Handling exported data

Exporting is done when there has been an incident that requires sharing evidence with authorities. If you have the rights to export evidence, you have the responsibility when handling it. The reason why it's sensitive is both due to the contents and the fact that the data leaves the surveillance system. Most likely, there has been an incident that may involve criminal activity. There may also be sensitive private details in the evidence. When you export it, it is usually stored on a removable storage of some kind (USB drive, optical disc, etc.).

If that data ends up in the wrong hands, the privacy of the Data Subjects in the evidence would be lost.

You should have a clear process for exporting evidence, which covers:

  • Who can export evidence?
  • Where is the evidence stored until handed to authorities?
  • Who has access to it?
  • What format(s) should be used?
  • Whether encryption should be applied (highly recommended)?
  • When is the evidence destroyed?

Data Controllers must take technical and organizational measures to protect data that leaves the Milestone XProtect VMS. Such measures could be:

  • Limit the permission to export videos and audit logs to special personnel only
  • Consider encrypting the data before or after it is being exported
  • Apply privacy masks before exporting video data, where appropriate
  • Physically protect removable media with personal data on it
  • Establish policies that ensure that personal data is deleted from media according to the retention time
  • Keep a register of removable media – who exported what data to the media? To whom has it been forwarded and for what purpose? Is the recipient informed to destroy the media or to return it after the purpose has been reached? Etc.
  • Use Windows group policies to disable USB ports or media access on the client PCs
  • Monitor the audit logs for unauthorised export events
  • Commit employees to the data protection policy
  • Properly sanitize the media or physically delete it if sanitization is not possible (for example, DVDs)

See the Milestone GDPR e-learning for VMS Operators for more information on handling data exports.