Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Philippines: NPC issues Circular No. 2024-02 on CCTV Systems

On August 12, 2024, the National Privacy Commission (NPC) published NPC Circular No. 2024-02 on Closed-Circuit Television (CCTV) Systems.

In particular, the Circular aims to ensure the use of CCTV systems by personal information controllers (PICs) and personal information processors (PIPs) in compliance with the Data Privacy Act of 2012. However, the Circular clarifies it does not apply to the use of CCTV in personal, family, or household affairs, or to law enforcement, intelligence, investigative agencies, and other government agencies conducting lawful surveillance.

The Circular identifies that PICs and PIPs must provide appropriate notice to inform data subjects of the use of CCTV, alongside principles for the reasonable and appropriate use of CCTV such as transparency, legitimate purpose, proportionality and data minimization, fairness and lawfulness, and accountability. In addition, PICs and PIPs must identify an appropriate lawful basis other than consent for processing under the Act, adopting an appropriate legal basis when processing sensitive personal information under Section 13 of the Act.

More specifically, the Circular stipulates a series of safeguards for the use of CCTV, including, among others;

  • policies documenting the legal basis of processing, regularly conducting privacy impact assessments, and procedures for data subject access requests (DSARs);
  • parameters on the deployment and operation of CCTV, such as the intended spaces to be monitored, zoom and rotation capabilities, and the use of CCTV where individuals have a heightened expectation of privacy;
  • the quality and integrity of data;
  • secure storage of data through encryption and access controls; and
  • retention schedules that must be clearly documented, and not determined solely on the storage capacity of CCTV systems themselves; and
  • contractual measures to ensure the reasonable processing of personal data by PIPs.

Notably, the Circular details that PICs and PIPs must establish policies for DSARs, including processes for submitting a request and verifying the identity of data subjects. Further, the Circular clarifies the circumstance under which a third party may submit an access request, alongside circumstances for determining whether a request constitutes a third-party access request.

PICs and PIPs must also establish procedures for responding to an access request, with the Circular outlining criteria for responding to requests and the timeframes for both viewing CCTV footage and obtaining a copy of CCTV footage. Requests must be acted upon without undue delay not exceeding five working days from receipt of a request to view CCTV footage, and 15 days where the request involves obtaining a copy of the CCTV footage.

The Circular enters into effect on August 27, 2024. 

You can read the press release here and the Circular here.