I was tagged into an interesting thread on Twitter, in which someone wanted to put CCTV/IP cameras to record a public place, because of ongoing criminal activity in that area.

The question was essentially “doesn’t the GDPR stop me from doing this?”.

And my answer was “no, the GDPR does not stop you from doing it. It just says how you need to do it”.

I gave some suggestions about how to do it consistently with the GDPR, and I’m putting them here, with a few additional comments.

IP cameras / CCTV cameras, public spaces, and the (UK) GDPR

This isn’t legal advice, and it’s mostly (I hope) common sense.

• Don’t use cameras if there’s another reasonable option (e.g. better lighting)

• Don’t enable audio recording unless there’s a really good justification

• Keep each camera’s field of view as limited as you reasonably can

• Take the cameras down when you no longer need them

• Be transparent: put signs up showing you are using cameras, with (at a minimum) your contact details and an offer of more information. Talk with your neighbours, and take onboard their concerns (if any)

• Make sure your notice gives - or gives people a way to access - the information in the checklist here.

• If you’ve followed the points in this blogpost, that should be dead easy to do.

• If people contact you about it, engage reasonably with them. If they ask for a copy of footage with them in it, give it to them

• Keep footage for the shortest period you reasonably can. Ideally, set it up so that it deletes automatically.

• Be realistic. If you’d know that someone had broken into your car within 12 hours of it happening, do you need to keep the footage for much longer than that?

• Perhaps you need to keep it for a longer period if you’re planning on going away for the weekend and don’t have remote access.

• Avoid a system which sends data outside the UK or EU.

• You probably can still comply with the GDPR if it sends data outside the UK or EU, but it could end up being quite a lot more painful.

• If the data are stored in the UK or EU, but you (and not others) can access those data when you’re travelling, that’s unlikely to be a problem.

• Don’t post the footage on social media. But sharing relevant footage with police is fine

• Lock the cameras down: don’t let other people access / control them. You might want remote monitoring / remote control, and that’s fine

• Don’t use default passwords, especially ones which are listed publicly (e.g. in a manual)

• Keep the recordings reasonably securely, not on a public share / website

• Keep notes of what you decided, with reference to the points above, and - importantly - why you made those decisions. You could do a formal “legitimate interests assessment”, but keeping notes on why you’d made the decisions you made plus sticking the points above is likely to be sufficient.

Other points

But the GDPR requires opt-in consent?

No. Consent is one of the lawful bases. It’s not the only one, and, in this case, it is not the appropriate one.

But the GDPR doesn’t apply to individuals?

No. It does. Some processing by individuals is out of scope - processing of personal data by an individual in the course of a purely personal or household activity - but that’s a derogation from the fact that it does apply.

There are plenty of things which are likely to fall within that derogation, but the situation here is not one of them.

But what about that recent case where someone was successfully sued because of their cameras?

I’ve written about that on my work blog.