Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Bermuda: PrivCom publishes statement on privacy considerations for use of CCTV

The Bermuda Office of the Privacy Commissioner ('PrivCom') published, on 20 March 2023, a statement on CCTV privacy risks and best practices. In particular, PrivCom stated that its note aims to examine the privacy issues surrounding the use of CCTV, with examples of how issues have been addressed in different regions, such as the EU, UK, and US, as well as examples of how the Personal Information Protection Act 2016 ('PIPA') applies to the use of personal information in connection with CCTV. More specifically, PrivCom provided a summary of the approach taken by the EU, UK, and US, respectively, towards the use of CCTV, noting that examinations of the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') are of use due to its substantial similarity with the PIPA.

Furthermore, PrivCom highlighted that since CCTV systems use personal information, organisations must ensure that they have implemented a privacy programme with suitable measures and policies to give effect to its obligations under PIPA, and specified the following special considerations for the use of CCTV:

  • Right of information under Section 9 of PIPA: organisations must provide individuals with a clear and accessible statement about its practices, taking all reasonably practicable steps to ensure it is provided before or at the time of collection of personal information, which can be difficult in certain circumstances, such as if the camera is covering a wide public area, and as such must be considered carefully to ensure true notice is provided. Individuals affected by video-surveillance must be informed about key details, such as the existence of the monitoring, its purpose, and the length of time for which the footage is to be kept and by whom.
  • Data quality: cameras should be used thoughtfully, with an identified and quantifiable purpose to be accomplished. For example, cameras should only target specifically identified security problems, thus minimising the gathering of irrelevant footage (data minimisation). A security camera that covers a rear garden need not also capture the neighbours' house or even the public street. This careful use not only reduces intrusions into privacy, but also helps to ensure a more targeted and more efficient use of video-surveillance.
  • Retention period: although the installation of cameras might be justified for security purposes, the timely and automatic deletion of footage is essential to reduce privacy-related risks.
  • If information meets the definition of sensitive personal information under Section 7 of PIPA, the organisation must consider what special risks may be present, and the fact that the conditions of use under Section 6 of PIPA are more limited.

You can read the statement here