What does the IKEA CCTV story tell us?
Only set up video surveillance if underpinned by data protection by design and default
What happened?
Following an internal investigation, IKEA was forced to apologise for placing CCTV cameras in the ceiling voids above the staff bathroom facilities in their Peterborough depot. The cameras were discovered and removed in September 2021, but the investigation has only just concluded in late March 2022.
An IKEA spokesman said:
“Whilst the intention at the time was to ensure the health and safety of co-workers, we understand the fact that colleagues were filmed unknowingly in these circumstances will have caused real concern, and for this we are sincerely sorry.”
The cameras were installed following “serious concerns about the use of drugs onsite, which, owing to the nature of work carried out at the site, could have very serious consequences for the safety of our co-workers”.
They had been sanctioned following “multiple attempts to address serious concerns about drug use, and the use of false urine samples as a way of disguising it”.
“The cameras placed within the voids were positioned only to record irregular activity in the ceiling voids,” he said.
“They were not intended to, and did not, record footage in the toilet cubicles themselves. However, as a result of ceiling tiles becoming dislodged, two cameras inadvertently recorded footage of the communal areas of two bathrooms for a period of time in 2017. The footage was not viewed at the time and was only recovered as part of these investigations.”
Apology and new ICO guidance
The key question raised by this incident is where to draw the line. When is it inappropriate to set up CCTV? In this instance, the company had concerns about drug misuse – but was that a good enough reason? I think a lot of us intuitively felt the answer was no.
This apology conveniently coincides with the recent publication of some new guidance on video surveillance from ICO regarding UK GDPR and Data Protection Act 2018.
This guidance is not based on any changes in the legislation – more an update to provide greater clarity about what you should be considering.
Video surveillance definition
The ICO guidance includes all the following in a commercial setting:
- Traditional CCTV
- ANPR (automatic number plate recognition)
- Body Worn Video (BWV)
- Facial Recognition Technology (FRT)
- Drones
- Commercially available technologies such as smart doorbells and dashcams (not domestic settings)
Guidance for domestic use is slightly different.
Before setting up your video surveillance activity
As part of the system setup, it’s important to create a record of the activities taking place. This should be included in the company RoPA (Record of Processing Activities).
As part of this exercise, one needs to identify:
- the purpose of the lawful use of surveillance
- the appropriate lawful basis for processing
- the necessary and proportionate justification for any processing
- identification of any data-sharing agreements
- the retention periods for any personal data
As with any activity relating to the processing of personal data, the organisation should take a data protection by design and default approach when setting up the surveillance system.
Before installing anything, you should also carry out a DPIA (Data Protection Impact Assessment) for any processing that’s likely to result in a high risk for individuals. This includes:
- Processing special category data
- Monitoring publicly accessible places on a large scale
- Monitoring individuals at a workplace
A DPIA means you can identify any key risks as well as potential mitigation for managing these. You should assess whether the surveillance is appropriate in the circumstances.
In an employee context it’s important to consult with the workforce, consider their reasonable expectations and the potential impact on their rights and freedoms. One could speculate that IKEA may not have gone through that exercise.
Introducing video surveillance
Once the risk assessment and RoPA are completed, other areas of consideration include:
- Surveillance material should be securely stored – need to prevent unauthorised access
- Any data which can be transmitted wirelessly or over the internet requires encryption to prevent interceptions
- How easily data can be exported to fulfil DSARs
- Ensuring adequate signage is in place to define the scope of what’s captured and used.
Additional considerations for Body Worn Video
- It’s more intrusive than CCTV so the privacy concerns are greater
- Whether the data is stored centrally or on individual devices
- What user access controls are required
- Establishing device usage logs
- Whether you want to have the continuous or intermittent recording
- Whether audio and video should be treated as two separate feeds
In any instance where video surveillance is in use, it’s paramount individuals are aware of the activity and understand how that data is being used.
Julia is an experienced data protection consultant and has been advising businesses since 2016. She regularly delivers GDPR training as well as developing bespoke GDPR guidance for our clients.