The usage of closed-circuit television (CCTV) nowadays became even more prevalent in the world of technology. Installing CCTVs aids in identifying future anomalies, provides people with the feeling of safety, and gives a long-term cost-effective solution to privacy and security concerns. CCTVs are tools which support safety and security of personal information controllers (PICs) and personal information processors (PIPs).
As the usage of CCTV employ the processing of personal data, which refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data, these shall then be subject to the guidelines set forth in the Data Privacy Act (DPA).
Included within the purview of the Guidelines on the Use of CCTV Systems as published by the NPC are: households where a CCTV faces outwards from an individual’s private property and captures images of individuals beyond the boundaries of such property; certain business establishments and strategic areas frequented by the public; and within the company premises.
Data Privacy Principles
Under the DPA, all organizations processing data must process data in accordance with the three general data privacy principles. The usage of CCTVs is no exception to these. Prior to installing a CCTV system, the purpose/s for processing personal data must be clearly determined. The first data privacy principle of legitimate purpose is present once the PIC identifies an appropriate lawful basis for processing under the DPA.
Next, the PIC should evaluate whether the installation and operation of CCTV systems is necessary for its legitimate purpose, considering whether such purposes could be reasonably fulfilled by other less intrusive means. Proportionality is fulfilled once the collection and further processing of personal data from CCTV systems is used only to the extent necessary to fulfill the legitimate purpose.
Lastly, PICs and PIPs shall provide CCTV notices which are readily visible and prominent within their premises. The principle of transparency is present once CCTV notices provide information to the public that there is a CCTV system in operation in clear, plain, and concise language.
All of these must be embodied in a mandatory CCTV Policy of the PIC or PIP. The policy shall provide for several information.
First is the designation of an authorized personnel who shall have access to and responsibility for the operation, control, and monitoring of the CCTV system. PICs should restrict monitoring of live CCTV feeds. The designated personnel shall likewise be responsible for granting access to Data Subjects.
Second is the notice/s and placements of CCTV. To ensure that CCTV systems capture footages in a manner consistent with the DPA, the location and angles of the cameras must be carefully considered. This notice should likewise sufficiently explain the policy on CCTV and the rights of data subjects. CCTVs shall only be used to monitor the intended spaces, taking into consideration the purpose for monitoring the same. The use of CCTVs in areas where individuals have a heightened expectation of privacy is prohibited.
Third is the inclusion of the procedure for requests for access to CCTV footages and providing a recording or copy thereof when requested. This shall be done by the usage of a standard request form or by even merely providing for information sufficient enough to process the request. There shall be a verification of the identity of the person requesting for access. The purpose/s of the request and specific details sufficient enough to locate the footage such as date, time, and location must be asked.
In cases where the CCTV footage includes other data subjects or a third-party request for access, such may be allowed provided that the following tests must be considered: First is by using the Purpose Test wherein the existence of a legitimate interest must be clearly established, including a determination of the purpose for acquiring such footage. Second, by the use of the Necessity Test wherein the processing of personal information must be necessary for the purposes of the legitimate interest of the PIC or the third party to whom personal information is disclosed and that such purpose could not be reasonably fulfilled by other means. Lastly, the usage of the Balancing Test wherein the fundamental rights and freedoms of data subjects must not be overridden by the legitimate interests of the PICs or third party, taking also into considering the likely impact to the data subjects involved in the disclosure of the footage.
It is the duty of the PICs to act on the request without undue delay. The PIC must grant the request involving the obtainment a copy of the footage within fifteen (15) working days after receipt of the request. In cases where viewing only is requested, the PIC must grant access within five (5) days upon the request of the Data Subject. If a request is complex or numerous, the process of obtainment or viewing may be extended for a period not exceeding another fifteen (15) working days provided that the data subject or his or her authorized representative is notified of the reason for the extension and the final date of release.
Fourth is the implementation of a retention period and a disposal policy of the footages. There is no specific or fixed minimum or maximum retention periods for CCTV footage. However, the same shall be retained only for as long as necessary to fulfill of the purposes for which the CCTV footage was obtained. Once determined, such information on retention period shall be clearly documented and form part of the CCTV policies.
Fifth is that security measures must be implemented for the protection of CCTV footages against any unlawful interference or interception, unauthorized access by copying, recording or viewing, accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing. Under physical security measures, CCTV footages, whenever access is provided, must be viewed only by the requesting party and the authorized personnel of the PIC in a secure area. Other security measures to ensure confidentiality of the footage to be viewed may be implemented, such as signing of non-disclosure agreements or prohibiting the capture of the footage through mobile phones and other devices, where appropriate. For technical security measures, the recorded footage shall be encrypted. And for organizational security measures, access to the area where the CCTV footages are stored shall be secured and restricted to authorized personnel or persons only. Access logs for the CCTV footage shall be updated on a regular basis, including transfers, reproductions, and access requests.
Sixth is the conduct of regular evaluation and audit of security measures and whether the use of CCTV remains to be justified; and lastly is that the process for the regular review and assessment of the policy and its revision, if necessary, to make sure that the measures in place are still useful and compliant with the DPA.
With the heightened implementation of the usage of CCTVs due to its purpose of protecting important interests of individuals and for public order and safety, the NPC calls on to make sure that the legitimate purpose and impact on the rights and freedoms of data subjects are always put into consideration.
The processing of personal data obtained from CCTVs are forms of personal data processing under the DPA. Hence, before installing a CCTV, the legitimate purpose of processing personal data to be obtained from the system must be determined, the proportionality of the personal data gathered must be delineated, and the transparency of the usage of the personal data must be provided.
As Privacy Commissioner Liboro stated, “CCTV systems, when used reasonably and appropriately, are tools that support the safety and security of PICs, PIPs and data subjects. Implement organizational, technical and security measures, conduct regular reviews on the system, and ensure that its use is bound to specified and legitimate purposes.”
- NPC Advisory No. 2020-04: GUIDELINES ON THE USE OF CLOSED-CIRCUIT TELEVISION (CCTV) SYSTEMS (16 NOVEMBER 2020)
- Privacy Commission calls on entities using CCTV to establish its legitimate purpose [https://www.privacy.gov.ph/2020/11/privacy-commission-calls-on-entities-using-cctv-to-establish-its-legitimate-purpose]