Why Your Business Should Have A CCTV Policy
Every Nigerian has a Constitutional right to privacy. The Nigerian Data Protection Regulations (NDPR) introduced in 2019 also regulates and protects the processing of personal data of Nigerians.
It provides minimum policies and practices that must be present in any organization that handles and processes the personal data of Nigerians.
This includes the personal data of their employees and their customers/clients. Personal data refers to any information through which a human being can be identified such as their name, address, picture, email address, bank details, health information, IP address, etc.
Who Should Have a CCTV Policy?
Some business owners have installed Closed-Circuit Television Cameras (CCTV) on their business premises for a variety of reasons, including security purposes and to monitor business activities.
The CCTV cameras capture the live video footage of any person who walks into the vicinity covered by the camera. The personal information which the CCTV cameras capture includes the photographic images, behavioral mannerisms, and activities done by persons who walk into the vicinity of the camera.
Some CCTV cameras are so powerful that they can penetrate dark spaces and zoom into minute details. The video footage from CCTV cameras can either be viewed in real-time and/or can be saved/recorded for later viewing. Both activities amount to the processing of personal data under the NDPR which must be done in accordance with the law.
All electronic surveillance carried out away from a person’s domestic property must comply with the NDPR. Hence, CCTV cameras in business establishments and public places must comply with the NDPR.
A CCTV Policy sets down the position of that business establishment on how the CCTV camera is to be managed, operated, and used by the organization in such a way that the privacy rights of Nigerians are protected.
HOW CAN CCTV CAMERAS BE USED IN ACCORDANCE WITH THE NDPR?
The NDPR contains six principles that must be present every time an organization attempts to process personal data of individuals, including when it records and processes footage from CCTV cameras. These principles are:
a. The recording/processing must be lawful, fair, and transparent: The processing of footage from the CCTV must be done for a lawful purpose. The cameras must be placed in public places and there must be notorious signboards/notices warning everyone that CCTV cameras are in operation. Failure to place conspicuous notices warning individuals about the presence of CCTV cameras on the premises makes the recording by the cameras unlawful. CCTV cameras cannot be located in places where persons have an expectation of privacy, e.g. toilets and changing rooms. Any recording activity done in a toilet is intrusive and illegal.
b. It must be used for specific and legitimate purposes: The organization must use the CCTV cameras and the footage for only the legitimate purpose it has identified in its CCTV Policy. It cannot use the cameras or the recording for any other purpose. For example, if the organization installed the cameras for security purposes, it cannot use or sell the video footage to data/marketing companies to analyse the behavior of persons captured by the camera in order to send them targeted advertising.
c. The recording/processing must be adequate and necessary: the information captured by the CCTV must be necessary and not excessive for its purpose. A CCTV system installed for security purposes in a store should not be able to see through the clothes of customers. The cameras at the gate/car park should not attempt to view the neighbors’ compound.
d. The footage must be accurate: The footage from CCTV cameras must not be manipulated or tampered through the use of Photoshop tools.
e. The footage must be kept for only as long as necessary: The business cannot hold on to the footage in infinity. The footage can only be stored for as long as is required under the law and must thereafter be deleted.
f. It must be processed and stored in a secure manner: The footage from the CCTV must be secured from leakage. There should be no unauthorized or indiscriminate sharing of CCTV footage on social media as this amounts to a breach that can attract imposition of fines on the business management.
Who Can View CCTV Footages?
The live and recorded footage captured by the CCTV cameras can only be viewed by authorized personnel who are named in the CCTV Policy. The Policy also details the procedure to be followed when law enforcement agencies request for the footage.
Anybody who has been caught on camera has the right to see the footage, in which they are identifiable. They can request this by submitting a “Subject Access Request” to the organization. The images of the other persons captured by the camera must be blurred before such a request is granted.
Failure to comply with these provisions of the NDPR will result in the imposition of fines on the business establishment by the National Information Technology Development Agency (NITDA).