Entities that use closed-circuit television (CCTV) to monitor public and semi-public spaces must identify its legitimate purpose and consider its impact on the rights and freedoms of data subjects, the National Privacy Commission (NPC) said.
NPC issued Advisory No. 2020-04 on Monday, Nov. 16, to guide personal information controllers (PICs) and processors (PIPs) that process personal data through the use of CCTV systems.
The capture, use, retention and destruction of video and/or audio footage obtained from CCTVs are forms of personal data processing under the Data Privacy Act. Before installing a CCTV, the purpose/s of processing personal data to be obtained from the system must be determined.
Purposes that are allowed include compliance with the law or regulation; security of properties; protection of important interests of individuals; and, public order and safety. However, these purposes are overridden by the fundamental rights and freedoms of data subjects.
“CCTV systems, when used reasonably and appropriately, are tools that support the safety and security of PICs, PIPs and data subjects. Implement organizational, technical and security measures, conduct regular reviews on the system, and ensure that its use is bound to specified and legitimate purposes,” Privacy Commissioner Raymund Liboro said.
Prior to installing a CCTV system, NPC said the purpose/s for personal data processing using such system must be clearly determined. Such processing may be permitted for specific purposes, except where the same are overridden by the fundamental rights and freedoms of the data subject.
PICs shall identify an appropriate lawful basis for processing under the DPA and provide such basis when required by the Commission.
The PIC should also evaluate whether the installation and operation of CCTV systems and the nature and kind thereof is necessary for its legitimate purpose, considering whether such purposes could be reasonably fulfilled by other less intrusive means.
Collection and further processing of personal data from CCTV systems should only be to the extent necessary to fulfill the legitimate purpose.
For transparency, PICs and PIPs shall provide CCTV notices which are readily visible and prominent within their premises, such as at points of entry, or other conspicuous areas.
The CCTV notices shall provide information to the public that there is a CCTV system in operation in clear, plain, and concise language.
To ensure that CCTV systems capture footages in a manner consistent with the DPA, the location and angles of the cameras must be carefully considered. CCTVs shall only be used to monitor the intended spaces, taking into consideration the purpose for monitoring the same.
The use of CCTVs in areas where individuals have a heightened expectation of privacy (i.e. fitting rooms, rest rooms, toilets, lactation or breastfeeding rooms, and other similar places) is prohibited.
PICs are also required to implement reasonable and appropriate safeguards to ensure and maintain the integrity and accuracy of the footage recorded and stored, including any associated meta data (i.e. time, date, and location), and to facilitate access requests for CCTV footage.