The National Privacy Commission recently updated its guidelines on the use of CCTVs. NPC Circular No. 2024-02 was published on August 12 and will take effect 15 days after. Here are some of the things you need to know about the circular:
Coverage
The circular applies to all Personal Information Controllers (PICs) and Personal Information Processors (PIPs) engaged in the processing of personal data through CCTV systems. It does not apply to:
- Individuals who use CCTVs for purely personal, family, or household affairs (but if the CCTV captures images beyond the boundaries of the private and noncommercial space, the use is no longer considered to be for purely personal, family, or household use); or
- Law enforcement, intelligence and investigative agencies, and other government agencies conducting lawful surveillance.
General principles to remember
PICs and PIPs must follow these data privacy principles:
- Transparency. The public must be informed, in clear and plain language, of the nature, scope, and extent of surveillance, and of the purpose of the use of the CCTV. The notice must be readily visible and prominently displayed within the establishment.
- Legitimate purpose. The purpose for the CCTV must be lawful and not contrary to morals or public policy. Since consent may not be the most appropriate basis for processing, PICs must determine other lawful bases as provided in the Data Privacy Act.
- Proportionality and Data Minimization. The use of CCTV must be necessary and proportional to the specified and declared purpose. If there are other less privacy-intrusive means of achieving the purpose, then those means must be used instead of CCTVs.
- Fairness and lawfulness. Processing of personal data using CCTV must not be manipulative, oppressive or discriminatory.
- PICs are responsible for the personal data gathered using CCTVs. They must adopt reasonable and appropriate security measures to prevent accidental, unlawful, or unauthorized use or disclosure.
PICs and PIPs should also adopt policies that will govern the operation of CCTVs, and these policies must be regularly reviewed.
In deploying CCTVs, care must be taken to ensure that they monitor only the intended spaces. The use of CCTVs in areas where there is a heightened expectation of privacy (such as in fitting rooms, toilets, etc.) is strictly prohibited.
Retention period
The circular does not mandate a specific period for retaining personal data captured by CCTVs. This is left to the PICs. However, the period must not be more than what is required to fulfill the legitimate purpose.
Access request
There must be a process established to allow Data Subjects, their representatives, or third parties to request access to data captured by the CCTVs. The process must be simple, but must ensure that safeguards are still in place to prevent unauthorized disclosures. Thus, the process must include verification of identity or proper authority, an inquiry into the purpose of the request, and sufficient details on the requested footage (e.g., date, approximate time, and location).
For third-party requests, PICs and PIPs must decide on the merits of each request based on the Data Privacy Act, its IRR, and other existing laws and regulations.
Procedure when providing access
If it’s a request to view, the footage must be viewed in an authorized and secure area. Only the requesting party and the authorized personnel of the PICs or PIPs will be allowed to view the footage. Other security measures must also be implemented, such as the signing of nondisclosure agreements or a prohibition on capturing the footage with mobile phones.
If it’s a request to obtain a copy of the CCTV footage, PICs and PIPs must ensure that copying is made in a secure manner that maintains the integrity of the footage and associated metadata. If there is technical difficulty in providing a copy, still images may be provided. PICs and PIPs may charge the requesting party a reasonable fee to cover the cost of providing a copy.
Denial of access request
An access request may be denied if:
- Information provided by the requester is incomplete. However, the requester must be given a reasonable opportunity to amend the request or complete the information.
- The request is frivolous or vexatious based on the circumstances.
- The purpose for and manner of viewing or obtaining a copy is contrary to law, morals, or public policy.
- The request to obtain a copy is disproportional to the purposes stated by the requesting party.
- The burden or expense of providing access would be unreasonable or would involve disproportionate effort on the part of the PIC or PIP.
- The footage has already been deleted (pursuant to the retention policy) at the time the request was received.
- Disclosure could put an ongoing criminal investigation at risk as determined in writing by the appropriate public authority.
For more information, please read the full text of the circular. It is available on the NPC’s website.