By: Atty. Edsel F. Tupaz & Atty. Luis Teodoro B. Pascua
Summary
NPC Circular No. 2024-02 updates guidelines on CCTV systems, emphasizing transparency, legitimate purpose, proportionality, accountability, and security measures. It requires PICs and PIPs to conduct regular privacy assessments, establish clear policies on footage retention, access requests, and data breach handling. The Circular excludes personal, family, or household CCTV systems unless they capture images beyond private residences. It mandates scrutiny of footage requests, especially from law enforcement and media, to protect privacy rights while balancing surveillance needs.
The National Privacy Commission (NPC) issued NPC Circular No. 2024-02, entitled Closed-Circuit Television (CCTV) Systems (the Circular), on August 9, 2024. It notes the previously issued NPC Advisory No. 2020-04, entitled Guidelines on the Use of Closed-Circuit Television (CCTV) Systems, and recognizes the need to provide an updated policy in relation to the use of CCTV systems due to the continuously evolving nature of technology concerning CCTV systems. Thus, the NPC has provided guidelines to assist all personal information controllers (PICs) and personal information processors (PIPs) in navigating the emerging privacy risks arising from the use of CCTV systems.
In this Insight article, Edsel F. Tupaz and Luis Teodoro B. Pascua, from Gorriceta Africa Cauton & Saavedra, highlight salient changes in the NPC’s policy since its NPC Advisory No. 2020-04 and discuss the practical implications arising from notable changes.
Scope
The Circular does not regulate CCTV systems used for personal, family, or household affairs, except when these CCTV systems capture images beyond private and non-commercial residences and lawful surveillance by law enforcement and government agencies.
Owners of family businesses simultaneously using family homes for commercial purposes or other similar PIC/PIPs, should note that CCTV systems being used inside their homes are not necessarily excluded. The following criteria should still be considered:
- dissemination of personal data to an indefinite number of people;
- processing may have an adverse impact on the rights and freedoms of the involved data subjects; or
- processing of personal data about data subjects who have no personal, family, or household relationship with the person engaged in the processing.
Policy
The Circular clarifies the operation of certain policies governing the use of CCTV systems:
- Transparency – It now mandates that the nature, scope, and extent of surveillance, purpose, capabilities of the CCTV systems, and necessary information are readily visible and prominently displayed within the appropriate premises. PICs/PIPs should consider displaying the necessary information at points of entry and other conspicuous areas.
- Legitimate purpose
- Proportionality and data minimization – Owing to the continuously evolving technology concerning CCTV systems, PICs/PIPs are now required to regularly review whether or not the purpose of using CCTV systems can be achieved through other less intrusive means. PICs/PIPs are now required to make recurring reviews of their use of CCTV • systems
- Fairness and lawfulness
- Accountability
PICs/PIPs that wish to install CCTV systems must implement reasonable and appropriate security measures, including applying Privacy by Design principles.
Accountability and compliance start with establishing a policy on the use of CCTV systems. PICs/PIPs must have an updated policy containing the following:
- information on the legitimate purpose;
- information on the lawful basis for processing;
- regular conduct of Privacy Impact Assessments (PIAs) and regular reviews of the use of the CCTV systems; CCTV notice and placement thereof;
- operational details of the CCTV systems, such as, but not limited to, procurement, installation, operation, control, monitoring, maintenance, and incident response and reporting;
- designation of authorized personnel who shall be responsible for handling access requests, monitoring live feeds, and the day-to-day operation of the CCTV systems;
- procedures for:
- requests for access to CCTV footage, whether for viewing or providing a recording or copy thereof;
- handling inquiries and complaints, if any; and managing personal data breaches and security incidents involving the CCTV systems;
- a documented retention policy containing the retention period of CCTV footage and manner of disposal or destruction when the retention period has lapsed;
- security measures to be implemented for the protection of CCTV footage against any accidental, unauthorized, or unlawful processing, including access (e.g., copying or viewing), alteration, destruction, or disclosure, and the conduct of regular evaluation and audit of such security measures;
- and a process for the regular review and assessment of the policy document, audits to determine if the policy is being implemented and complied with, and policy revision and updates.
