Data Protection – CCTV Guidelines


The Data Protection Commissioner has recently issued guidance notes on the use of various items of technology such as CCTV, body worn cameras and drones. It is important for businesses who use these technologies to ensure that their use is compliant with the new guidance so as to avoid a possible breach of Data Protection Laws concerning the use of those technologies.

The new guidance notes take account of the existing legislation and also recent case law and effectively provides the best practice guide for the use of these technologies.



Section 2(1)(c)(iii) of the Data Protection Act provides that the data retained must be adequate, relevant and not excessive for the purpose which it is collected. Therefore, this means that an organisation must be able to show that the collection of CCTV footage on a continuous basis is justified. Usually the use of CCTV for security reasons to capture images of intruders damaging property or stealing goods and such uses are indicated to be likely to meet the test of proportionality.


The uses which the Commissioner cites as examples of purposes which may fail the test of proportionality include installing the system in order to constantly monitor employees. That is not to say that monitoring employees would never be a justified use, but there would need to be special circumstances in order for this to be the purpose of using the technology.

In relation to the use of the technology, the location of the cameras will also be a key consideration. The use of the cameras in areas where people would expect to have a reasonable expectation of privacy would be extremely difficult to justify, for example, areas such as toilets.


In relation to proportionality the Data Protection Commissioner’s Office recommends that the Data Controller would have carried out a detailed assessment of how to use the CCTV cameras and would have prepared a detailed data protection policy dealing with the use of the CCTV cameras and also separately to document evidence of previous incidents given rise to the concerns which justify the use of the technology. In addition, clear signage should be used indicating that image recording is in operation.


The policy regarding the use of CCTV footage should include information such as how to make an access request, the retention period for the information and security arrangements for the storing of that information.



Section 2(1)(c)(iv) of the Data Protection Act states that the data “should not be kept for longer than is necessary” for the purpose for which it was obtained. Therefore, the Data Controller will need to be in a position to justify the retention period which will be used. Obviously the longer the retention period the more difficult it will be to justify this period of time. The retention period should be clearly identified on the Data Protection policy relating to the use of CCTV.


A log of access to the information should be kept and access should be restricted only to authorised personnel.



In order to not breach the Data Protection rights of data subjects where images of them are recorded the Data Protection Commissioner recommends that CCTV footage should only be provided to An Garda Siochana when a formal written request is provided to the data controller stating that An Garda Siochana is investigating a criminal matter.

It is stated that if in emergency situations a verbal request is provided then this can be acted on if followed up with a written request as soon as possible.

A distinction is drawn between a formal request from An Garda Siochana to obtain copies of CCTV footage or a request from An Garda Siochana to simply view the CCTV footage. If the Gardai are making a request simply to view the footage then this would cause less concerns from a data protection perspective.



It is important to note that the data controller may charge up to €6.35 in responding to such a request and must respond within 40 days. The access requester must provide a reasonable indication of the timeframe of the recording being sought and the length of time being sought should be reasonable.

Where images of parties other than the requesting data subject appear on the footage the onus lies on the data controller to redact or darken the images of the other parties as it may pose difficulties to the Data Controller if images of other parties are shown where they can be identified.



There is generally an exemption whereby individuals can install CCTV systems in their own home. However, if the recording is being taken of a public place then this may not be regarded as personal or household activity and may be subject to the rules of proportionality and transparency as outlined above.



It is important for all data controllers to retain a clear and thought out policy regarding the use of CCTV footage and to deal with the items outlined above in that policy. If there was a question in relation to the validity of the use of CCTV footage the data controller should then be able to point to the policy and rely on the provisions contained therein.