Completing a DPIA on surveillance cameras

The following Risk & Compliance practice note provides comprehensive and up to date legal information covering:

  • Completing a DPIA on surveillance cameras
  • UK GDPR and DPA 2018
  • The regulators
  • The ICO
  • The SCC
  • Regulatory codes and guidance
  • SCC Code of Practice
  • Joint SCC/ICO guidance
  • EDPB guidelines on the processing of personal data through video devices
  • Historic ICO CCTV Code of Practice
  • More...

Completing a DPIA on surveillance cameras

This Practice Note is aimed at in-house lawyers, privacy and compliance professionals in private commercial organisations. It explains why, when and how to complete a data protection impact assessment (DPIA) on a new or existing surveillance camera or CCTV project or system. It will take you through the key points of a DPIA, based on a template and guidance produced by the Surveillance Camera Commissioner (SCC) and ICO, and takes into account the requirements of the UK General Data Protection Regulation (UK GDPR), Retained Regulation (EU) 2016/679.

A DPIA does what the name suggests—it’s a way of assessing the data protection impact of a particular project or process on any affected individuals. Generally, a DPIA is conducted at the start of a project which could have data protection or privacy implications, eg rolling out a new document management or HR system. Done properly, the DPIA will enable you to:

  1. systematically and thoroughly analyse how the project will affect individuals’ privacy, and

  2. ensure privacy risks are minimised while allowing the aims of the project to be met whenever possible

For more information on the use and regulation of surveillance cameras by public bodies, see Practice Note: Surveillance powers of local councils—Surveillance cameras and CCTV systems.

UK GDPR and DPA 2018

The data protection regime applies to all personal data, which includes images of individuals

Popular documents