Inherent risks with using VMS

When maintaining the Data Protection Impact Assessment, you should be aware of the risks that are inherent in using a VMS.

The impact assessment should be adequately documented. As a matter of principle, an impact assessment report should clearly specify the risks to privacy and/or other fundamental rights that the organization identified, and the additional safeguards proposed. Be aware of the following risks of impinging on personal rights:

  • Company / employer, using the video feeds, alarms or audit logs to:
    • Monitor the work hours of the employees at the surveyed site – for example arrival and departure times
    • Monitor the productivity of the employees by tracking where they spend their time – for example the amount of time spent at the coffee machine or in restrooms, and how long they actually work on whichever task they have
    • Monitor what the employees are looking at on their computer screens
    • Monitor whether employees comply with work or safety requirements – for example on building sites
    • Show video recordings of employees to other employees or managers in order to bully the employee or to intimidate other employees with the same treatment
    • Check whether security guards / operators perform their duties effectively – for example checking whether they are actively using the clients, selecting cameras, running playbacks, etc.
  • Company / owner / operator / guards, using the video feeds to:
    • Share video recordings of people (company employees or the general public) in embarrassing or sensitive situations on social media
    • Use PTZ cameras to zoom in on people to obtain intimate / inappropriate close-up recordings of them without their knowledge
  • Company / owner / operator / guards:
    • Export video, or provide access to recorded video, uncritically to whomever asks for it

Additional sources to identify risk are:

  • The Milestone Hardening Guide provides the Cyber Risk Management Framework, describing the recommended six steps of categorizing, selecting, implementing, assessing, authorizing, and monitoring risks. The Hardening Guide lists a series of technical risks and recommended implementations to mitigate them. These include, but are not limited to, the protection of VMS privacy against a series of data breach and unauthorized access risks that stem from weak technical configuration, design and maintenance operations.
  • The Milestone Privacy Guide (this document) provides recommendations on handling the non-technical operational risks, including handling of data subject rights and requests, roles and responsibilities around a VMS, and templates for on-the-spot notices, a video surveillance policy and Data Processor Agreements.
  • The Milestone end-user privacy e-learning provides awareness training for VMS operators and supervisors on how to handle VMS-related privacy risks in everyday operation. See the Milestone Systems website.