NPC issues Circular on CCTV Systems
The National Privacy Commission (NPC) issued NPC Circular No. 2024-02, which provides an updated policy framework for the use of Closed-Circuit Television (CCTV) systems by personal information controllers (PICs) and personal information processors (PIPs). The Circular, which was published today, 12 August 2024, shall take effect after fifteen days following the completion of publication or on 27 August 2024, outlines the responsibilities and obligations of entities using CCTV systems to ensure compliance with the Data Privacy Act of 2012 (DPA).
The Circular applies to CCTV systems used by PICs and PIPs that process personal data. Excluded from the scope of the Circular are those CCTV systems used for purely personal, family, or household affairs, and lawful surveillance.
Privacy Commissioner Atty. John Henry D. Naga emphasized the importance of these guidelines in balancing security needs with privacy obligations, “As technology advances, so too must our policies. This Circular ensures that the use of CCTV systems is both responsible and respectful of data subject rights. It is essential that PICs and PIPs using CCTV systems understand their obligations under the DPA and implement appropriate safeguards to protect personal data."
Privacy Commissioner Atty. John Henry D. Naga emphasized the importance of these guidelines in balancing security needs with privacy obligations, “As technology advances, so too must our policies. This Circular ensures that the use of CCTV systems is both responsible and respectful of data subject rights. It is essential that PICs and PIPs using CCTV systems understand their obligations under the DPA and implement appropriate safeguards to protect personal data."
One of the key provisions of the Circular is the requirement for PICs to prominently display CCTV notices in surveillance areas. These notices must clearly indicate the nature, scope, and extent of surveillance, the purpose of the CCTV system, its capabilities, and other relevant details.
Section 5 of the Circular outlines reasonable and appropriate security measures that organizations must implement to protect personal data processed through CCTV systems. These include establishing policies that govern the operation and deployment of CCTV systems, as well as procedures for handling access requests, managing personal data breaches, and ensuring regular audits of security practices.
Individuals whose personal data are recorded by CCTV systems has a right to reasonable access to footage in which they appear, subject to the DPA, its IRR, relevant issuances of the NPC, and other existing laws and regulations. The Circular requires PICs and PIPs to have procedures in place to respond to such requests efficiently. Additionally, CCTV footage may be disclosed for purposes such as law enforcement, criminal investigations, court orders, and administrative inquiries, in accordance with the provisions of the Circular.
For more information, access the Circular here.
###