CCTV and fingerprints v/s Privacy rights in Mauritius
November-2024
Content
1) Introduction
The Data Protection Office (DPO) in Mauritius oversees compliance with laws related to data and privacy. Since the Data Protection Act 2017 came into effect on 15 January 2018, privacy rights have been strengthened, particularly regarding processing personal data by technological means. Processing refers to capturing, recording, sharing, or storing any information that identifies you as an individual.
Fortunately nowadays, there is more public awareness on privacy rights. It is important to speak-up if your privacy is violated, especially when consent has not been given. The DPO investigates complaints and audits organizations responsible for processing personal data. These organizations include 'Controllers' who decide how or what data is processed, and 'Processors' who process data on behalf of Controllers. The DPO website offers real-life examples of complaints and their outcomes. Refer to https://dataprotection.govmu.org/
When reviewing those complaints, two main topics frequently arise: (a) use of CCTV cameras and (b) use of fingerprints for Time Attendance at work. Note, we have in addition given consideration to the use of CCTV cameras in public or commercial spaces. Let’s take a closer look at each situation and the steps you can take to minimize and eliminate privacy infringements.
2) CCTV surveillance at residential properties
When installing CCTV at your home, it is important to place clear signage notifying the public that your property is under surveillance. This not only deters potential intruders but also ensures transparency. Signs should be visible at all entry points to your premises.
Most importantly, it is crucial to ensure your cameras only record your property and not beyond your boundary walls. Recording neighbouring homes, windows, yards, entrances, or public roads is a violation of privacy. While it may be acceptable to record unoccupied and adjacent land, you should notify your neighbors in advance, especially if part of the footage needs to be blacked out to protect their privacy.
Meanwhile audio recording is particularly a sensitive privacy subject and thus should be disabled if the cameras are placed near a neighbour’s property.
Here is our top tip if you consider to install CCTV cameras: to avoid complications, it would be a smarter choice to hire a professional installer who can define the type of cameras required and position them accurately so they only capture footage within your boundaries. The right set-up can prevent discussions or arguments if your neighbors raise privacy concerns. You will easily be able demonstrate (e.g. via a mobile app) that your cameras are not invading your neighbour’s private space. Let us know if we can help you with this!
Other solutions in case you have blind spots:
You could consider to add an electrical fence over your border walls. It is an effective means of deterring potential intruders
You could also consider to place outdoors motion sensors (in combination with CCTV system) and sirens, which sends you warnings or alerts should an intruder be detected
3) CCTV surveillance at public, commercial or office spaces
As an extension to the above, when using CCTV in public or commercial spaces, it is essential to inform the public with clear signs that cameras are in use and their purpose. If you are a data subject, you are able to request access to the data that is recorded of you. If you are an employer and recording your employees, their consent is mandatory.
How to ensure compliance to privacy laws:
Obtain proof of consent: ensure all employees have been informed along with their rights, and they have given clear consent in writing to be recorded. If you are not able to offer an alternative solution, you can always discuss and agree on a data retention policy
Clear purpose: you should always state the purpose of the use of CCTV cameras (e.g. for the security of the premises) and not deviate from this purpose during operations, such as profiling data subjects based on race, location, etc
Set a data retention policy: define a clear period for storing footage (e.g. three months) and inform your employees of the same. Permanently deleting unneeded footage not only safeguards privacy, but also frees up storage space on your CCTV system
Carry out a Data Protection Impact Assessments (DPIA) when necessary
4) Fingerprints for time attendance
Fingerprint recognition systems for Time Attendance are gaining popularity both in public and private sectors. Since replicating fingerprints is difficult, these systems are seen as an efficient way to monitor who is present at the workplace and for how long. However, recording fingerprints or other biometric data is highly controversial. Under the Data Protection Act 2017, employers are required to offer alternative methods for employees, in this case, to register their attendance. And surely, reverting to a paper-based system is not ideal due to the inefficiency.
Here are some alternative options to consider (some less invasive than others) for tracking time attendance:
- RFID tags, badges, or cards
- QR codes
- PIN codes or passwords
- Video surveillance at entrances
- Voice and/or face recognition
While some of the above methods may also impact privacy, it is important that any system with privacy implications is fully justified before being implemented. Note that many other countries have rejected fingerprinting for time attendance due to privacy concerns. To assess whether a biometric system is appropriate and justified, the DPO typically applies a four-part test based on international standards, asking:
1. Is the measure necessary to meet a specific need?
2. Is it effective in addressing that need?
3. Is the loss of privacy proportionate to the benefit?
4. Is there a less invasive way to achieve the same result?
Through these questions, we can also guide you to set-up the right system for your business or property. Even if fingerprinting is seen as a cost-effective and convenient solution to employers, the employees should not be forced into using them or penalized for refusing. This highlights the risk of sacrificing privacy for technological convenience without fully considering the consequences.
5) Conclusion
While technology continues to enhance our lives, its misuse can compromise privacy. Technology should be used responsibly, and not abused for one’s own benefit. If misuse or abuse occurs, the matter will be referred to the Office of the Director of Public Prosecution who will decide if the offence has to be tried in court. Whether you are the system owner or data subject, we hope this article have given you valuable insights on balancing technology's purpose with privacy rights in Mauritius.