Businesses need to ensure if they use CCTV they do so legally and that any footage recorded is securely kept – unlike the recent incident involving the UK’s health secretary Matt Hancock.
Shaky CCTV footage and still images of former health secretary Matt Hancock embracing his aide recently flooded the internet, causing his eventual resignation for a breach of his own COVID regulations.
But while discussion of exactly how the footage was obtained remains unclear, what is emerging is that government departments like other businesses are increasingly using CCTV to monitor their staff and visitors, as well as their buildings.
“In London alone, there are now at least 50,000 CCTV cameras, most of them installed on private premises, including workplaces,” says Andy Stocker, Director of Electronic Security at ACCL, which routinely installs surveillance cameras in the workplace. “We’ve always been obsessed with CCTV in the UK compared to other European countries, but take up has increased in the last ten years with migration to IP cameras,” adds Nick Smith, Regional Manager at Genetec, which provides access control and surveillance software for businesses.
So what can organisations do to ensure they stay on the right side of the law when it comes to using overt surveillance or, indeed, covert surveillance (where a camera is secretly installed). And how can they prevent footage from being leaked if not to media organisations, then into the hands of people they would rather not view it? In this article we will look at the steps that businesses need to take to ensure they comply with CCTV legislation.
Surveillance v Civil Liberties
First of all, there is the issue over whether using CCTV in the workplace in the first place is even legal. The answer is yes, but with some caveats. Under surveillance law, businesses have a right to protect their legitimate business interests using CCTV, as long as their deployment is proportionate, necessary, and addresses a pressing need that cannot be addressed by other means.
On the other hand, Article 8 of The Human Rights Act (1998) outlines a person’s right to privacy which extends to public spaces and the workplace, as well as the home. Further legislation also enshrines an individual’s right to freedom including the Data Protection Act (DPA) of 2018 which expands on Article 8 of The Human Rights Act and GDPR (General Data Protection Regulation) which clarifies that CCTV is personal information and which includes number of specific requirements about how footage is collected, processed and disclosed.
According to Toni Vitale, Partner at Gateley Legal, balancing the rights of an individual with those of a business relies largely on businesses being completely transparent with their staff. “You don’t have to tell employees where the cameras are located, but you do need to tell them they are being monitored and recorded. This is usually covered somewhere in a staff handbook, says Vitale. “What you have to determine is what’s the legitimate interest of the person recording and does it outweigh the right to privacy of the person being filmed?”
Importantly, says Vitale, businesses shouldn’t invade people’s private lives. For example, while it is perfectly legal to monitor how long people are working at their desks and their work-related emails providing they are informed, it isn’t legal to check private emails whether they are from a work or personal email address. “Lots of people will use their work emails to arrange social events which employers are not supposed to look at.” Conversely, it could be legal (although technically difficult) to check private email if it was being used to, say, ‘poach clients or take data from the business.’
Nor is the use of recording equipment always by the employer. Sometimes it can be used by an employee. “I’ve dealt with lots of cases where employees have recorded their line manager without telling them because they are concerned about bullying or sexual harassment,” says Vitale.
While in many cases this audio or video evidence will be admitted by an employment tribunal, if the employer has done nothing wrong then it could technically be a breach of their human rights and a criminal offence under the Data Protection Act, section 170. Similarly, if an employee captures video footage of another employee who has done nothing wrong then this could also be a breach of their data protection rights.
However, in the case of Matt Hancock, it would seem likely that the person who captured footage from the security camera in his office claimed he or she was a ‘whistle blower’ and that it was in the public interest to reveal the health secretary’s breach of social distancing regulations.
Informing the ICO
While most businesses simply use CCTV for security related or intelligence purposes, such as tracking the numbers of people entering and leaving a building for insurance reasons, it’s important that if they are using cameras for management purposes – such as logging how long employees are spending at their desk – that staff are informed of this, claims ACCL’s Andy Stocker. “If you start to use the cameras to manage someone’s performance without them knowing they would have recourse to say that the system hadn’t been put in for this purpose.”
Each camera also needs to be registered with the ICO (Information Commissioner’s Office), along with the purpose of its use. And although this isn’t usually a problem for ‘overt surveillance cameras’, Stocker claims that permission for covert surveillance cameras in the workplace ‘would almost certainly never be given’ unless it was for a ‘very specific criminal investigation.’ Stocker claims it’s important that every camera has a particular purpose and that people are aware of how it is being used. “There are always a small number of people who are very much against any kind of surveillance, but most become more comfortable when they fully understand what the system is doing.”
Stocker says in the case of Matt Hancock it is very unlikely that the camera was moved. “As a designer of a CCTV system, that’s where I would put a camera to get the image of someone coming through a door.” That said, he admits that most organisations would tend to install cameras in more public areas such a lobby, lift or entrance and exit points of the building. “We tend not to put cameras in areas where people have a reasonable expectation to privacy such as inside an office.”
However, according to Genetec’s Nick Smith the use of surveillance cameras in the workplace is changing. “Typically most cameras were installed on the outside of the building because they were looking for outside threats, but as IT has become more prevalent and more data is stored in the workplace, the insider threat has become much higher,” he says.
Storing CCTV footage
Finally, keeping data secure, including CCTV footage, is becoming increasingly challenging for businesses especially when it is typically stored for at least a month, admits Genetec’s Nick Smith. “Now everyone has mobile devices with cameras on them, it is difficult to stop the movement of data outside of the control room.” However, measures can at least be put in place so that if CCTV footage is filmed from a computer monitor – as seems to be the case in the Matt Hancock affair – details of the operator who is logged onto the system at the time will be shown as a watermark on the screen.
For businesses CCTV can be an effective way to protect their assets, comply with health and safety measures and possibly monitor staff behaviour. However, they must be fully transparent with staff about how cameras are used, register their use with the ICO and balance their business interests with those of an individual’s rights to privacy. Appropriate steps also need to be taken to mitigate the risks if the worst should happen and CCTV footage falls into the wrong hands, as happened recently in a UK government building.
Written by Chris Price, IFSEC Global