifies another individual, those images may only be released where they can be redacted / anonymised so that other persons are not identified or identifiable.
If the image is of such poor quality as not to clearly identify an individual, that image may not be considered to be personal data and may not be released by the Council.
In giving a person a copy of their data, the Council may provide a still / series of still pictures, a tape or a disk with relevant images. However, other images of other individuals will be obscured before the data is released.
More information on access requests and subject rights are here
The Council will facilitate access to CCTV by An Garda Siochana where a valid request is made. A form has been agreed to facilitate such requests.
Where a copy is provided it must be given on an encrypted USB.
The Council maintains an access log in relation to all such requests.
Policy regarding new CCTV.
It is the position of the Council that the proposed use of technologies involving CCTV, body worn equipment and drones will be reported to the Council’s DPO from May 25th 2018 to enable a privacy impact assessment to be carried out, to assess the proportionality of use of technologies and, where required, the measures to ensure its use in compliance with Data Protection legislation and guidance.
The Council is reviewing existing practice in respect of CCTV systems operated by the Council in the County and will comply with revised guidance of the Data Protection Commission on this matter, which is pending. This review includes consideration of resource implications for example related to signage.
Our policy will specify legitimate purposes for the use of CCTV and distinguish between covert and public CCTV, body worn equipment and any proposed use of drones or similar technologies.
Should the review identify amendments to policy they will be published online where applicable.