Filtered By: Opinion
Opinion
LAW, ICT, AND HUMAN RIGHTS

Maintaining CCTV Systems


The National Privacy Commission (NPC) released another issuance last week. This time it’s an Advisory and it’s about closed-circuit television (CCTV) systems in public or semi-public areas.

That first detail is critical and here’s why: circulars actually prescribe rules and procedures, while advisories tend to offer explanations or suggestions. Circulars are meant to supplement the provisions of existing laws like the Data Privacy Act (DPA), or to provide the means for carrying them out. In many cases, failure to comply with a Circular results in administrative penalties. One can’t say the same for Advisories. Keep this in mind when you go over the document yourself.

What I’ve prepared here are the key suggestions of the Commission featured in the Advisory. I agree with most parts but find some in need of clarifications. I also disagree with a few scattered points, one of which I will end this piece with. Thus:

1. If you will install and maintain a CCTV system, you should have a legitimate purpose. Among the more common reasons include: (a) to comply with a law or regulation, including city ordinances; (b) to secure one’s property; and (c) to ensure public order or safety.

2. Observe the Proportionality Principle. Except in cases where you are required by law or regulation to install a CCTV system, begin by asking yourself this: is there a less intrusive way to achieve or meet the purpose of this system? If there is one, it’s ideal that you adopt that measure instead. If you’ve determined that a CCTV system is necessary, go ahead but think about the other factors that may impact the intrusive nature of your system, such as: (a) number of cameras; (b) location of the cameras; (c) recording capability; (d) storage capacity; (e) disclosure or sharing protocol vis-à-vis the CCTV records; and (f) retention period.

3. Put up CCTV Notices. Consistent with the general rule observed when personal data is being processed, you should make sure people know you have cameras in place recording data. A well-placed CCTV notice will do the trick. While the Advisory is silent on the use of a Privacy Notice, I recommend that you still maintain one. It should explain the relevant details of your CCTV system. If you’re wondering if the two Notices can be combined, it’s possible although it may not be the most practical approach (i.e., CCTV Notices are like common signages, featuring short but big text).

4. Establish a CCTV Policy. If your Notices inform people about your CCTV system, this document should govern it. It should, among others, discuss: (a) who are authorized to maintain and access the system; (b) the locations of your cameras; (c) the process for requesting access to or a copy of your CCTV records; and (d) retention period of your CCTV records.

5.  Conduct a Privacy Impact Assessment (PIA). Many would probably frown on this and note that a CCTV system is simple enough, a full-blown PIA would be an unnecessary hassle. To be fair, it’s what most people say about PIAs, in general. Remember, though, that this minor inconvenience can go a long way in helping you avoid data breaches or some other serious data privacy law violation. If made to choose between the two, I’m betting people would rather go through the hassle.

6. Keep your CCTV system secure. While the system is in itself a security measure, it must also be insulated from all possible threats. This means making sure only authorized personnel have access to it, especially the recorded data. Systems that are connected to the web are particularly more vulnerable.

7. Handle access requests promptly and properly. The Advisory looks at and treats access requests based on who is making them.

  • Data Subjects. Any person whose personal data is captured by a CCTV system has a right to access his or her recorded data, and/or ask for a copy of such data. The NPC describes this right in absolute terms, presumably based on the provisions of the DPA regarding data subject rights. If that’s the case, then I’d like to think it is also subject to the same limitations that apply to those rights (see: Sections 18 and 19, DPA).
  • Law enforcement authorities. The police and other law enforcement agencies must present sufficient proof of the occurrence of a crime, the corresponding investigation, and the authority of the requesting party, before their requests are granted or favorably acted upon. I suppose this means they cannot just go on a fishing expedition and ask for CCTV records, hoping to chance upon a crime being committed.
  • Courts. A court may access or ask for copies of a CCTV record once it has issued a lawful order.
  • Journalists. CCTV system owners need not give the media access to or copies of their CCTV records. In fact, they are barred from doing so if it’s merely for entertainment purposes—not unless the data subjects give their consent. That said, an owner may choose to do so if there is a “lawful basis” and the disclosure gives “due regard to the rights of data subjects and codes of conduct and ethical standards of journalism.” I think the NPC failed to give sufficient guidance here, and simply left it to the owners to figure things out. It even sounds like the Commission expects owners to be familiar with whatever codes of conducts or ethical standards that apply to journalists. Curiously, when it comes to law enforcement, the NPC is not as shy and actually gives possible grounds for the disclosure of CCTV records to the media (e.g., public order and safety, identification—of suspects[?], etc.).
  • Others. Each request must be evaluated based on its merits. The requesting party must have a legitimate interest and it must outweigh those of the people whose data were captured by the CCTV system.

CCTV system owners address access requests within a reasonable period. The Advisory recommends a tiered response (i.e., if mere access to the CCTV record will suffice, release of a copy may be dispensed with). A reasonable fee may also be collected, just enough to cover administrative costs.

Finally, the NPC suggests possible grounds for denying access requests. They include requests: (a) accompanied by insufficient or incomplete information; (b) that are frivolous or vexatious; (c) that are contrary to law, morals, or public policy; (d) that will involve unreasonable or disproportionate effort by the owner; (e) that involve CCTV records that are no longer available or have already been deleted; and (f) where the ensuing disclosure will put an ongoing criminal investigation at risk.

Overall, I would say the issuance is useful, especially as regards access to CCTV records. As a Data Protection Officer and as a privacy practitioner, I know how organizations frequently come across access requests and how diverse their responses are (for lack of guidance). This Advisory could help solve that.

I did say, though, that the Advisory has parts I am not comfortable with. Some of them I have already mentioned in the preceding paragraphs.

The most significant in terms of impact is how it manages to include home or residential CCTV systems in its coverage. These would ordinarily be outside the scope of the DPA.

In fine, the Advisory says that if at least one of your CCTV cameras is facing a public space or area, then your CCTV system is covered by the Advisory—and, by necessary implication, the DPA. I think the Commission got this idea from a decision of the Court of Justice of the European Union. It’s a position similar to that adopted by the UK’s Information Commissioner’s Office. Suffice to say, it has many ramifications, not least of which is that it unnecessarily expands the scope of the DPA. Then there’s the undue burden it imposes on individuals or families. They, too, are expected to observe the list I’ve provided here.

Don’t get me wrong, though. I think the EU is still the gold standard when it comes to data protection. Of course, this doesn’t mean we have to adopt every single view or position they maintain.

Thankfully—and this is where the distinction I made earlier proves crucial—we’re just talking about an Advisory here. Nothing more.

----------------------------------------

Jamael Jacob (@jamjacob) is a lawyer specializing in the field of law, ICT, and human rights. He works for the University Data Protection Office of the Ateneo de Manila University, the Foundation for Media Alternatives, and the LIGHTS Institute. The views expressed herein do not necessarily represent or reflect the views of the organizations he is currently affiliated with.