The National Privacy Commission (NPC) issued Circular No. 2024-02 on Closed-Circuit Television (CCTV) Systems to provide an updated policy framework on the use of CCTV.
The Circular applies to all Personal Information Controllers (PICs) and Personal Information Processors (PIPs) engaged in the processing of personal data through CCTV systems, except when CCTV systems are used for any of the following purposes: (a) personal, family, or household affairs, and (b) lawful surveillance.
PICs and PIPs engaged in the processing of personal data through CCTV systems are mandated to ensure that reasonable and appropriate safeguards are in place for the protection of personal data, taking into account the rights of the data subject, and shall adhere to the following principles:
A. Transparency. PICs shall provide appropriate CCTV notices to inform data subjects of the existence and purpose of CCTV systems in operation. Given that CCTV notices are a specific kind of privacy notice, the requirements for privacy notices as stated in NPC Circular No. 2023-04 or the Guidelines on Consent shall apply. In addition, PICs shall ensure that CCTV notices adhere to the following:
1. Information about the use of CCTV systems shall be made available to the data subjects in the most appropriate format and in clear, plain, and concise language.
2. These CCTV notices shall be readily visible and prominently displayed within the appropriate premises, such as but not limited to, points of entry or other conspicuous areas.
3. The nature, scope, and extent of surveillance, purpose, capabilities of the CCTV systems, and other necessary information shall be provided to the data subjects in accordance with their right to be informed under the DPA.
B. Legitimate purpose. PICs shall ensure that the purpose of processing is not contrary to law, morals, or public policy, and that such purpose is clearly determined, specified, and declared to the data subject prior to the use of the CCTV systems.
C. Proportionality and Data Minimization. PICs shall ensure that the use of CCTV systems remains necessary and proportional to the specified and declared legitimate purpose.
PICs and its PIPs shall regularly review its use of CCTV systems to determine if the purpose of the processing could not reasonably be fulfilled by any other less intrusive means, and if the personal data processed is limited to that which is adequate, relevant, suitable, necessary, and not excessive in relation to the purpose.
D. Fairness and Lawfulness. The processing of personal data using CCTV systems shall be neither manipulative, oppressive, nor discriminatory. PICs shall ensure that the means and method of the processing shall be in accordance with law, morals, public policy, and good customs.
E. Accountability. PICs shall be responsible for personal data processed using CCTV systems and shall use contractual or other reasonable means to ensure proper safeguards are in place when the processing is subcontracted to PIPs. PICs shall demonstrate compliance by adhering to the general principles of privacy, implementing safeguards, keeping appropriate records, upholding data subject rights and their other obligations under the DPA, IRR, and relevant issuances of the NPC.
PICs shall identify the most appropriate lawful basis for processing under the DPA and the same should be provided when required by the Commission.
PICs and its PIPs shall implement reasonable and appropriate security measures, including privacy by design principles, to protect personal data processed against accidental, unlawful, or unauthorized use, to minimize privacy intrusion, and to comply with the requirements under the DPA, its IRR, and relevant issuances of the NPC.
Any person whose personal data is recorded on CCTV systems has a right to reasonable access to the same pursuant to Section 16 of the DPA and Section 34 of the IRR.
PICs and PIPs are mandated to establish policies allowing for access by data subjects or their representatives, and third-parties of personal data recorded on the CCTV Systems.
We are committed to YOUR cause. To ensure your organization’s adherence and safeguard against potential risks you can contact the firm at info@narplaw.com