Operation
In operation, PICs/PIPs are now required to thoroughly consider the location and angles of the cameras to avoid unreasonable intrusions on the data subjects’ privacy. This includes the consideration that the zoom and rotation capabilities of CCTV systems, if any, must not result in the surveillance of private spaces.
Should PICs engage PIPs to process data through CCTV systems, PICs are required to place contractual or other reasonable means to ensure cooperation and assistance. It is therefore advisable to always have contractual agreements that set forth all duties and responsibilities inter se in relation to CCTV.
Requests
Generally, when CCTV footage is requested, PICs/PIPs must evaluate such requests with great scrutiny to prevent violation of the privacy rights of the data subjects concerned. The PICs/PIPs concerned must weigh the needs of the third party in relation to those of the affected data subject.
If requested by law enforcement officers for law enforcement and criminal investigations, PICs (not PIPs) may require a written statement, affirmative declaration, or equivalent to establish the lawfulness of the request. In such cases, PIPs must defer to the decision of the PIC in terms of requests made by law enforcement officers.
The policy for court orders and administrative investigations remains unchanged.
Retention in case of requests
When a request for CCTV footage is made to the PIC in writing, the PIC and its PIPs shall preserve the pertinent CCTV footage by taking it out of the coverage of the established retention period as indicated in the documented retention policy until any of the following occurs:
- the access request is fulfilled;
- the access request is abandoned by the requesting party;
- or in cases where the request is denied and the requesting party files a complaint before the NPC questioning the said denial or the NPC conducts an investigation on the matter, and the NPC affirms the PIC’s denial of the request.
Denial
The grounds for denial of requests for CCTV footage remain mostly the same. However, the Circular provides the ground of disproportionality in light of the purpose stated as an additional ground for denial. In any case, PICs may only deny requests after giving the data subject or third party a reasonable opportunity to amend the request.
In cases of denial, PICs must provide the requesting party with the reason for the denial within five working days from receipt of the request. Further, denial shall not serve as a bar for future requests by the same requesting party.
Conclusion
NPC Circular No. 2024-02, which updated guidelines on the use of CCTV systems, replaced the earlier NPC Advisory No. 2020-04. The Circular provides updated policies to assist PICs and PIPs in addressing privacy risks associated with CCTV usage. It outlines requirements for transparency, legitimate purpose, proportionality, accountability, and security measures, including regular privacy assessments and clear policies on footage retention, access requests, and handling data breaches. The Circular emphasizes privacy protection while balancing surveillance needs, particularly regarding footage requests by law enforcement and media.
Edsel F. Tupaz is a Senior Partner, Head of Data Privacy, Cybersecurity and AI Initiatives Practice Group & Head of Special Projects and Infrastructure Group. Edsel is a Dual-qualified under the Philippine and New York Bars, with over 20 years of expertise across data privacy & protection, technology, cybersecurity, AI, infrastructure, government procurement, corporate law, and banking and financial services. Master of Laws from Harvard Law School, holds economics and law degrees from Ateneo (both with honors), served as Managing Technical Editor of the Harvard Human Rights Journal, and listed under the Experts Directory for Philippine privacy law on OneTrust DataGuidance. Certified Information Privacy Professional – Europe (CIPP/E) and Certified Information Privacy Manager (CIPP) under IAPP. Challenger at the Alan Turing Institute’s Data Challenge – Policy Priorities and AI for Sustainable Development Goals (2023-2024). Awarded “Data Privacy & Protection Lawyer of the Year” at the 2023 Philippine Law Awards and is recognized among the Top 100 Lawyers in the Philippines by Asia Business Law Journal.
Luis Teodoro B. Pascua is a Junior Associate and a member of the Firm’s Litigation, Corporate Services, Data Privacy, Anti-money Laundering/Counter-Terrorist Financing (AML/CTF), and Intellectual Property Departments. As a member of the litigation team, Luis handles civil and criminal cases, as well as disputes related to labor and foreign aid and development. Luis’ practice also covers corporate services, which include assisting in the establishment of businesses in the Philippines, providing legal advice in corporate restructuring, and ensuring compliance with relevant laws and regulations.
This article was originally published on OneTrust Data Guidance. You may find the full article here: https://www.dataguidance.com/opinion/philippines-updated-rules-cctv-systems
