August 24, 2020

In today’s world, Closed-Circuit Television (CCTV) systems have become almost ubiquitous, whether for security in our neighborhoods, monitoring activities in workplaces, or ensuring safety in public spaces. While these systems serve critical functions, it’s essential to remember that they also collect personal data. This is where the National Privacy Commission (NPC) Circular No. 02, Series of 2014, comes into play. NPC Circular No. 02 sets out the guidelines for using CCTV systems in the Philippines, ensuring that the collection and use of personal data through these systems comply with the Data Privacy Act of 2012. If you’re an individual, business owner, or organization using CCTV systems, understanding your responsibilities under this circular is crucial. Let’s break down the key points in simple terms, making sure you’re in the loop on what you need to know and do. What Is NPC Circular No. 02? The NPC Circular No. 02, issued in 2014, is a set of guidelines created by the National Privacy Commission of the Philippines. It focuses on how entities that use CCTV systems should handle the personal data they collect. This circular aligns with the Data Privacy Act of 2012, ensuring that individuals’ privacy rights are protected while allowing organizations to use CCTV systems for legitimate purposes. Who Is Covered by NPC Circular No. 02? NPC Circular No. 02 applies to all public and private entities in the Philippines that use CCTV systems for the purpose of collecting, storing, or processing personal data. This includes: Businesses: Shops, offices, malls, and other commercial establishments that use CCTV to monitor premises. Government Agencies: Public institutions and offices that deploy CCTV for security and monitoring. Schools and Universities: Educational institutions that use CCTV to ensure the safety and security of students, staff, and faculty. Residential Buildings and Homeowners Associations: Gated communities, condominiums, and residential buildings that use CCTV to monitor common areas and enhance security. Transport Hubs: Airports, bus terminals, and train stations where CCTV is used to monitor activities and ensure the safety of travelers. Essentially, if your organization uses CCTV systems that capture personal data, you are covered by this circular and must comply with its guidelines. Who Is Not Covered or the Exceptions? While NPC Circular No. 02 has a broad application, there are specific instances and entities where it might not apply. The key exceptions include: Individuals Using CCTV for Personal or Household Purposes: If you’re using a CCTV system solely within your home or property and not for any business or public purpose, NPC Circular No. 02 does not apply. However, if the CCTV captures footage beyond your property (like a public street), the data captured may be subject to privacy regulations. Journalistic, Artistic, or Literary Purposes: CCTV footage collected for these specific purposes may be exempted, particularly when used in the context of freedom of expression. Law Enforcement Agencies: While generally covered, certain activities by law enforcement agencies might have different protocols and exemptions under other laws. However, they are still expected to balance security needs with privacy rights. Temporary CCTV Installations for Events: CCTVs set up for specific short-term events (e.g., festivals, parades) might not be fully covered if they are dismantled immediately after the event and do not store data long-term. However, event organizers should still practice transparency and notify participants. Why Should You Care About This Circular? CCTV cameras capture more than just footage—they collect personal data. For instance, if a CCTV system captures someone’s face, that’s personal data. The Data Privacy Act is all about ensuring that personal data is collected, processed, and stored responsibly. Failing to comply with these rules can lead to hefty fines, legal issues, and damage to your reputation. By understanding and following NPC Circular No. 02, you can avoid these pitfalls and contribute to a culture of privacy and respect. Breaking Down NPC Circular No. 02: What You Need to Know Here’s a simplified breakdown of the critical elements of the circular: 1. Purpose Specification The first rule is simple: Know why you’re using CCTV. Whether it’s for security, monitoring employee activity, or something else, the purpose must be clear and legitimate. You can’t just install cameras and record footage without knowing the “why.” This purpose should be documented and communicated, especially to those whose data you’ll be collecting. 2. Proportionality The circular emphasizes proportionality, meaning the use of CCTV must match the need. If you have a small office, you don’t need 20 cameras watching every corner. The idea is not to over-collect data—just gather what you need to meet your purpose. 3. Transparency Transparency is all about letting people know that they’re being recorded and why. This can be as simple as putting up signs where your cameras are located, explaining the purpose of the surveillance. For example, a sign saying, “This area is under CCTV surveillance for security purposes” is both informative and compliant. 4. Rights of Data Subjects People have rights when it comes to their data, and CCTV footage is no exception. If someone requests to see footage of themselves, you need to have a process in place to provide that. They can also ask for corrections if the data is inaccurate or have it deleted if it was obtained unlawfully. 5. Data Security You must ensure that the footage you collect is secure. This means protecting it from unauthorized access, whether from hackers or even someone inside your organization. Implement strong security measures, such as encrypted storage and access controls, to safeguard the data. 6. Retention and Disposal CCTV footage shouldn’t be kept forever. The circular mandates that data be retained only as long as necessary to fulfill its intended purpose. Once that purpose is met, the footage should be securely deleted. For example, if you’re using CCTV for daily security, you might keep the footage for a month before it’s automatically deleted. 7. Appointing a Data Protection Officer (DPO) If your organization uses CCTV, you’re required to appoint a Data Protection Officer (DPO). This person ensures that your CCTV operations comply with the Data Privacy Act and the guidelines of NPC