Before you start, make sure you have a legitimate purpose for using surveillance. It's important to assess whether surveillance is the best way to achieve it.
Identify your purpose
You must be able to identify your purpose for using surveillance – the thing you want to achieve.
You might have more than one purpose.
Your purpose must be legitimate under data protection law. This means it must be reasonable, lawful and appropriate. If you use surveillance for one purpose, you can’t later use the information you collect for a completely different one. So it's important to consider each purpose separately.
Using surveillance involves processing data about people. You must process data in a way that's lawful, fair and transparent.
Carry out an initial assessment
If you conclude your purpose is valid, next consider if surveillance is the best way to achieve it. Think about:
- if there's something else you could do that would intrude less on people's privacy
- if surveillance is the best way to use your resources.
Check the right regulations
There are some regulations we do not enforce ourselves that you will need to consider.
- The General Data Protection Regulation (GDPR): this regulation is about data protection and privacy.
- Human Rights Act 1998: Article 8 sets out people’s right to privacy.
- Regulation of Investigatory Powers Act 2000 (RIPA): this act regulates the way public bodies use covert surveillance.
As well as reading guidance on these regulations, we recommend you get legal advice on how to apply them.
It's important you consider:
- whether the way you plan to use surveillance gives you a 'lawful basis' for processing data under GDPR
- if you're likely to collect sensitive (or 'special category') data – this means you will need to meet extra conditions under GDPR.
Read about special category data on the ICO's website.
Fill in a data protection impact assessment
A data protection impact assessment (DPIA) can be useful for identifying privacy issues. It may also help you find ways to address them.
You must always fill in a DPIA if you're planning surveillance where there's a high risk to people's rights, freedoms and privacy. For example, you'll need a DPIA if you plan to:
- handle genetic or biometric data
- handle other types of special category data on a large scale
- use innovative new technologies
- collect data on a large number of people.
You should review your DPIA regularly and update it if things change.
Find out when and how to complete a DPIA at the Information Commissioner's Office website.
Carry out a needs assessment
You must think about how surveillance will help meet the needs and interests of people who use your service.
This is particularly important if your purpose is to protect them from risks of unsafe care or treatment.
What you should record
Keep a record of:
- your purpose for using surveillance, including how it supports people’s needs
- your initial assessment
- your DPIA, if you’ve completed one
- what alternatives to surveillance you’ve considered.