Outcomes - Selected Case Summaries



Use of a Sign-in Book and CCTV Cameras

Informal Resolution | 20 November 2020

A complainant queried how the Public Library processed his personal data gathered in a sign-in book and the use of CCTV cameras by the data controller during its operations.

The sign-in book contained the names of all individuals that entered the library building, along with their sign-in and sign-out data and their reasons for entering the building. The complainant indicated that persons who use the book could see all of the personal data recorded in it, including third-party data. The complainant also pointed out that the data controller used CCTV cameras that were not accompanied by a proper privacy notice.

In relation to the sign-in book, the data controller relied on the “legitimate interests” legal basis, arguing that its data processing was necessary for health and safety reasons. In the event of an emergency, such as a fire, the data controller would need to be able to account for all visitors and the sign-in book fulfilled this purpose. The data controller indicated that the same legal basis applied to the CCTV cameras, reasoning that this data processing was necessary for crime prevention in the building.

Our investigation noted issues relating to the first (fair processing) and seventh (security) data protection principles, and the data controller agreed to take a number of steps to ensure compliance with the DPL, including the erection of signs to warn individuals that they were being filmed, the initiation of a specialized sign-in book, the development of policies relating to data processed by the data controller and the creation of a publicly available privacy notice.