ODPC’s Draft Guidance Note for Private Security
Rarely do we pay attention to the use of our personal data when a security guard at a building reception asks for our identification and issues a visitor’s badge. The same occurs when we register and provide personal information to access premises.
This practice is grounded in the Private Security Regulation Act, which provides the legal basis for such data collection. The Act requires security guards at the entrance of any premises to request identification, record a person’s time of entry and exit, and temporarily retain the identification document. It further requires that the document be returned upon exit, used only for identification purposes, and kept in safe custody until it is returned to its owner.
These provisions constitute the only explicit safeguards for personal data collected by private security companies under the Act. In contrast, the Data Protection Act mandates the Office of the Data Protection Commissioner (ODPC) to oversee the processing of personal data and ensure compliance with established data protection principles. These principles include protecting the right to privacy, collecting data for explicit, specified, and legitimate purposes, and preventing further processing that is incompatible with those purposes.
To address gaps in practice, the ODPC recently released a Draft Guidance Note for Private Security (“the Note”). The Note provides guidance to private security companies on how to process personal data lawfully and embed data protection principles into their operations. It highlights key concerns, including the sharing of personal data with third parties, lack of transparency in data use, and inadequate safeguards that heighten vulnerability to cyberattacks.
Compliance with Data Protection Principles
The guidelines set out in the Note are anchored in the principles of the Data Protection Act. Private security companies are required to ensure that personal data is processed lawfully, that data subjects are informed of the purpose of collection (and, where consent is the basis relied on, that they consent to it), and that only the data needed for that purpose is collected. This promotes compliance with the principles of lawful processing, transparency, and data minimisation. Any further processing must remain compatible with the original purpose for which the data was collected.
To ensure data accuracy, the Note permits security providers to request identification documents solely for verifying identity and correcting any errors that may arise during registration.
Seldom do we consider what happens to the many filled visitor register books at building entrances. Are they stored indefinitely, destroyed, or sold to third parties? In most cases, their fate remains unknown. Although the Data Protection Act does not prescribe a specific retention period, security providers are discouraged from retaining personal data on a “just-in-case” basis. Instead, they must justify their retention policies. Prolonged retention is often unnecessary, increases storage and security costs, and enlarges the volume of data exposed if a breach occurs. Security providers are therefore expected to securely dispose of visitor records once they are no longer required: shredding or incineration for paper registers, and secure deletion for electronic ones.
Protecting the confidentiality and integrity of personal data requires the implementation of access controls to prevent unauthorised exposure or misuse. The Note recommends establishing authentication mechanisms to limit access to authorised personnel only. It also emphasises continuous staff training to foster a culture of confidentiality, supported by clear reporting and escalation procedures for data breaches.
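As an added illustration (not from the Note, the Act, or the ODPC), the following Python sketch shows how the retention and access-control points in the two preceding paragraphs translate into a digital visitor register: minimal fields, custody of the identification document tracked and released on exit, a documented retention period after which closed entries are purged, and role-based access that masks ID numbers for ordinary guards and logs every view. The 30-day retention period and the role names are assumptions; the Act sets no retention period, so a controller must document and justify its own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# ASSUMPTION: the Act prescribes no retention period; 30 days is a placeholder
# that a controller would have to justify in its own retention policy.
RETENTION_DAYS = 30

# ASSUMPTION: hypothetical roles. Which role may see full ID numbers is a policy choice.
FULL_ACCESS_ROLES = {"security_supervisor"}
MASKED_ACCESS_ROLES = {"guard"}


@dataclass
class VisitorEntry:
    """Data minimisation: only the fields the Act requires for entry/exit records."""
    name: str
    id_number: str
    time_in: datetime
    time_out: Optional[datetime] = None
    id_document_held: bool = True  # the Act: retain on entry, return on exit


def mask_id(id_number: str) -> str:
    """Reveal only the last three characters of an ID number."""
    if len(id_number) <= 3:
        return "*" * len(id_number)
    return "*" * (len(id_number) - 3) + id_number[-3:]


@dataclass
class VisitorRegister:
    entries: list = field(default_factory=list)
    access_log: list = field(default_factory=list)  # who viewed what, and when

    def sign_in(self, name: str, id_number: str, now: datetime) -> VisitorEntry:
        entry = VisitorEntry(name=name, id_number=id_number, time_in=now)
        self.entries.append(entry)
        return entry

    def sign_out(self, id_number: str, now: datetime) -> bool:
        """Record exit and mark the identification document as returned."""
        for e in self.entries:
            if e.id_number == id_number and e.time_out is None:
                e.time_out = now
                e.id_document_held = False
                return True
        return False  # no open entry for this visitor

    def purge_expired(self, now: datetime) -> int:
        """Delete entries older than the retention period; return how many were removed.

        An entry whose ID document is still in custody is never purged, because the
        register is the only record of what must be returned to the visitor.
        """
        cutoff = now - timedelta(days=RETENTION_DAYS)
        kept = []
        for e in self.entries:
            last_activity = e.time_out or e.time_in
            if e.id_document_held or last_activity >= cutoff:
                kept.append(e)
        removed = len(self.entries) - len(kept)
        self.entries = kept
        return removed

    def view(self, role: str, now: datetime) -> list:
        """Role-based access: full IDs for supervisors, masked for guards, denied otherwise."""
        if role in FULL_ACCESS_ROLES:
            masked = False
        elif role in MASKED_ACCESS_ROLES:
            masked = True
        else:
            self.access_log.append((now, role, "DENIED"))
            raise PermissionError(f"role {role!r} may not read the visitor register")
        self.access_log.append((now, role, "masked" if masked else "full"))
        return [
            {
                "name": e.name,
                "id_number": mask_id(e.id_number) if masked else e.id_number,
                "time_in": e.time_in,
                "time_out": e.time_out,
                "id_document_held": e.id_document_held,
            }
            for e in self.entries
        ]


def demo() -> dict:
    """Constructed sample data: three visitors, one purge run at day 31."""
    reg = VisitorRegister()
    t0 = datetime(2025, 1, 1, 9, 0)
    reg.sign_in("Alice", "12345678", t0)
    reg.sign_out("12345678", t0 + timedelta(hours=2))        # closed, document returned
    reg.sign_in("Carol", "11223344", t0)                     # never signed out, document held
    reg.sign_in("Bob", "87654321", t0 + timedelta(days=20))  # recent, still inside
    removed = reg.purge_expired(t0 + timedelta(days=31))      # only Alice is past retention
    guard_view = reg.view("guard", t0 + timedelta(days=31))
    return {"removed": removed, "remaining": len(reg.entries), "guard_view": guard_view, "register": reg}
```

Running `demo()` purges only the closed, expired entry; the open entry whose document is still held survives regardless of age, and the guard view shows ID numbers as `*****321`-style masks while the access log records each read.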
Legitimate Interest vs Public Interest in Biometric Surveillance
While the Private Security Regulation Act allows security providers to request identification documents, the Note stresses the need to establish a legitimate interest for doing so. Security providers must determine whether the request is necessary to protect premises or assets and whether the interest is factual and linked to an imminent risk.
The Note further clarifies that public interest may override legitimate interest in limited circumstances, particularly with respect to CCTV monitoring in public or government buildings accessible to the general public. In private or commercial buildings, CCTV monitoring requires consent or must be justified by the legitimate interests of the building owner or occupants.
Additional guidance is provided on the use of CCTV in workplaces. Employees must be informed of the presence, location, and purpose of CCTV cameras. Surveillance should not be used to monitor employee attendance or performance. Any use beyond the stated purpose must be justified on a case-by-case basis. Notably, CCTV monitoring within private households is exempt from the Data Protection Act, provided it captures activities solely within the scope of private family life.
Data Protection Policy Checklist
The Note outlines key compliance obligations for private security companies when developing data protection policies. These include the duty to notify data subjects that their personal data is being collected, explain the purpose of collection, disclose any third parties involved, and outline the safeguards in place.
Data protection must also be considered at the design stage of security systems. This approach promotes data protection by default and reduces the risk of breaches through built-in safeguards.
Policies should further address procedures for data breach notification and communication. Where personal data has been accessed or acquired by an unauthorised person and there is a real risk of harm to data subjects, data controllers are required to report the breach to the ODPC within 72 hours of becoming aware of it and to detail the mitigation measures taken. Where possible, affected data subjects must also be informed in writing within a reasonable period.
Security providers whose processing activities pose a high risk to the rights and freedoms of data subjects, such as biometric data processing or systematic monitoring of publicly accessible areas, are required to conduct Data Protection Impact Assessments. Regular assessments help ensure that appropriate safeguards remain effective.
Finally, the Note calls on all security providers offering CCTV solutions or managing personal data, regardless of size or turnover, to register as data controllers or processors with the ODPC.
Conclusion
Rising security concerns have driven the growth of private security companies, resulting in increased collection of personal data. In response, the ODPC released the Draft Guidance Note and invited public participation. While the Note does not contain enforcement mechanisms, it provides practical guidance aimed at strengthening compliance with the Data Protection Act and enhancing the protection of personal data within the private security sector.
