Health Secretary Matt Hancock was recently forced to resign after his affair was leaked via CCTV footage. Following the very public scandal, concerns have now been raised around the GDPR and privacy issues associated with CCTV in the workplace.
So, what do employers need to know when implementing this technology?
Identifying and mitigating risks
Before installing CCTV, employers should carry out a data protection impact assessment (DPIA), that will identify the risks of handling the footage and potential mitigation routes.
Employers should consider minimising the impact on people’s privacy, for example by keeping cameras restricted to communal areas only and not recording sound.
The DPIA should also identify the legal basis that the employer has for using the CCTV. If this relies on “legitimate interests” then these must not prejudice individual interests, rights and freedoms.
Informing the workforce
Even with a DPIA on record, employers are still required to speak to all relevant stakeholders in the business, including employees. All affected parties should be made aware that their data is being captured, this includes visitors to the building.
Consent cannot be relied upon as a lawful basis for processing this data, so employees will need to be able to access a privacy policy that includes how the data will be used, how it will be stored and how long for, and who can access it.
Covert cameras
Should an employer have specific concerns about an individual employee, there is no law against the use of covert cameras. However, they will still be required to demonstrate that there is a lawful basis for planting one and carry out a DPIA to cover the circumstances.
Failure to do so, could result in a claim for breach of privacy.
Right to object
Even when fully informed about CCTV, employees are still within their right to object. If a member of staff shares concerns about the way their data is being processed, the employer should firstly offer to provide a more in-depth reasoning for the monitoring. If the worker remains unhappy, then the employer will need to consider how best to move forward.
If one particular camera is of concern, the solution may be to remove it. However, if it is the concept of the CCTV itself, the employer should consider whether the employee’s individual rights are likely to override the legitimate interests they seek to protect. If they believe this isn’t the case, the cameras can remain.
Should the concerns continue, then the business may be faced with a claim for breach of data protection legislation and right to privacy. The employee also has the option to escalate the complaint to the Information Commissioner’s Office (ICO), which has the power to investigate and issue fines for GDPR breaches.
As the technology becomes more affordable, the interest in CCTV across businesses of all sizes increases. Seeking legal advice before implementation, can help employers ensure that they are following the correct GDPR processes and avoid costly fines down the line.
Get in touch to find out how our GDPR team can help.
We have launched our guide to recovery and resilience, helping to support businesses and individuals unlock their potential, navigate their way out of lockdown and make way for a brighter future. Further advice in relation to COVID-19 can be found on our dedicated coronavirus resource hub.
From inspirational SHMA Talks to informative webinars, we also have lots of educational and entertaining content for life and business. Visit SHMA® ON DEMAND.