Author: Indrek Keis
Video recordings are also used for commercial and other purposes, but this article will focus on the purpose for providing security in organizations – keeping property and persons safe. I will list the main activities that help organizations reduce the negative consequences of using video surveillance and the possibility that they might have to resolve complaints or get a citation from an oversight body.
Activities preceding video recording
Who is responsible? First of all, it is necessary to specify the actual entity who is responsible, meaning the organization that ensures the legitimacy of use of video surveillance. The responsible organization may not always be obvious because more than one organization may share the same grounds or property or the use of video cameras may be contingent on pre-existing contracts, agreements and legal acts.
It is necessary to determine whether there is a need to use video surveillance and what to what extent. The end does not always justify the means – the use of cameras to keep property safe is not permitted everywhere. For instance, it is hard to consider video surveillance legitimate in a dressing room area where people disrobe and expect greater privacy. In such a case, there are better alternatives for protecting property that do not involve processing of personal data. Consider stronger lockers and locks if there is a need to keep the contents of the locker safe or security elements in case of a store looking to deter shoplifters. Determining the need for using video surveillance is important for selecting the camera’s line of sight and the suitable equipment.
Once you have identified who wants to use video surveillance and for what reason, also consider the legal framework. Legal options in the private and public sector vary. Apartment associations should think about property law issues and if necessary, use video surveillance based on the decision of the general meeting. Organizations that use a video surveillance service provider or store data outside the EU must additionally consider mandatory legal agreements.
Before starting the use of video surveillance, the organization should set rules on how long the video recordings are retained, by who and in what instances can the recordings be accessed and how the organization will enforce the rules.
To sum up, before cameras are installed and turned on, it must be made sure that the organization has documented the purposes of video surveillance, the need for using the camera and rules for using the video recordings and. The organisation also has to be able to demonstrate that it has provided relevant notices regarding the use of video surveillance.
Choosing technical solutions
Selectiong of technical solutions depend largely on the previously defined goal and needs. Use of a 360-degree camera is not expedient if only a specific area must be monitored, such as an entrance, cash register or one part of the office or hallway. If the scope of the viewing area does not have to be changed constantly but the equipment enables it, the organization will find it harder to prove compliance with data protection requirements. If a technical solution with additional functionality or enhancements is used, people captured on camera may raise trust issues – why use a type camera that makes it possible to easily and unnoticeably change the viewing angle although there is actually no need for it?
Data security also plays a role when it comes to the technical aspect, starting from the transmission of data from the camera to data retention and deletion of data. A wireless camera is certainly easier to install but security should not be overlooked. Unfortunately, it is all too easy to go on the internet and find recordings or live streams by security cameras with factory-default access privileges or that are not password protected. When storing recordings in the cloud or locally, it should be ensured that only authorized people have access. It should also be decided who uses the data and how the data is erased – automatically or with manual intervention.
To sum up, the keywords for choosing technical solutions are secure and encrypted data connections, transmission, storage and deletion, as well as user and password management.
Data subject access requests
When video surveillance is used, the rights of the people who may be captured on camera must not be overlooked. In general, everyone has the right to access their personal data, which in the case of video surveillance means the camera recording, and demand that their data be deleted, although the latter does not always have to be granted. From the perspective of the organization, it is wise to consider how such requests will be processed (how a person can make the request and to whom, how the request reaches the right employee responsible for resolving it, etc.). Previously determined and documented purposes, need, legal grounds and rules also play a role in case the organisation receives a data subject access request.
As with other activities that involve collection, creation or otherwise using personal data, the organization responsible for video surveillance must be capable of proving the following, among other things:
- the processing of personal data is legitimate (conditions relying on a specific legal basis are fulfilled);
- people have been notified of processing their personal data (the person was aware of video surveillance, and who was doing so for what reason);
- the security of the data is ensured (rules and technical measures).
What to avoid?
First of all, avoid failing to provide notice to people or giving the notice too late. Regardless of whether it is only the organization’s own employees who are on camera or complete outsiders, it should be clear and understandable to everyone that they may be caught on camera. The notification must be made at the first opportunity so that people can decide whether they wish to remain in the potential surveillance zone or not.
Secondly, vague purposes should be avoided. A specific, well-conceived objective is the basis for evaluation of suitable technical solutions, determining the camera’s field of vision, notification and resolving later data subject access requests.
Third, it is not a good idea to ask for people’s consent for video surveillance. The technical and legal requirements for legitimate consent make asking for consent impractical in the case of video surveillance. In other words, video surveillance should not depend on consent.
Fourth, the video recordings must not be publicly disclosed without a legitimate reason. Access to recordings and use thereof should take place only in justified cases. Publication of a surveillance camera recording on (social) media is not always lawful, even if the footage depicts damage to property, a humorous situation or an accident narrowly averted. When releasing video footage in the context of a request related to personal data, it should be ensured that no other persons are recognizable on the video if the person wishes to access a video recording in which they are depicted.