Usage of CCTV Systems in Compliance with the Data Protection Law in Kenya

Usage of CCTV Systems in Compliance with the Data Protection Law in Kenya

In Data Protection

By Victor Orandi

A closed-circuit television (CCTV) is required in many businesses to ensure the safety of employees, visitors, and customers and the security of the premises.

However, the use of CCTV cameras necessitates compliance with the Data Protection Act, 2019 (DPA) since such use involves processing personal data. Personal data encompasses all information that can be used to identify a person, including photographs and videos.

Compliance with the various DPA requirements is not optional, and the fines for non-compliance can be severe, so it is critical that your video surveillance solutions are set up with DPA compliance in mind. Below are some of the compliance measures that your company can implement;

What are the fundamental DPA CCTV compliance requirements?

To ensure that your video surveillance meets the basic requirements for DPA compliance;

  1. Ensure transparency in CCTV footage.
  2. Minimize data collection.
  3. Ensure data security.
  4. Conduct data protection impact assessments.
  5. Comply with the data subjects’ rights.

Transparency in CCTV footage

  1. A company should be open about how, where, and why it uses CCTV.
  • Transparency is at the heart of the DPA. Therefore, you must notify individuals (data subjects) that you are collecting their personal data, including CCTV images. You must display signs indicating that CCTV is in use.
  • Along with your CCTV signage, including the identity of the company (as the data controller), contact information for the data protection officer (if applicable), and the purpose of the processing for which the personal data are intended, e.g, “CCTV surveillance is in place in this area to ensure public safety.” Also, include the legal basis for the processing.
  • In addition, inform the data subjects of their rights, such as the right to request access to or erasure of data subjects’ rights from the company.

    2. Other information can be obtained upon request, either through a QR code, URL or physical documentation from the company’s office, as the sign may be limited to address all of the information the company is required to disclose.

Minimize data collection

  1. Next, consider how to operate your CCTV system while limiting the amount of data collected.
  • According to the DPA, the personal data you collect from people must be “adequate, relevant, and limited to what is necessary” for the purpose you’ve specified.

     2. Data must be restricted to only what is required to achieve this goal. As a result, you should review your data regularly and delete anything you no longer require.

Ensure data security

The company should also limit access to CCTV data to only those who require it. The company’s responsibility is to keep the CCTV data it collects secure and accessible only to management, security and/or those who need access to perform their job duties.

Conducting data protection impact assessments

  1. Before installing your CCTV cameras, a company must conduct a data protection impact assessment (DPIA). This is a requirement for any data processing deemed “high risk” to individual rights, which includes CCTV operation in public spaces. The DPIA should also be reviewed on a regular basis.
  2. If cameras are relocated, or your CCTV system is upgraded or reconfigured, a DPIA should be conducted.

Comply with the data subjects’ rights.

The company should make certain that data subjects’ rights are respected, and any questions or requests raised are addressed in a timely and efficient manner, as required by the DPA.

The penalties for non-compliance

The violations of the DPA can attract fines of up to Kenya Shillings five million (Ksh. 5,000,000) or up to 1% of the company’s annual turnover of the preceding financial year, whichever is lower.

Creating your CCTV policy

A company should consider developing a comprehensive CCTV Data Protection Policy to that meets the DPA requirements. The Policy may address the following issues;

  • Why does your company need CCTV surveillance and how should these systems be used?
  • How the Data Protection Laws, regulations, codes of practice, and standards should be applied to surveillance;
  • What aspects of privacy must be considered before implementing CCTV surveillance?
  • How to process CCTV recordings in accordance with the DPA’s data processing principles;
  • Notification of the CCTV systems and recording on your premises;
  • Third-party CCTV system contractors; and
  • Delegating CCTV roles and responsibilities.

For more information, please contact victor@mmagareadvocates.com or info@mmagareadvocates.com 

Leave a Reply

Your email address will not be published. Required fields are marked *