Right to be forgotten (Right to erasure)

Under Article 17, the GDPR gives individuals control over their personal data, including the right to have their personal data erased if it is no longer necessary for the intended purpose of the system.

According to Article 17 subparagraph 1c of the GDPR, the Data Controller must handle objections of data subjects. Since deleting a specific subject from video is not practical, data processors should strictly limit how long video is retained in accordance with the documented purpose of the system.

What should you do?

Review retention time for all cameras, and ensure it is set in accordance with the documented system purpose.

The right to be forgotten does not often apply to video surveillance, since retention time is usually short and since other lawful bases overrule 'reasonable' technical and legal interests such as legal obligation (employment act), public interest (crime prevention, public health & security), vital interests (life & health critical data, hazardous and dangerous environments), legitimate interests (fraud detection, employment, product development) or even contractual fulfillment (employment, subscriptions and licensing). An example of a legitimate interest is that video surveillance recordings must be a trusted source of evidence at any given time. Therefore, the VMS primarily protects video evidence from tampering and assures its authenticity, making the right to be forgotten secondary.

There are usually two reasons for data subjects to object to the storage of video recordings:

  • The interests of the Data Controller to store the data are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Article 17 subparagraph 1c GDPR)
  • The personal data have been unlawfully processed, for example the surveillance of a kindergarten or a locker room (Article 17 subparagraph 1d GDPR)

Therefore, each request must be examined thoroughly.

How long should the recordings be kept?

The general principle is that recordings must not be retained longer than necessary for the specific purposes for which they were made. It must also be considered whether recording is necessary in the first place and whether live monitoring without recording would be enough.

If an organization opts for recording, it must specify the period for which the recordings will be retained. After the lapse of this period the recordings must be erased. Milestone XProtect VMS automates the process of erasure, by automatically deleting recordings older than the set retention time.

When files containing the recorded video data are deleted by the VMS, the files and their content are actually not erased from the data blocks on the storage system but simply marked as free in the file system, allowing other files to be written to this location on the storage system. Until the data blocks are actually overwritten with new data, the old deleted video data may potentially be restored, providing access to recordings older than the set retention time.

Because of this, it is recommended not to over-dimension the storage system, because the risk grows with the size of the overhead.

For example, if the allocated storage system is twice as large as the amount of video data stored for the set retention time (for example, seven days), the deleted data blocks containing old deleted video data may statistically remain on the storage system for an additional seven days before they are overwritten.

To further reduce the risk of accessing old video data that has been deleted, and for security in general, it is recommended to enable encryption of the media databases, because accessing the old data then requires breaking the encryption in addition to restoring the deleted files.

Regardless of whether the video data has been encrypted, once the disks in the storage system are no longer usable, it is important that you sanitize or physically destroy the hard disks that have been used to store media databases before you dispose of them (for example, by shredding or other equivalent means).

For information about how to set this up in Milestone XProtect, see "Storage and archiving (explained)" in the XProtect VMS - Administrator manual.

If the purpose of the video surveillance is security, and a security incident occurs and it is determined that the recordings are necessary to further investigate the incident or use the recordings as evidence, the relevant recording may be retained beyond the normal retention periods for as long as it is necessary for these purposes. Thereafter, however, they must also be erased.

Retention period for typical security purposes: one week to one month

When cameras are installed for purposes of security, one week to one month should be enough time for security personnel to make an informed decision whether to retain a recording for a longer period to further investigate a security incident or use it as evidence.

An example of local law: according to some German Data Protection Authorities and most of the data protection literature, this retention period is from 48 to 72 hours as a guideline for the purposes of access control and investigation of criminal offenses.

Member State or third country territory: 48 hours

In case the surveillance covers any area outside the buildings on Member State (or third-country) territory (typically those near entrance and exit areas) and it is not possible to avoid that passers-by or passing cars are caught on the cameras, it is recommended to reduce the retention period to 48 hours or otherwise accommodate local concerns whenever possible.
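The retention review and the storage-overhead effect described above can be checked together. The following is an added example, not Milestone code and not an XProtect API: it simulates block reuse to estimate how long deleted video stays on disk and audits a constructed camera inventory against the retention periods given on this page. The purpose labels, the inventory fields, the 30-day reading of "one month" and the oldest-freed-first reuse model are assumptions.

```python
from collections import deque

# Retention ceilings in days, from this page's guidance. "One month" is taken
# as 30 days (assumption); the purpose labels are hypothetical.
MAX_RETENTION_DAYS = {"security": 30, "public-area": 2}

def residual_days(capacity_days, retention_days, sim_days=200):
    """Days past retention that deleted video can still sit on disk.

    Model (assumption): one block per day of video, storage sized in days of
    video, and freed blocks reused oldest-freed-first.
    """
    if capacity_days < retention_days:
        raise ValueError("storage cannot hold the configured retention time")
    blocks = [None] * capacity_days      # recording day held by each block
    free = deque(range(capacity_days))   # blocks the file system may reuse
    live = deque()                       # (day, block) still within retention
    worst = 0
    for today in range(sim_days):
        # VMS deletion only marks the block free; the data stays in place.
        while live and today - live[0][0] >= retention_days:
            free.append(live.popleft()[1])
        block = free.popleft()
        blocks[block] = today            # old data is destroyed only here
        live.append((today, block))
        oldest = min(d for d in blocks if d is not None)
        worst = max(worst, (today - oldest + 1) - retention_days)
    return max(worst, 0)

def audit(cameras):
    """Return (camera, finding) pairs that need review."""
    findings = []
    for cam in cameras:
        limit = MAX_RETENTION_DAYS[cam["purpose"]]
        if cam["retention_days"] > limit:
            findings.append((cam["name"], f"retention above {limit} days"))
        extra = residual_days(cam["capacity_days"], cam["retention_days"])
        if extra:
            findings.append((cam["name"], f"deleted video on disk {extra} days longer"))
    return findings

# Constructed inventory for illustration, not exported from a real system.
CAMERAS = [
    {"name": "lobby", "purpose": "security", "retention_days": 7, "capacity_days": 14},
    {"name": "entrance-street", "purpose": "public-area", "retention_days": 7, "capacity_days": 7},
    {"name": "warehouse", "purpose": "security", "retention_days": 30, "capacity_days": 30},
]
```

Calling `audit(CAMERAS)` flags the lobby camera for the seven extra days caused by storage twice the retention size, and the street-facing camera for exceeding 48 hours.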