- CCTV footage capturing individuals is 'processing' of 'personal data'.
- CCTV footage must not be kept for longer than is necessary
- As a general rule, 7-days is the maximum. Reasonable exceptions may be authorised.
On the 5th October 2018 the Maltese Court of Appeal (Inferior Competence) decided Appeal No 26/2017 in the names of Maltapost PLC Vs Kummissarju Ghall-Informazzjoni u l-Protezzjoni tadData. In so doing, the Court annulled a decision of the Information and Data Protection Appeals Tribunal and confirmed that the Information and Data Protection Commissioner ("IDPC") was right to establish that CCTV footage should, as a general rule, be deleted after 7 days. It also agreed that the IDPC was correct to establish, by way of exception, a 20-day retention period for a high-risk area in view of the special circumstances and the nature of work carried out in that area.
By way of background, in 2015 the IDPC had ordered Maltapost PLC to apply a maximum 7-day retention period for footage recorded in its reception area and surrounding parameters and allowed for a maximum 20-day retention period for "Data-Management-Area". In so doing, whilst the IDPC noted that these were maximum periods, it had also noted that if the footage had to be reviewed to investigate specific incidents, then any extracted footage could be retained for the purpose of that investigation and also to be used as evidence were required, until the investigation is concluded.
Maltapost appealed this decision, claiming that the 7-day and 20-day retention periods were too short when considering the sensitive nature of its operations. In its decision of the 20th April 2017, the Information and Data Protection Appeals Tribunal overturned the decision of the IDPC and stated that the recordings in the Data Management Area could be kept for a maximum 7-year period, whereas the retention period for the remaining areas would be limited to a 2-year period. The Tribunal had based its decision on its interpretation of the European Document on Retention Guide, which is a comparative guide on record management best practice.
To no surprise, the IDPC appealed this controversial decision of the Tribunal, fervently arguing that the retention periods confirmed by the Tribunal are contrary to the spirit of Data Protection laws and the recently introduced GDPR. The IDPC has for years on end insisted on a 7-day CCTV retention period and only allowed for short extensions in exceptional circumstances. This Tribunal decision would be a significant and unprecedented U-turn on the approach to CCTV Footage.
For starters, in its decision the Court of Appeal confirmed that any CCTV footage which records persons' movement is "processing" of "personal data" – and in terms of the Data Protection Act, such personal data must "not be kept for a period longer than is necessary".
Next, in its assessment of the Tribunal's reasoning the Court noted that the Tribunal's position was incongruous, in that it ignored evidence of the fact that Maltapost itself had, in practice, already applied a shorter retention period (this being 60-days, or longer if there was an investigation justifying a longer period). The Tribunal should not have ignored the fact that Maltapost itself recognised the need for short retention periods.
Finally, the Court of Appeal assessed the reference to the European Document on Retention Guide and found that the Tribunal was too selective in its interpretation. It noted that the Tribunal referred to foreign comparatives which had nothing to do with CCTV footage, such as a 7-year retention period in Ireland for pension-related data. Conversely, the Tribunal ignored references in the Guide which deal specifically with the subject of retention periods for CCTV footage, which include periods of 24-hours, 3-days, 7-days and 4 weeks. The Court commented that these periods are more reflective of the IDPC's original position and in so doing quoted the Guide as follows:
"If an Institution opts for recording, it must specify the period of time for which the recordings will be retained. After the lapse of this period the recordings must be erased. If possible, the process of erasure should be automated, for example by automatically and periodically overwriting the media on a first-in, first-out basis. Once the media is no longer useable (after many cycles of use) it must be safely disposed of in such a manner that the remaining data on it would be permanently and irreversibly deleted (e.g. via shredding or other equivalent means).
If the purpose of the video-surveillance is security and access control, and a security incident occurs and it is determined that the recordings are necessary to further investigate the incident or use the recordings as evidence, the relevant footage may be retained beyond the normal retention periods for as long as it is necessary for these purposes. Thereafter, however, they must be also erased.
7.1.2 Retention period for typical security purposes: one week. When cameras are installed for purposes of security and access control, one week should in most cases be more than sufficient for security personnel to make an informed decision whether to retain any footage for longer in order to further investigate a security incident or use it as evidence. Indeed, these decisions can usually be made in a matter of hours. Therefore, Institutions should establish a retention period not exceeding seven calendar days. In most cases a shorter period should suffice"
Based on the above, the Court of Appeal concluded that the IDPC's original position fell in line with this Guide and compared neatly with retention periods established in other jurisdictions – and for that reason annulled the Tribunal's decision and re-affirmed that of the IDPC.
This judgement is based on an interpretation of the previous (now repealed) Data Protection Act (Chapter 440, Laws of Malta) which has now been replaced by the EU 2016/679 General Data Protection Regulation ("GDPR") and the new Chapter 586, Laws of Malta. This notwithstanding, the judgement remains of utmost relevance since the GDPR not only reaffirms the same principles relating to retention periods but is more taxing on data controllers in that respect.
Aside from the issue of potential fines (lest we forget!), with GDPR, organisations must not only stop processing personal data if it is no longer necessary for the purpose for which it was originally processed, but they must, even before the processing commences, establish and publish retention periodsfor that personal data. Where this is not possible, organisations must publish the criteria which they will apply when determining such periods.
This ties in with two key GDPR principles of transparency and accountability. Organisations must be able to demonstrate their efforts towards GDPR compliance and the setting of objectively reasonable retention periods is one of the top priorities. This judgement reminds us all that retention periods must be sensible and not established a "just-in-case" approach. As a general rule, CCTV footage must be deleted or over-written within 7 days. If your organisation feels the need for a longer period, then this must be assessed with caution and restraint, possibly on the strength of a GDPR Data Protection Impact Assessment.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.