These situations can mean that reviewing CCTV footage can become part of an investigation to an incident or break in, or part of a Subject Access Request. Not knowing how to access the footage or having the proper procedures in place, can lead to delays in responses and can mean you might not be able to meet data protection requirements.
Technical and Operational Barriers.
CCTV might be used to monitor key areas like entrances, gates and corridors. There might be a range of technical and/or operational factors about why you can't view the CCTV footage.🎦Outdated or Inadequate Systems: if your system is old then it may be unreliable or running on outdated technology. It may be prone to failure, record footage at low quality, or have limited storage capacity. This might result in the loss or inaccessibility of footage.
🎦Network or Connectivity Issues: there might be issues with your network that prevents access to the footage. This can also be the case even if the system is new and the footage is stored in the cloud.
🎦 Third Party Management: having a third party manage a CCTV system can mean delays in accessing the footage. However, it can also mean that operationally it is managed well.
🎦 Hardware Failures: sometimes the CCTV system can fail and it is not realised until footage is required. CCTV equipment can be susceptible to hardware failures, such as camera malfunctions, server crashes and hard drive issues. This can result in loss of footage.
🎦 Lack of Trained Staff: often CCTV systems are old and there is no member of staff currently working in an organisation that knows how to access the footage. They may not have the password or adequate technical knowledge to troubleshoot issues or retrieve footage.
Data Protection Implications:
Organisations should comply with the UK GDPR and Data Protection Act (2018) which governs the use and handling of personal data. CCTV footage is considered personal data and so should be handled with care:⚠️ Failure to honour Subject Access Requests: an individual could request CCTV footage as part of a SAR if it contains their personal data. A SAR should be responded to within one month. If technical barriers prevent access to footage then the organisation could face penalties for failing to comply with the request.
⚠️ Delayed Incident Investigation: footage is sometimes used as part of incident investigation such as bullying, vandalism and theft. Delaying the investigation could cause further stress or complaints.
⚠️ Breach of Data Retention Policies: personal data should be retained no longer than necessary, including CCTV footage. Know your retention period for your CCTV. If you have reduced cameras, it may cause your retention period to be longer! Consider how you will comply with a data retention schedule.
⚠️ Data Security Risks: outdated hardware and failures increase the risk of data breaches, particularly if the footage is not stored securely. Is the CCTV box (DVR HDD) in a locked container/cabinet? Unauthorised accidental or intended tampering could be a data breach and might require reporting to the ICO.
⚠️ Inadequate Access Control: specified staff should have access to the CCTV footage. If the footage/ DVR is stored insecurely then it could be accessed by unauthorised personnel which might be a data breach.
Solutions to the Technical and Operation Barriers
Here are some strategies for overcoming the technical and operational challenges:🛠️ Upgrade the CCTV System: investing in a modern CCTV system will offer higher video quality, larger storage capacities and enhanced reliability - they are less prone to failures and easier to maintain.
🛠️ Regular Maintenance: preventative maintenance will help identify potential hardware or software failures. Regular checks of the cameras and system is advised.
🛠️ Staff Training: ensure the relevant staff receive appropriate training on how to operate and maintain the CCTV system effectively. This should include knowing how to retrieve footage, troubleshoot common issues and respond to technical malfunctions.
🛠️ Third Party Providers: working with an outsourced third party provider will help with support and access. Ensure you have done any third party due diligence and have the appropriate agreements in place. If they are a cloud provider you will need to check how they store the footage. Review 👉 Supplier Due Diligence Best Practice.
🛠️ Retention Schedule: ensure you know the retention policy and apply it so that the footage is deleted when your policies say it is. You might choose to communicate this via your CCTV policy or privacy notice. Visitors need to know if they are being recorded.
🛠️ Network Infrastructure: you should consider how reliable your network infrastructure is. If you are a school, you might need to include this when you review 👉DfE Network Standards.
🛠️ Audits & Procedures: you should conduct regular checks and ensure you have appropriate procedures in place for managing a CCTV system so that it complies with data protection law. Review 👉 CCTV Best Practice Library
Although technical and operational issues with CCTV systems can create challenges - it is important to address them so that an organisation can comply with data protection regulations. Proactively addressing these challenges not only ensures organisation can access CCTV footage but also helps protect personal data, maintain safety and avoid potential reputational damage.
Support and Guidance:
✅CCTV Best Practice Checklist✅CCTV Best Practice Library where you can review a policy, access log, signs and further guidance.
✅ Retention Schedule
✅Supplier Due Diligence
✅ Subject Access Requests
Ee can do a CCTV walk about in your organisation: