In Defence of Personal Data
Danny Bradbury, Freelance Journalist
We live in a CCTV nation. In 2013, a report by the British Security Industry Association estimated up to 5.9 million cameras across the UK. Nearly five years on, there are doubtless many more. Between them, they collect years of visual data every single day. Many companies haven’t yet realized how valuable that data is – and how badly it could be misused. It’s time to protect it more diligently.
When individuals walk into shot, cameras record their location and activities at a certain time of day. How can those being recorded be sure this visual data isn’t being used inappropriately?
Until now, regulations haven’t made CCTV owners that accountable. There is a 2015 CCTV code of Practice, but it is voluntary.
Now, the rules are changing. Regulators have refined privacy protection rules to the point where camera owners must pay attention to how they are treating this visual data.
The EU’s General Data Protection Regulation (GDPR), which comes into force in May 2018, introduces mandatory restrictions for CCTV operators, including small businesses and even home users. It forces them to acknowledge the value of the data they’re gathering, and protect it properly.
The GDPR specifically calls the large-scale, systematic monitoring of public spaces a “high-risk” activity, and use of CCTV will often fall into this category.
Retail organisations recording customers moving through their stores are just one category of CCTV user that will have to think carefully about the visual data they’re gathering. They must plan how they manage it, and the impact that it will have on individual privacy.
These users must conduct privacy impact assessments (PIAs), clearly outlining what visual data they are collecting, what they will use it for and how long they will keep it.
A PIA is not a one-off process. The GDPR forces CCTV owners to revisit the issue regularly to remain compliant as circumstances change. These assessments will include consultations with individuals whose privacy may be affected, potentially including employees who are being filmed.
Having documented what their CCTV policies mean for individual privacy, operators must then plan technical safeguards to protect this valuable personal data.
Older CCTV systems were developed before these new requirements came along. When it comes to data protection, in many cases, they won’t be up to the job. That doesn’t mean you have to throw them out. Modern cloud-based CCTV solutions provide a way to enhance older cameras, enabling you to use them while adding extra data protections to satisfy new data protection principles.
Safe secure storage
For example, one way to protect data from compromise, or misuse, is to store it in a safe place. This certainly isn’t on a DVR sitting in a poorly protected room.
Cloud CCTV systems can replace or supplement old DVRs by connecting cameras directly to a remote, secure, professionally managed visual data platform. This stops an intruder walking into a small business and stealing the CCTV recording equipment used to protect it.
Some cloud-connected camera systems can also encrypt visual data, both in transit and wherever it is stored. This means even if an attacker gets access to it, they won’t be able to read it.
Recording data to the cloud carries another advantage when it comes to complying with strict data regulations: auditability. Under GDPR, CCTV owners must demonstrate how long they kept the personal data that their cameras gathered, and what they did with it when they had it.
Cloud-based access enables the camera operator to assign separate login credentials to different users, so that the service can record who accessed what data, and when. Compare this with an unprotected video recording stored on-site, potentially accessible by anyone.
Beyond these measures, modern cloud-based CCTV systems can use signal processing to selectively block recordings that could cause legal problems later. For example, a camera may need to film a public space, but a privacy impact assessment may show that it should only record the public space at certain times of day, or under specific circumstances, such as when a vehicle comes into view.
Modern cloud-based services can blur specific parts of the image as outlined by the camera operator, and then unblur the recording when predefined conditions are met. This satisfies one of the key defining principles of GDPR and other data protection rules before it, which is that organizations should only gather the personal data that they need for the purposes defined, and nothing more.
Armed with these new technologies, companies can continue to use CCTV cameras to secure their businesses while properly respecting valuable private data and ensuring that they comply with the rules.
As cameras become increasingly pervasive and people become more privacy-literate, the data protection capabilities that cloud-based systems offer will be more important than ever.
CCTV owners must comply with some key data protection principles:
Principle: Collection limitation
Only collect the personal data you need, and nothing more.
Solution: Redaction and selective recording
Operators can program cloud-based security cameras to blur out portions of an image where appropriate. Cameras can be centrally set to record, based on specific pre-defined parameters.
Principle: Data quality
Video data should be kept up to date and relevant, only to the purposes for which it is used.
Solution: Cloud storage and SD card failover
Digital cloud-based storage is effectively unlimited, can be guaranteed for predefined periods and stored with bit-for-bit accuracy. No fuzzy videotaped images here. If the Internet connection fails, video is stored locally on an SD card until the connection is restored.
Principle: Purpose specification
Camera operators must clearly show where they’re gathering video and what it will be used for.
Solution: Adequate signage
Display signage that communicates clearly to people what you are doing, and why.
Principle: Use limitation
Recorded video should only be used for its stated purpose.
Solution: Secure access
Proper access controls to a secure, cloud-based video data store mean that only the right people get access to the appropriate camera data.
Principle: Security safeguards
Operators must protect visual data from misuse or modification.
Solution: Remote storage and encryption
Cloud-based CCTV systems store video remotely, making it impossible to tamper with it at a local site. For added protection, the data is encrypted on its journey to the cloud, and when it is stored there.
The camera operator must prove that it has complied with the data protection principles.
Solution: Auditable systems
Cloud-based access portals make it possible to log all stored and retrieved data, satisfying auditors that the camera operator is taking all the appropriate protective measures.