A company that provides CCTV systems has been fined by the Information Commissioner for two breaches of the data protection legislation.
The Information Commissioner’s Office (‘ICO’) became aware that the company (a provider of CCTV systems) had not been displaying adequate CCTV signage at their client premises. When CCTV is used, an essential feature of the data protection legislation is that clearly worded notices should be on display at the premises advising that CCTV cameras are in use. The notice should also refer to the purpose of the CCTV. In terms of administrative steps, there should be clear policies and procedures in place, and these should be communicated to those who need to comply with them. This is usually in the form of a ‘Privacy Notice’.
There also needs to be ongoing assessment of the CCTV system and its purpose. Periodic reviews should be documented to consider whether the use of CCTV continues to be justified. This is in keeping with the data protection regime: an organisation must not only comply with the legislation, but also be in a position to demonstrate its compliance activities if challenged.
Over a five-month period the ICO wrote to the company on a number of occasions seeking an explanation. The lack of response eventually resulted in the ICO issuing an ‘Information Notice’, which is a formal notice of demand for compliance. The company did not respond or take action.
Organisations that are a ‘Data Controller’ under the legislation are also required to register with the ICO and pay a registration fee, unless one of the available exemptions applies. The company in this instance failed to do so.
A prosecution followed. In a hearing that took place on 2 July 2018, the Magistrates’ Court issued a £4,500 fine for the failure to register with the ICO, and the company’s failure to respond to the ICO’s formal demand to display the correct privacy information. The company did not attend the hearing, and the fine was issued in their absence.
Although the fine was issued for breaches of the Data Protection Act 1998, the new Data Protection Act 2018 (which came into force on 25th May) preserves the same principles. The deployment of CCTV is a particularly sensitive issue, and organisations are recommended to take the right advice on how to document, and evidence, their ongoing compliance obligations.