Home Articles What does GDPR mean for surveillance?

What does GDPR mean for surveillance?

by Andy Clutton

Over the last 20 years, various crisis and initiatives have come and gone that have resulted in huge consultancy and IT bills – now GDPR has become the latest golden goose which has the industry feathers ruffled.  Here, Neil Patel at D-Link Europe, explores and debunks some of the claims being made regarding GDPR and its impact on video surveillance.

After May 25th 2018, the way CCTV video footage is captured and handled has changed to fit with the new GDPR guidelines introduced by EU, ensuring that more stringent rules and regulations are implemented in order for business owners and organisations looking to install new CCTV systems.  A business owner now needs to have a valid reason for CCTV placement within their businesses, which requires viable reasoning. One such reason may be to help protect their stocks or assets, the wellbeing of their employees when it comes to health and safety, or to capture footage of any incidents that may occur within the company.

Obviously, CCTV cannot be fitted to explicitly monitor staff.  There is a basic requirement for employers to have a valid reason for video surveillance implementation and in what specific areas.  Employers using CCTV will need to communicate in advance to their employees the lawful basis for using CCTV in the workplace. Camera positioning and how they are used will need to be reasonable and proportionate – for example, monitoring all employees at general entrance, rather than monitoring a select group of people in view of a positioned CCTV camera.

However, if an employee objected to the use of CCTV in a particular area, GDPR regulations put the burden on the employer to demonstrate that it has a compelling, legitimate reason for processing the employees’ personal data, the CCTV images, which outweigh the employees’ rights, or grounds for establishing exercising or defending legal claims.

We can accept that businesses that use CCTV are collecting personal data of anyone who is visible within the cameras field of view. To inform people who operate in and around the business, you are already obliged to disclose that CCTV is in use and that their image could be captured on any footage that is obtained. The most common method to do this is to have clearly displayed signs warning people or, in some regions, a contact number for anyone wanting to contact the CCTV operator if they have any queries is required.

Typically footage that has been recorded from CCTV operations is retained for a period of time. The duration of this time varies based on the application and the operator, and around 31 days video retention is not uncommon.  In professional deployments, the video is typically recorded and stored to a VMS or NVR. This approach ensures video footage is recorded centrally, which facilitates the ability to enable access control to the footage and log user access.  However, with the introduction of more affordable cameras and the rapid adoption of high capacity SD Cards, videos can now also be recorded locally to these cards in the camera itself.  This introduces new risk since there is now the possibility that someone can eject and retain the SD Card containing the video leading to security breach.  So, for professional installations it is strongly advised that a professional VMS and/or NVR be used.

If the footage needs to be kept for longer time periods, then a risk assessment needs to be carried out to document the reasons for this concession.  Images and videos that are acquired through CCTV system might be requested by emergency services, for example. Typically, they will usually view the CCTV footage onsite and this would not warrant any concerns for the leak of the data; as long as they have a written request, ensuring GDPR compliance. Recorded material should be stored in a way that maintains the integrity of the information. This is to ensure that the rights of individuals recorded by surveillance systems are protected and that the information can be used effectively for its intended purpose. To do this, you need to carefully choose how the information is held and recorded, and ensure that access is restricted. You will also need to ensure that the information is secure and, where necessary, encrypted.

Encryption can provide an effective means to prevent unauthorised access to images processed in a surveillance system.  When access is provided, a log of where, what, by whom and how the data was accessed must be retained.  In this instance the Fundamental Data Protection principles of GDPR are applicable, the data controller not only accepts accountability for compliance, but also needs to clearly demonstrate their processes to ensure accountability.  Lawful processing and special categories of personal data, GDPR contains similar conditions for lawful processing of personal data as defined in local data protection laws.

As far as public authorities’ use of CCTV systems is concerned, it should be noted that the condition that the processing of personal data is ‘necessary for the purposes of legitimate interests pursued by the data controller’ will not apply to public authorities. Instead, a public authority will need to consider whether it can plausibly make use of one of the other conditions, e.g. ‘performance of a task carried out in the public interest’ to justify the use of CCTV.

It’s becoming increasingly common to find security cameras being deployed in residential domestic properties these days, either installed professional or by doing it yourself.  These DIY home surveillance solutions typically use Wi-Fi to communicate with the cameras and record video to the cloud. Even though these domestic installations are simply designed, they equally have stringent restrictions which most consumers are unaware.  Everybody has the right to protect their property; security lights, alarms, locks, CCTV are just some of the possible security measures that can be taken.  CCTV is the most overt solution, in fact, before getting a CCTV system for your home, there are a couple of considerations that need to be deliberated first.  You must consider how your CCTV system might have an impact on the privacy of your neighbours and their properties.  Legally, home CCTV use can be a bit of a grey area.  As long as the cameras are being used to monitor your property only, and within its boundaries, you should be ok as a rule.  Unless you’re streaming the footage publicly, so in effect broadcasting images of the visitors to your home, then similar rules apply as to when cameras capture footage beyond your property fences – such as public pavements, roads and neighbouring properties.

If a domestic CCTV system is monitoring the movements of strangers outside the property boundaries, then it is effectively collecting data on those individuals.  It is therefore covered by GDPR; this requires that the individual who is operating the system register with their local Information Commissioner as a data controller, which will have an annual fee associated with it.  Most home security cameras will inevitably capture footage from beyond the property boundary, it’s often unavoidable. So it is important to ensure that clear signs stating that CCTV is in operation.  The home owner needs to ensure that the footage is used for security use only and is retained securely for the minimum number of days.  The footage should not be released to third parties.  However, where a camera has been captured a crime, the footage can be kept for as long as needed to detect and prosecute the crime. The footage captured can also be passed on to the police and other authorities to achieve this.

In terms of cloud storage, from a video surveillance perspective, it is critical for people and businesses using any cloud recording service to know the location where their data/footage is being processed or stored.  Data is seldom stored where the cloud provider is headquartered, the data can be moved around between a supplier’s data centres, meaning it can reside anywhere in the world unknowingly.

Individuals or business using cloud based recording services should take adequate security measures to protect the recorded data from loss, alteration, or unauthorised processing. They should only collect and retain “necessary” video data and limit the processing of “special” data, as well as confirm what data processing is being conducted.  As well as ensure that they clearly own the data and that they do are share the data with third parties.  Further a defined data or video retention policy should be in place so that after predetermined amount of time anything that is not needed for legal reason is erased. Make sure that the any cloud recording service clearly states that once you download your own data immediately, and they will erase all your video data once you’ve terminated service.   Confirm how it will take them to do this. The more immediate (in less than a week), the better, as lingering data carries a higher risk of noncompliance.

What is evident is GDPR will have a major impact on the use of video surveillance, how it applies to the different uses of cameras and video retention remains to be seen.  What is evident, is that with the introduction of GDPR, the use of cameras coupled with the evolution of cloud based video recording services will have to planned and considered carefully, with local legislation undergoing some major changes to accommodate the law.

Related Articles