Every step you take, we’ll be watching you: CCTV and data privacy
CCTV Legislative Framework
The City of Cape Town has a large number of CCTV cameras that form part of a network used to monitor public spaces in order to prevent instances of crime. Over the years the need to monitor public spaces and vehicles on major roads has increased. The surveillance of persons and their activities raises some major data protection concerns regarding the use and regulation of CCTV cameras.
As a result, the Western Cape Government is in the process of developing a provincial legislative framework that will govern the use of CCTV cameras both on private properties and in public areas. To date, such a legislative framework does not exist. This will be a great starting point in addressing growing concerns regarding security camera networks across the country and addressing the question of privacy. There is certainly a need for a legislative framework that can ensure that these networks can prevent crime without encroaching on the privacy rights of persons.
Application of POPIA
Such a legislative framework would likely need to be developed in compliance with the Protection of Personal Information Act (“POPIA”). POPIA requires public and private bodies to protect any "personal information" they hold relating to any person. In terms of POPIA, CCTV data would also fall within the scope of personal information if such a recording provides information relating to an identifiable, living, natural person and, where applicable, an identifiable juristic person.
Such a legislative framework would also have to ensure that both public and private bodies that are subject to it would have to adhere to the conditions for lawful processing of personal information provided for in POPIA. This means that every public or private body that collects personal information by way of CCTV must have a lawful basis for doing so. In this regard, POPIA permits a public body (such as the SAPS or a metropolitan police force) to process personal information where it is necessary for the performance of its public law duty, and permits a private body (such as the occupier of premises or owner of property) to do so to pursue its legitimate interests. In this particular context, the CCTV data is to be used for the lawful purpose of detecting, investigating, prosecuting punishable offences, preventing crime and ensuring the safety and security of property.. When processing personal information, public and private bodies would have to justify the element of “minimality” because surveillance measures should only be used if the purpose for which is the personal information is processed could not reasonably be achieved by other means which are less intrusive to the fundamental rights and freedoms of any person. Furthermore, they should only monitor what is necessary and therefore they should not survey areas that fall outside the locations they are entitled or obliged to protect.
Generally speaking, public and private bodies are obligated to notify persons when collecting their personal information. Prominent signage at the entrances and other strategic points on premises or locations that are being monitored, advising people accessing the premises or areas of that fact, will go some way to fulfilling this requirement. However, there are instances where they may be exempt from this obligation, specifically where compliance with the obligation would prejudice a lawful purpose of the collection of personal information. In terms of POPIA, some examples are where non-compliance:
would not prejudice the legitimate interests of the person concerned;
is necessary to comply with an obligation imposed by law;
is for the conduct of proceedings in any court or tribunal;
is in the interest of public security and;
is to avoid prejudice to the maintenance of the law by a public body, including detection, investigation, prosecution and punishment of offences (for example where warning malfeasants of the existence of the monitoring would assist them to circumvent it).
It is equally important that the CCTV data is only used and kept only to fulfil its purpose, which is to identify individuals performing offences that are punishable by law or infringe the legitimate rights of others. Furthermore, the CCTV data should be restricted to authorised persons that require access to it for purposes for which the data is held. The manner in which CCTV data is stored must be secure in order to prevent unauthorised access. In addition, the CCTV data should only be stored for as long as the purpose for which it is recorded requires . Where it is no longer necessary to retain such data, it must be deleted in accordance with POPIA.
It is ultimately the responsibility of private and public bodies to secure the integrity, confidentiality of personal information in their possession or under their control by taking appropriate, reasonable, technical and organisational measures to prevent data breaches in line with the security safeguard condition in POPIA. This means that they should ensure that technical and organisational measures promote the protection of personal data. It may also be worthwhile to conduct a data protection impact assessment in instances where the CCTV data is likely to put the data subject at risk. Overall, the development of a legislative framework that will govern the use of CCTV data is to be welcomed in light of the sometimes conflicting interests of parties collecting personal data and the data subjects to whom it relates.