2 minute read
LEGAL MATTERS
using CCTV in a commercial or office car park
Nat Young explains how the use of CCTV in a commercial or office car park is subject to data protection law.
Q What rules apply to CCTV in car parks?
A
The use of CCTV in England and Wales is governed primarily by data protection law – the Data Protection Act 2018 and UK GDPR. Other legal principles can affect the use of CCTV systems, such as private nuisance or harassment, but these are less likely to be issues in a car park environment.
Q Why does data protection law apply to CCTV in car parks?
AData protection law concerns personal data, which is data about identified or identifiable living individuals. Any operational car park CCTV system is likely to capture personal data within this definition, particularly since car park operators will often have other information about individuals using the car park such as their car, number plate or the parking space that they use.
Q Do you need to register with the ICO?
AIf you are responsible for deciding about which CCTV system to use and what happens to its footage, you will be a data controller for the purpose of data protection law. Data controllers are required to notify and pay a data protection fee to the Information Commissioner’s Office (ICO). Anyone merely operating CCTV for someone else would be a data processor, so would not need to register. Processors still owe obligations under data protection law, but not to the same extent as controllers.
Q What else do you need to do when using CCTV in a car park?
A
The main obligations are to identify an appropriate lawful basis for capturing personal data, justify why it is necessary and proportionate, and consider and integrate the principles of data protection law into how you capture and process footage.
Crucially, you must keep a written record of this. Other key issues include how data is shared with other parties (a common situation with car parks), installing signage and the need to respond correctly to subject access requests made by individuals for their data.
Q What are the consequences of getting things wrong?
A
The Information Commissioner can investigate and fine any organisation that breaches UK data protection law. These fines can be substantial – up to a maximum of £17.5 million or 4% of an organisation’s annual worldwide turnover. However, regulatory action is still comparatively rare, and other issues have a bigger practical impact. For example, breaches of data protection law can make it harder to enforce parking policies and there is a growing trend towards using civil claims to enforce rights under data protection law, which exposes businesses to the risk of litigation.
Q How can I get further guidance on these issues?
A
The ICO publish guidance on the use of CCTV on their website, but this is quite generic. Organisations may therefore benefit from a solicitor’s advice on their own particular situation, particularly when it comes to developing and documenting policies around the use of CCTV.
