A video surveillance system, or closed-circuit television (CCTV), is a sophisticated networked system consisting of one or more cameras that live-monitor or record a designated area. Video surveillance is frequently utilized in public spaces, and organizations of various sizes implement video surveillance systems to safeguard their property, assets, and employees. While these systems are beneficial for many reasons, they raise significant data privacy concerns due to their heightened vulnerability to cyberattacks, as well as the potential for personal data breaches — particularly in the context of compliance with the General Data Protection Regulation (GDPR).
What Are the Main Data Protection Issues of Video Surveillance?
The GDPR is a data protection regulation that affects organizations operating in the European Union (EU). To abide by the GDPR, organizations must ensure that personal data collected by way of video surveillance is processed in a lawful, fair, and transparent manner (Article 5(1)(a)). Although video surveillance is installed mainly to strengthen security, organizations that implement it poorly may be subject to severe GDPR fines for unlawful processing. The main privacy concerns when setting up a video surveillance system include:
1. Data Security Breach
The European Council stated that more than 10 terabytes of data are stolen monthly. In the case of a cybersecurity attack, organizations can be held responsible for a personal data breach, despite being victims of the cyberattack themselves. Personal data is any information that can be used to identify a natural person, and video surveillance poses the risk of capturing or recording such data. Accordingly, it is crucial to exercise caution when utilizing video surveillance, since this involves the processing of personal data, which could lead to serious ramifications in the event of a cyberattack or data breach.
Data collected from CCTV systems must be securely stored with appropriate security measures to prevent data loss or unauthorized access. Organizations bear the responsibility of ensuring their surveillance systems are well-protected against cyberattacks. Strengthening IT security can involve addressing network vulnerabilities, upgrading software and surveillance equipment with outdated security features, and providing staff with comprehensive training on data protection best practices.
2. Collection of Relevant Data
Video surveillance can offer real-time monitoring, which is convenient and, in some cases, cost-effective. Organizations can protect their physical assets as well as their employees by installing video surveillance systems around their premises. However, organizations need to be mindful of the locations they plan on monitoring. For example, installing a video camera to safeguard the entrance to an area where valuable assets are stored can be considered a valid reason for surveillance, whereas installing a camera in private offices or changing rooms might not qualify. In addition, the data that is collected from video footage cannot be processed for purposes other than the one stated by the controller. For example, organizations that collect video footage for the sole purpose of safeguarding physical assets cannot subsequently start using the footage to monitor employees’ movements.
3. Lawful Basis
As required by GDPR Article 6, organizations must identify a lawful basis for processing personal data, including when this is done using surveillance systems. In the case of video surveillance, consent is often not a practical or viable legal basis, as obtaining valid consent from data subjects is usually impractical or impossible. Accordingly, the most relevant basis might be the organization’s legitimate interests or, if applicable, the necessity to carry out a task in the public interest.
4. Special Category Data
Organizations should exercise particular caution when video surveillance involves, or could involve, the processing of special categories of personal data such as racial or ethnic origin, political opinions, or religious beliefs as outlined in GDPR Article 9. An organization must identify one of the conditions in GDPR Article 9(1), such as consent, if it is actively processing special category data. This would be the case, for example, when biometric data is processed using facial recognition systems to uniquely identify individuals.
5. Transparency
Organizations should place clear signs informing individuals that surveillance is in place. The signs should be placed in appropriate locations, including the entrance to an area that is under surveillance. The signs must be prominent, easily visible, and readable.
6. Retention Period
Personal data collected from video surveillance systems should not be kept longer than necessary for the purposes for which it was processed. Such data can be stored longer only for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (Article 5(e)). Organizations should ensure that video footage is deleted once the retention period has expired.
Summary
Implementing a video surveillance system for your organization is not as simple as just setting up your software and cameras. A data breach can create significant risk to the fundamental rights and freedoms of natural persons. Whether or not an organization’s video surveillance is GDPR-compliant is decided on a case-by-case basis. Assigning a data protection officer (DPO) for your organization can be an optimal solution to ensure GDPR compliance. In addition, IT Security Policy Implementation is helpful in identifying risks of processing personal data as well as minimizing these risks in the early stages.