CCTV has become almost ubiquitous in recent years. In addition to the familiar cameras in public spaces and building and shopping venues, CCTV is seen in small business, homes and even doorbells. As long as individuals can be recognised then you’re holding personal data. CCTV and other video files can can create sigificant demands when requested in SAR’s, or form part of a breach. When systems are being installed or upgraded, personal data risk must be considered especially if any form of recognition technology is involved.
Data Protection Support for users of CCTV
Avoiding the complexities of video
CCTV has become almost ubiquitous in recent years. In addition to the familiar cameras in public spaces and building and shopping venues, CCTV is seen in small business, homes and even doorbells. As long as individuals can be recognised then you’re holding personal data. CCTV and other video files can can create sigificant demands when requested in SAR’s, or form part of a breach. When systems are being installed or upgraded, personal data risk must be considered especially if any form of recognition technology is involved.
CCTV Background
Changing Technology
Although CCTV has been with us for a long time, in the period since the last data protection act the technology has changed radically. As well as becoming smaller and cheaper, many cameras have radically improved resolution and the ability to work in low light conditions . Government guidance makes it clear that the equipment should be capable of producing identifiable images, both moving and still.
Internet enabled cameras mean that images can be streamed to devices like phones and tablets. This means that your organisation can potentially be streaming personal data to uncontrolled devices and you can be held reponsible for what happens to that data afterwards. All organisations need to consider the use of CCTV carefully and be able to demonstrate full compliance.
Other Video Sources
Fixed CCTV systems are not the only source of video. Most computers, tablets and phones also have the ability to capture video. If this video is saved on, or transferred to, your systems, irrespective of where it came from, you may have to treat it like personal data. This means that if an incident occurs and it is filmed by a member of staff, potentially by any other individual, you are holding personal data on every person on that footage who could be identified.
Changing Attitudes
The place of video within data protection has been slightly unclear and this has led to practices which cross the boundaries of good practice. Taking schools as an example, there has been a culture that if an incident occurred, parents would be able to visit the school and view a copy of the unredacted video. At the same time, despite significant improvements in technology, it was considered too difficult to provide redacted copies of video that individuals were entitled to.
Both of these approaches limit the rights and freedoms of individuals. It is now expected that if you chose to have video capture, that you should be able to produce redacted versions of meaningful segments of video, meaning that individuals can get the data they require and other individuals do not suffer disclosure of their personal data.
Our Range of Services
How we can help – CCTV
There are three key times with CCTV, when it’s great to have additional support.
CCTV Implementation / Upgrade
Implementation/Upgrade: While the requirement for a data protection impact assessment remains ( and frankly even if the regulatory requirement is dropped) if you are implementing, re-engineering or renewing a CCTV system. Without a clear DPIA in place the legitimacy of your CCTV can be questioned.
We can help you go through the DPIA process rapidly, without missing the key elements. We can support the assessment of risk and put forward mitigations. Once the information has been gathered we can help you get it into a format recognised by the ICO.
Should there be a high residual risk we can help make representations to the ICO on your behalf.
Services
CCTV Requests and Redaction
A cornerstone of data protection is that personal data will only be accessible on a need to know basis. Historically CCTV has frequently been treated as unrestricted within an organisation. Depending on your retention policy you CCTV record may be the largest store of personal data. Large sites can have tens, if not hundreds, of cameras and footage is often kept for 21 – 28 days before being overwritten. Within these vast data files, everytime a person is in shot and could be identified that’s a piece of personal data.
General access to CCTV needs to be restricted and monitors should be placed to minimise the risk of overlooking if they have to be in the open. The files need to able to be accounted for should they need to be used in a disciplinary or criminal purpose. If you decide to use body worn video, you must ensure that your processes of issuing, returning and reviewing footage are capable of being audited.
Dealing with CCTV requests
Many people request access to CCTV. It might be in connection with an incident on site, a scrape in the car park, or a confrontation. You may also get requests from the Police Service for access.
It’s essential that you have appropriate authority and then only give access to the data a person is authorised to have.
Where an individual asks for footage, they are often trying to show that someone else took an action that mitigates their own. The simple fact is that only part of the image a personal is entitled to is that of themselves. This can be greatly annoying to the individual because the reason they are asking for access is to show that someone else did something.
You must not provide unredacted footage, even just allowing people to ‘come in and watch’ without explicit consent of others in the shots. Instead you must provide a redacted version. To do otherwise is to lay yourself open to claims for damages, even prosecution.
CCTV Redaction
CCTV redaction is no longer as difficult as it used to be. A computer that will run a video editing application will be sufficient. The technique is exclude everything other than the individual and to blur out the rest so that no identifiable individuals can be seen. Like other redaction work it is based on identifying what can be left in and removing the rest.
We can udertake this redaction on your behalf and will return mp4 files that are ready to be distibuted.
Services
CCTV Breach
CCTV systems are by no means invulnerable to being breached. Obscuring or even destroying cameras in certain areas is not uncommon. There are other potential breaches in the flow of data, but these are probably more in the realm of fiction than of day to day experience.
It is a breach of the content that is of most common. This may come from it beingviewed at source by unauthorised individuals, or it may come from from copies of downloaded material getting into unauthorised hands. A key complicating factor is that these type of extracts only get made when there is material of interest. This might be about illicit activity or an individual’s vulnerability. The key point is that it already likely to be sensitive.
Access Breaches
Whether access is given to the wrong person, a file is sent incorrectly, even a removable storage device may be acquired by an unauthorised person the content of the video has the capability of causing harm. Thought should be given to the way that CCTV is accessed and shared so that a chain of custody can be established. If a breach does occur you may not find this out until negative consequences start to become evident.
Unless the video is on a physical device, you find out almost immediately and then retrieve the device, there is no real concept of retrieving the data once breached. You can attempt to get individuals to say that they have removed copies of any material but you have no way of checking. In addition you need to consider what mitigation might be required.
Mitigation
If there material that could cause embarresment then individuals need to notified and worked with to address the potential feelings. If the material shows some form of argument or a fight then any of the participants may be at risk if it is shared further. This is a particulalr issue for schools and colleges, but could occur anywhere. Again letting the affected individuals know about the breach is essential and you may need to provide support in the short term.
The last area to consider is whether the footage shows something which could create risk to the organisation. In this case you will need to decide on further action that might need to be taken.
Click here to add your own text