Under the UK GDPR data subjects can request access to personal data that a controller processes about them. This is known as a subject access request, or SAR. The personal data that a data subject is permitted to request can include copies of CCTV footage that they feature in.
All of the usual rules for responding to a SAR will apply, including that the footage must be provided within one month of receiving the request (unless the request is complex or you have received a number of requests from the data subject, in which case you can extend the deadline by up to a further two months).
But what additional considerations are there where a SAR includes a request for CCTV footage?
Instead of providing a copy of the CCTV footage, it is possible to comply with the SAR by providing the data subject with an opportunity to view the footage, for example in store or at your offices. The important thing to remember though, is that this is only possible if the data subject agrees to access the footage in this way. If they want a copy of the footage rather than a viewing, you must comply with their request for a copy.
Where a data subject is happy to agree to view the footage instead of receiving a copy, this avoids any risks associated with the footage being shared on with wider audiences.
One of the primary considerations with CCTV requests, is the presence of third parties within the footage. It is often not possible to ask the third parties whether they consent to the disclosure of their personal data in response to a SAR, nor appropriate to disclose the footage without their consent. This means that controllers are required to redact or blur third party personal data within the footage, including faces and other identifying features such as clothing, tattoos or vehicle registrations
Some controllers will have the technical capabilities to redact or blur footage themselves, whereas others will need to engage a third party provider to do this for them. When carrying out the redaction exercise, it is paramount that the quality and security of the footage is maintained.
As a result, if engaging a third party supplier to support with this exercise, you should ensure that appropriate data processing, confidentiality and security provisions are in place.
Unless the data subject requests that the footage is provided in another format, if a SAR is received electronically, your response should also be provided electronically. However the footage is shared though, appropriate security measures must be in place to prevent unauthorised access. This can include password-protecting email attachments or memory sticks, or using encrypted file sharing. If a data subject requests the footage on a memory stick, consider whether they are able to collect this in person, and if not ensure that you are using recorded or tracked delivery methods.
If you need assistance with responding to a CCTV request, please contact Hannah Pettit.