Updated guidelines on CCTV operation
By: Atty. Rey Christian M. Guintibano on August 22,2024
Last August 12, 2024, the National Privacy Commission (“NPC”) issued Circular No. 2024-02, an updated set of guidelines governing the use of Closed-Circuit Television (“CCTV”) systems. The Circular outlines the proper handling and processing of personal data captured by CCTV cameras in both public and semi-public spaces, to ensure compliance with the Data Privacy Act of 2012 (“DPA”).
Previously, NPC issued Advisory No. 2020-04 which provided basic guidance on CCTV usage. However, with the rise of more advanced surveillance technologies, the new Circular expands on those initial guidelines. It introduces more stringent requirements for transparency, data minimization, and accountability, ensuring that personal information controllers (“PICs”) and personal information processors (“PIPs”) manage personal data responsibly.
Under the Circular, PICs are required to provide CCTV notices, informing individuals of the presence and purpose of surveillance. The notices must be prominently displayed to ensure that the public is aware of the use of CCTV systems. Data subjects must also be informed about the purpose and extent of the surveillance and other necessary information in accordance with their right to be informed under the DPA.
Additionally, the Circular emphasizes that PICs must determine the most appropriate lawful basis other than the consent of the data subject for the processing of their personal data. The purpose of using a CCTV system will vary among different PICs, and consent may not be the most suitable lawful basis for surveillance in public and semi-public spaces.
To protect individuals’ privacy, PICs are required to establish policies that govern CCTV operations, including procedures for handling data breach incidents. PICs and PIPs are also mandated to follow certain parameters in the deployment and operation of CCTVs, such as storing footage securely and retaining footage only for as long as necessary to fulfill the purpose intended in obtaining it.
One of the most significant aspects of the Circular is the provision for data subject requests for access, which states that individuals have the right to reasonable access to CCTV footage containing their personal data. PICs are now required to establish a simple and accessible process for submitting such requests. Upon approval, the data subject or their authorized representative may be allowed a reasonable opportunity to view the requested footage or be given copies of the footage.
The Circular also outlines the procedure for third-party access requests, where PICs must decide on the merits of the request based on the DPA, relevant issuances of the NPC, and other existing laws and regulations. CCTV footage may also be disclosed in connection with law enforcement, court order, administrative investigations, and media requests, subject to certain conditions.
Regarding data requests, PICs/PIPs are mandated to act upon such requests without undue delay. PICs/PIPs are given five working days to act upon the data request from receipt of the request. If it involves CCTV footage, they are given 15 working days. PICs/PIPs may only deny a request after giving the data subject or third party a reasonable opportunity to amend the request and providing the reason for the denial.
If processing is subcontracted to PIPs, the PICs remain responsible for the processing of personal data using CCTV systems. PIPs are required to use contractual or other reasonable means to ensure cooperation and assistance of the PIPs they have engaged.
CCTV systems used solely for personal, family, or household affairs are not covered by the Circular, provided they do not monitor public spaces. Similarly, CCTV usage for lawful surveillance by law enforcement agencies is exempt, though such activities must still comply with other applicable laws and regulations.
With the issuance of this Circular, businesses and institutions are urged to promptly align their CCTV practices with the new guidelines. As surveillance technology advances, strict adherence with these updated regulations is essential to ensure responsible data management and compliance with privacy laws.
Rey Christian M. Guintibano is a Junior Associate of Mata-Perez, Tamayo & Francisco (MTF Counsel). This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. If you have any question or comment regarding this article, you may email the author at info@mtfcounsel.com or visit MTF website at www.mtfcounsel.com