In Nigeria, the use of closed-circuit television also known as CCTV cameras in the workplace is legal but regulated under the Nigerian Data Protection Regulation (NDPR).
CCTV cameras in the workplace serve multiple purposes, including enhancing security, deterring crime, and monitoring employee performance. However, their use is governed by strict regulations to protect employee privacy. Employers must inform employees about surveillance.
Legal Framework
The use of CCTV cameras in Nigerian businesses for surveillance and crime detection is regulated by the Nigerian Data Protection Regulation (NDPR) as it involves processing personal data.
Key provisions of the Nigerian Data Protection Act (NDPA) relevant to workplace CCTV include:
1. Lawful Basis for Processing:
Section 25 provides for the lawful basis for processing personal data, which includes the legitimate interest of the data controller.
Employers must have a legitimate reason for collecting and processing employee data through CCTV cameras. This could include security but must be balanced against employee privacy rights.
2. Transparency:
Section 27 requires data controllers to provide information to data subjects about the processing of their personal data, including the purpose and legal basis.
Organizations must inform data subjects (employees) about the collection and use of their personal data, including video surveillance.
3. Purpose Limitation:
Section 24(1)(b) states that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
CCTV footage can only be used for the specific purposes for which it was collected and communicated to employees.
4. Data Minimization:
Section 24(1)(c) also provides that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Employers should only collect and retain the minimum amount of CCTV footage necessary to achieve their stated purposes.
5. Storage Limitation:
Section 24(1)(e) requires that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
There must be clear policies on how long CCTV footage is retained, ensuring it’s not kept longer than necessary.
6. Data Security:
Section 39(1) requires data controllers and processors to implement appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data.
Strict measures must be in place to protect CCTV footage from unauthorized access, alteration, or disclosure.
Read also: Teacher bags life imprisonment for raping a six-year-old girl
Employee Rights Under the NDPA
According to Section 34, employees have the following rights:
1. Right to Information: Employees must be informed about the presence of CCTV cameras, their purposes, and how the footage will be used.
This is stated in Section 34(1)(a) of the NDPA, which requires data controllers to advise employees on data processing under the Act.
2. Right of Access: Employees can request access to CCTV footage in which they appear.
Section 34(1)(a) of the NDPA grants data subjects the right to obtain confirmation from the data controller on whether their personal data is being processed.
3. Right to Rectification: If CCTV footage is used to make decisions about an employee (e.g., disciplinary actions), the employee has the right to challenge the accuracy of the footage.
This is implied in Section 34(1)(a)(v) which provides the right to request rectification or erasure of personal data.
4. Right to Erasure: In certain circumstances, employees may request the deletion of CCTV footage containing their image.
Section 34(1)(a)(v) of the NDPA grants data subjects the right to request erasure of their personal data.
5. Right to Object: Section 36 mandates that employees can object to the processing of their data if they believe it infringes on their privacy rights, including the use of CCTV for monitoring.
6. Right to Withdrawal of Consent: Section 35 mandates that employees can withdraw consent for their data processing at any time, which includes the use of CCTV footage, reinforcing their control over personal data
Key Responsibilities of a Data Processor
Compliance Monitoring: The Data Processor should ensure that the use of CCTV complies with the data protection principles outlined in Section 24, such as processing personal data fairly, lawfully, and in a transparent manner. This may involve conducting a Data Protection Impact Assessment as per Section 28.
Policy Development: The Data Processor should develop and maintain a CCTV Data Protection Policy that specifies the purpose, legal basis, and retention periods for CCTV footage, in line with Sections 25 (lawful basis for processing) and 39 (security and confidentiality).
Staff Training: The Data Processor should train employees on data protection practices related to CCTV, such as handling access requests from data subjects, as per Section 34 on data subject rights.
Access Control: The Data Processor should restrict access to recorded CCTV footage to authorized personnel only and ensure secure storage of the data, under Section 39 on security and confidentiality.
Penalties for a Data Processor for Non-Compliance with NDPR
Section 49(1) states that a data controller or data processor who fails to comply with orders made under the Act, such as improper data retention, commits an offence and is liable on conviction to a fine or imprisonment for up to one year or both
Offences Against The Use of CCTV in the Workplace
Unlawful Processing of Personal Data:
Section 25 mandates lawful bases for processing personal data, including CCTV footage.
It is an offence under the NDPA to process personal data, including CCTV footage, without a lawful basis. The Act requires data controllers to identify and document an appropriate legal basis for processing, such as consent, contract, legal obligation, vital interest, or public interest.
Failure to Implement Security Measures:
Section 39 requires data controllers to ensure security measures for personal data processed through CCTV.
Data controllers must implement appropriate technical and organizational measures to ensure the security of personal data processed through CCTV systems. Failure to do so is an offence under the Act.
Excessive Data Collection:
Section 24 limits data collection to what is necessary for specified purposes.
The NDPA requires that CCTV data collection be limited to what is necessary for the specified purpose. Collecting excessive personal data through CCTV is considered an offence.
Unauthorized Disclosure or Access:
Section 39 prohibits unauthorized access to CCTV footage.
Unauthorized disclosure or access to CCTV footage containing personal data is prohibited under the Act. Restricted access to CCTV data must be ensured.
Failure to Provide Transparency:
Section 24 mandates clear notices regarding CCTV use.
Data controllers must provide clear and legible notices about the use of CCTV, including the purpose, contact details for inquiries, and the policy guiding the use of CCTV. Failure to do so is an offence.
Improper Data Retention
Section 24(1)(d) states that personal data shall be “retained for no longer than is necessary to achieve the lawful bases for which the personal data was collected or further processed.
CCTV footage must only be retained for the period necessary to fulfil its purpose. Retaining data for an excessive duration is an offence under the NDPA.
Penalties for Non-Compliance with NDPR on CCTV usage in the workplace
The penalties for violations related to data privacy, including the use of CCTV in the workplace, are outlined in Section 48 of the Nigeria Data Protection Act, 2023. This section specifies that a data controller or processor of major importance may face fines up to ten million naira or 2% of their annual gross revenue, along with potential imprisonment for responsible individuals for violations of the Act.
