Appendix: GDPR compliance

This section provides an overview of the GDPR regulations relevant for video surveillance. It describes what the GDPR is and how it impacts video surveillance usage.

Do you have a lawful basis for collecting data?

GDPR requires that all organizations have a valid, lawful basis for collecting and processing personal data.

Video surveillance on the basis of consent or vital interests may be possible in exceptional situations, for example in the health and care sector if a person has to be monitored permanently.

You are required to keep track of processing activities in a Record of processing activities (Article 30, GDPR). For a sample template of a Record of Processing Activities, see the Record of Processing Activities template.

Check the legitimacy of processing video data and user data in accordance with the following levels of regulation:

  1. General Data Protection Regulation (Article 6, GDPR)

    Particularly Article 6 (1)(b) of the GDPR:

    Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

    And Article 6 (1)(f) of the GDPR (Article 6 (1)(e), processing necessary for a task carried out in the public interest, is discussed under Processing based on a legal obligation or a public task):

    Processing shall be lawful if and to the extent processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

  2. Directive (EU) 2016/680 Law Enforcement or the national law based on that directive

    Comply with national law based on the Directive (EU) 2016/680 Law Enforcement in order to establish a legal basis to check the legitimacy of the processing.

  3. National law

    Comply with national law, for example, Section 4 German Federal Data Protection Act (FDPA), though this provision does not apply to video surveillance conducted by enterprises.

Before you implement video surveillance, assess the potential benefits and the impact on the rights to privacy and other fundamental rights and legitimate interests of those in the covered area.

When you decide to use video surveillance, document the purpose of the video system, what information is collected, what it will be used for, by whom, and for how long, and provide adequate supporting evidence such as statistical data on the actual number of security incidents that occurred, as well as evidence of past effectiveness of the cameras to deter, prevent, investigate, or prosecute those incidents.

The extent of assessment depends on the size of the proposed system and the impact on people’s privacy and other legitimate interests or fundamental rights.

Processing based on a legal obligation or a public task

When is the lawful basis for legal obligations likely to apply? In short, when you are obliged to process the personal data to comply with the law. Article 6 (3) of the GDPR requires that the legal obligation must be laid down by EU law or Member State law.

This does not mean that there must be a legal obligation specifically requiring the particular processing activity. The point is that your overall purpose must be to comply with a legal obligation that has a sufficiently clear basis in EU or Member State law. For example, a court order may require you to process personal data for a particular purpose, and this also qualifies as a legal obligation.

Public institutions usually use video surveillance to perform a public task. Be aware that the balancing of interests is not a legal basis for public authorities in the performance of these tasks.

For public institutions, video surveillance is only legitimate if it is necessary to perform the public task. When performing a public task, you must conduct a proportionality assessment (see Balancing of interests/proportionality assessment). The data controller must consider the principles of data minimization (for example, privacy masking), storage limitation (retention time), and purpose limitation (Article 5 (1), GDPR).

Balancing of interests/proportionality assessment

Private bodies usually operate a VMS to pursue the legitimate interests of the data controller or a third party (Article 6 (1)(f), GDPR). Therefore, a balancing of interests is necessary to check the legitimacy of the processing. The data controller needs to identify and weigh his interests versus the interests or fundamental rights and freedoms of the data subjects, which require protection of personal data.

The processing of audit and alarm history data can usually be based on the legitimate interest of the data controller (Article 6 (1)(f), GDPR). The same is applicable for user management data (account data, authentication credentials, authorization data, configuration data) if the user is an employee of a security company.

You must be clear, open, and honest with people from the start about how you will use their personal data. In your assessment, address the following questions:

  • What are the benefits of using video surveillance? Do the benefits outweigh any detrimental effects?
  • Is the purpose of the system clearly specified, explicit and legitimate? Is there a lawful ground for the video surveillance?
  • Is the need to use video surveillance clearly demonstrated? Is it an efficient tool to achieve its intended purpose? Are there less intrusive alternatives available?

Furthermore, the data controller may only use the personal data for a new purpose if it is compatible with the original purpose, or if the data controller obtains consent or has a clear basis in law.

Typical interests of the data controller

Typically, the data controller:

  • Exercises the right to determine who shall be allowed or denied access to data
  • Safeguards legitimate interests for specifically defined purposes

In the context of employment, note that the processing of employees' personal data (video data as well as user data) may be subject to more specific rules under Member State law (Article 88, GDPR), for example Section 26 FDPA (Germany).

Typical interests and rights of the data subjects

Data subjects typically have an interest in:

  • No long-term surveillance
  • No monitoring of intimate situations
  • Short retention times
  • Adequate safeguards if special categories of personal data (Article 9, GDPR) are processed

How XProtect reduces the impact on the interests or fundamental rights and freedoms of the data subject

Milestone XProtect reduces the impact on the interests and fundamental rights of the data subject through the measures described under Privacy by design and in the What should you do? lists below, in particular privacy masking, enforced retention times, encryption of recordings and exports, and role-based access permissions.

Summed up

Ensure that you do not do anything with the data in breach of any other laws.

You must use personal data in a fair way. This means you must not process the data in a way that is unduly detrimental, unexpected, or misleading to the individuals concerned.

You can only use the personal data for a new purpose if it’s compatible with your original purpose, or you get consent or have a clear basis in law.

In some cases that are deemed high risk of encroaching on privacy, you must conduct a formalized impact assessment (see Appendix: Data Protection Impact Assessment).

Conducting an impact assessment

Before installing and implementing video surveillance systems, you should conduct a privacy and Data Protection Impact Assessment.

The purpose of an impact assessment is to determine the impact of the proposed system on individuals' privacy and other fundamental rights, and to identify ways to mitigate or avoid adverse effects.

How much effort should go into the impact assessment? It depends on the circumstances. A video surveillance system with a high risk of encroaching on privacy warrants a greater investment than a video surveillance system with limited impact on privacy, for example, a conventional static CCTV system.

According to Article 35 (7) of the GDPR, the assessment must contain at least:

  • A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller

  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes

  • An assessment of the risks to the rights and freedoms of data subjects referred to in Article 35 (1) of the GDPR:

    Where a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

  • The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned

In any event, and in all cases, you must assess and justify whether to resort to video surveillance, how to place the cameras, select and configure the systems, and how to implement the required data protection safeguards. For information about securing your XProtect VMS installations, see the hardening guide and the certificates guide.

Individual rights

One of the main purposes of GDPR is to give individuals greater protection and a set of rights governing their personal data.

There are some very specific requirements under the terms of the regulation, all of which mean that the party processing or storing personal data has a responsibility to keep this data private.

GDPR gives individuals the right to be made aware when their personal data is being collected (at the point of capture) and how it will be used. For video surveillance, this means appropriate signage in and around the area under surveillance.

Articles 12 to 23 of the GDPR cover the rights of the data subject.

  • Section 1: Transparency and modalities
    • Article 12: Transparent information, communication, and modalities for the exercise of the rights of the data subject
  • Section 2: Information and access to personal data
    • Article 13: Information to be provided where personal data are collected from the data subject
    • Article 14: Information to be provided where personal data have not been obtained from the data subject
    • Article 15: Right of access by the data subject (see Right to access)
  • Section 3: Rectification and erasure
    • Article 16: Right to rectification
    • Article 17: Right to be forgotten (Right to erasure) (see Right to be forgotten (Right to erasure))
    • Article 18: Right to restriction of processing (see Right to restriction of processing)
    • Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
    • Article 20: Right to data portability
  • Section 4: Right to object and automated individual decision-making
    • Article 21: Right to object
    • Article 22: Automated individual decision-making, including profiling
  • Section 5: Restrictions
    • Article 23: Restrictions

Of these, the rights that are most relevant in the context of video surveillance are:

The right to be informed (Articles 12 to 14 and 34, GDPR)

Article 12 deals with transparency and modalities, whereas Articles 13 and 14 deal with information and access to personal data. These articles provide the data subject with the ability to be informed of what personal data is collected and how long it is retained. In the VMS context, see Appendix: On-the-spot notice.

Article 34 provides the data subject with the right to be informed in case of a data breach if it is likely to result in a high risk to the rights and freedoms of the data subject.

The right of access (Article 15, GDPR)

This right provides the data subject with the ability to get access to his or her personal data that is being processed, for example, video recordings of the data subject.

The data subject is granted the right to ask a company for information about what personal data (about him or her) is being processed and the rationale for such processing.

The right to erasure ("right to be forgotten") (Article 17, GDPR)

This right provides the data subject with the ability to ask for the deletion of their data. In the VMS context, the erasure upon the data subjects' requests is exceptional due to the interests of the data controller and the short retention times. (See Appendix: Video Surveillance Policy and Deleting video recordings partially in Appendix: The Milestone XProtect VMS system and GDPR).

The right to object (Article 21, GDPR)

This right provides the data subject with the ability to object to the processing of their personal data. In the VMS context, other interests such as legitimate interests (fraud detection, health and safety), legal obligation (bookkeeping, anti-money laundering), or even contractual fulfillment (employment contracts) may override the interests and rights of the data subject. In all cases, this must be fully transparent so the data subject can know and object. If the data subject objects, the data controller must assess the objection; otherwise the controller risks a fine.

For GDPR compliance in VMS systems, three rights are especially relevant: the right to be informed, the right to access, and the right to erasure.

Right to access

Under Article 15, the GDPR gives individuals control over their personal data, including the right to see that data. Particularly important is the right that data subjects can get a copy of their data and that third persons are masked (using third-party tools).

Upon request, organizations need to deliver to a data subject all the personal data collected about them, including video collected by a video surveillance system.

Ensure that you establish formal procedures and policies for handling right to access requests, described in Register of transfers and disclosures.

Transfers and disclosures

There are three main rules in the GDPR governing transfers, depending on whether the recordings are transferred:

  • To a recipient within the organization or in another organization

    In this case, the GDPR provides that the recordings can be transferred to others within the organization or in another organization if this is necessary for the legitimate performance of tasks covered by the competence of the recipient.

  • To others within the European Union

    In this case (transfers outside the organizations but within the European Union), these are possible if this is necessary for the performance of a task carried out in the public interest or subject to the exercise of public authority, or if the recipient otherwise establishes that the transfer is necessary and there is no reason to assume that the legitimate interests of those whose images are transferred might be prejudiced.

  • Or to outside the European Union

    In this case, transfers outside the European Union can be made: (i) if done solely to allow the organization’s tasks to be carried out and (ii) only subject to additional requirements, mainly to ensure that the data will be adequately protected abroad.

Register of transfers and disclosures

Organizations should keep a register, whenever possible in electronic form, of transfers and disclosures. Record each transfer to a third party in it. (Third parties also include anyone within the organization to whom a transfer is made by those having access to the recordings in the first place; this typically includes any transfer outside the security unit.) The register should also contain all instances where, although no copy of the video surveillance recording was transferred, third parties were shown the recordings or the content of the recordings was otherwise disclosed to them.

The register should include at least the following:

  • Date of the recordings
  • Requesting party (name, title, and organization)
  • Name and title of the person authorizing the transfer
  • Brief description of the content of the recordings
  • Reason for the request and the reason for granting it
  • Whether a copy of the recording was transferred, the recording was shown, or verbal information was given

Right to be forgotten (Right to erasure)

Under Article 17, the GDPR gives individuals control over their personal data, including the right to have their personal data erased if it is no longer necessary for the intended purpose of the system.

According to Article 17 (1)(c) of the GDPR, the data controller must handle objections from data subjects. Since deleting a specific person from video is not practical, the data controller should strictly limit how long video is retained, in accordance with the documented purpose of the system.

What should you do?

Review retention time for all cameras, and ensure it is set in accordance with the documented system purpose.

The right to be forgotten rarely applies to video surveillance, since retention times are usually short and since other lawful bases may override the request: legal obligation (employment law), public interest (crime prevention, public health and security), vital interests (life- and health-critical data, hazardous and dangerous environments), legitimate interests (fraud detection, employment, product development), or contractual fulfillment (employment, subscriptions and licensing). One example of a legitimate interest is that video surveillance recordings must remain a trusted source of evidence at any given time. The VMS therefore primarily protects video evidence against tampering and assures its authenticity, which makes the right to be forgotten secondary.

There are usually two reasons for data subjects to object to the storage of video recordings:

  • The interests of the data controller to store the data are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Article 17 (1)(c), GDPR)
  • The personal data have been unlawfully processed, for example the surveillance of a kindergarten or a locker room (Article 17 (1)(d), GDPR)

Therefore, each request must be examined thoroughly.

How long should the recordings be kept?

The general principle is that recordings must not be retained longer than necessary for the specific purposes for which they were made. It must also be considered whether the recording is necessary in the first place and whether live monitoring without recording would be enough.

If an organization opts for recording, it must specify the period for which the recordings will be retained. After the lapse of this period, the recordings must be erased. Milestone XProtect VMS automates the process of erasure, by automatically deleting recordings older than the set retention time.

When files containing the recorded video data are deleted by the VMS, the files and their content are actually not erased from the data blocks on the storage system but simply marked as free in the file system, allowing other files to be written to this location on the storage system. Until the data blocks are actually overwritten with new data, the old deleted video data may potentially be restored, providing access to recordings older than the set retention time.

Because of this, it is recommended not to over-dimension the storage system, because the risk becomes larger with the size of the overhead.

For example, if the allocated storage system is twice as large as the amount of video data stored for the set retention time – for example seven days - the deleted data blocks containing old deleted video data may statistically lurk around on the storage system for an additional seven days before they are overwritten.

To further reduce the risk of access to old video data that has been deleted, and for security in general, it is recommended to enable encryption of the media databases. Recovering old recordings then requires not only restoring the deleted files but also breaking the encryption.

Regardless of whether the video data has been encrypted, once the disks in the storage system are no longer usable, it is important that you sanitize or physically destroy the hard disks that have been used to store media databases before you dispose of them (for example, by shredding or other equivalent means).

For information about how to set this up in Milestone XProtect, see the Storage and archiving (explained) section in the administrator manual for XProtect VMS.
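The following is an added example, not code from Milestone or from the XProtect VMS: a toy model of why deleted recordings can outlive their retention time. It uses a fixed-size "volume" with a free-block bitmap and a next-fit (rotating-cursor) allocator, which is how most filesystems spread writes; a one-recording-per-day ingest loop with VMS-style retention; and a forensic carve of the raw device that looks for a constructed recording header. The optional "encryption" is an HMAC-SHA256 keystream XOR standing in for the AES-256 the page describes, and is only there to show that carved blocks are unreadable without the key. Block size, header, file names and daily volumes are all assumptions chosen for the simulation.

```python
"""Toy model: deleted recordings survive on disk until their blocks are reused."""
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple

BLOCK = 32          # bytes per toy disk block (assumption)
MAGIC = b"REC:"     # constructed on-disk header that marks a recording


def keystream(key: bytes, block_no: int) -> bytes:
    """One keystream block per disk block; HMAC-SHA256 stands in for AES-256."""
    return hmac.new(key, block_no.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]


class ToyVolume:
    """Fixed-size volume with a free-block bitmap and a next-fit allocator.

    delete() only flips bitmap bits, exactly like unlink() on a real filesystem;
    the recording's bytes stay on the device until the rotating allocation
    cursor comes round and a new write reuses the block.
    """

    def __init__(self, nblocks: int, key: Optional[bytes] = None) -> None:
        self.raw = bytearray(nblocks * BLOCK)
        self.free = [True] * nblocks
        self.cursor = 0
        self.files: Dict[str, int] = {}
        self.key = key

    def _alloc(self) -> int:
        n = len(self.free)
        for step in range(n):
            i = (self.cursor + step) % n
            if self.free[i]:
                self.free[i] = False
                self.cursor = (i + 1) % n
                return i
        raise OSError("volume full")

    def write(self, name: str, payload: bytes) -> None:
        data = (MAGIC + payload).ljust(BLOCK, b"\0")[:BLOCK]
        i = self._alloc()
        if self.key is not None:          # encrypted media database
            data = bytes(a ^ b for a, b in zip(data, keystream(self.key, i)))
        self.raw[i * BLOCK:(i + 1) * BLOCK] = data
        self.files[name] = i

    def delete(self, name: str) -> None:
        self.free[self.files.pop(name)] = True   # bytes are NOT touched

    def carve(self) -> Set[str]:
        """What someone holding the raw disk (and no key) can recover."""
        found: Set[str] = set()
        pos = self.raw.find(MAGIC)
        while pos != -1:
            start = pos + len(MAGIC)
            found.add(self.raw[start:start + 5].decode("ascii", "replace"))
            pos = self.raw.find(MAGIC, pos + 1)
        return found

    def sanitize(self) -> None:
        """Overwrite every block before disposal (the page's 'sanitize' step)."""
        self.raw[:] = b"\0" * len(self.raw)


def simulate(nblocks: int, days: int, retention: int,
             key: Optional[bytes] = None) -> Tuple[Set[str], Set[str]]:
    """Run `days` of one-recording-per-day ingest with VMS-style retention.

    Returns (recordings still within retention,
             deleted recordings that a raw-disk carve can still recover).
    """
    vol = ToyVolume(nblocks, key)
    for d in range(1, days + 1):
        expired = [n for n in vol.files if int(n[3:]) <= d - retention]
        for n in expired:                 # automatic retention-based deletion
            vol.delete(n)
        vol.write(f"day{d:02d}", f"day{d:02d}".encode())
    live = set(vol.files)
    return live, vol.carve() - live


if __name__ == "__main__":
    # Seven-day retention, one block per day: sized exactly vs. twice as large.
    for blocks in (7, 14):
        live, ghosts = simulate(blocks, days=14, retention=7)
        print(f"{blocks:2d} blocks: {len(live)} live, {len(ghosts)} recoverable-but-deleted")
    live, ghosts = simulate(14, 14, 7, key=b"\x01" * 32)
    print(f"14 blocks, encrypted: {len(live)} live, {len(ghosts)} recoverable-but-deleted")
```

With the volume sized exactly for the retention window (7 blocks), every expired recording is overwritten on the day it is deleted and the carve finds nothing beyond the live set. With twice the capacity (14 blocks), the carve at day 14 still recovers days 1 to 7, which is the "additional seven days" the text describes. On the encrypted volume the same over-provisioned layout yields no recognizable headers, and `sanitize()` models the overwrite that should precede disposal of a disk.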

If the purpose of the video surveillance is security, and a security incident occurs and it is determined that the recordings are necessary to further investigate the incident or use the recordings as evidence, the relevant recording may be retained beyond the normal retention periods for as long as it is necessary for these purposes. Thereafter, however, they must also be erased.

Retention period for typical security purposes: one week to one month

When cameras are installed for purposes of security, one week to one month should be enough time for security personnel to make an informed decision whether to retain a recording for a longer period to further investigate a security incident or use it as evidence.

An example of local law: according to some German Data Protection Authorities and most of the data protection literature, this retention period is from 48 to 72 hours as a guideline for access control and investigation of criminal offenses.

Member State or third-country territory: 48 hours

In case the surveillance covers any area outside the buildings on Member State (or third-country) territory (typically those near entrance and exit areas) and it is not possible to avoid that passers-by or passing cars are caught on the cameras, it is recommended to reduce the retention period to 48 hours or otherwise accommodate local concerns whenever possible.

Right to restriction of processing

The data subject may, with reference to Article 18 (1) of the GDPR, claim the right to restriction of the processing. In a basic VMS scenario, the data subject may claim that the VMS processing is unlawful, for example if the data subject is unaware that video surveillance of a public space is performed with privacy mask protection. It is recommended to use a Data Subject Request template to document the claim (see Data subject request). For a sample template of a Data Subject Request, see the Milestone Data Subject Request template.

The claim should be processed within a reasonable time frame and before the retention period expires, so that the recordings concerned are not automatically deleted by the VMS. It is generally advised to seek legal counsel concerning the restriction of processing. One way to handle such a request is to let the VMS administrator limit VMS supervisors or operators by role assignment so that they can only play back recordings within a short time after they have been recorded, for instance four hours or one day (see What should you do?: "Consider restricting access to recorded video for operators, either completely, to only the video recorded in the past few hours, or only with dual authorization"). Limitations of playback also apply to evidence locks. If further restrictions of processing are required, it is recommended to conduct both a business impact assessment and a Privacy Impact Assessment (see Conducting an impact assessment) as part of the claim handling.

Privacy by design

The GDPR mandates that privacy must be a priority throughout system design and commissioning. The approach taken with respect to data privacy must be proactive, not reactive. Risks should be anticipated, and the objective must be to prevent events before they occur.

Organizations must carefully consider and document how systems are designed to stay within the stated objectives.

Care must be paid not to capture personal data of subjects who fall outside of the domain of the system (for example, adjacent public areas).

Consider carefully who needs to see what information (for example, live or recorded video, time frame, resolution) and who can access which features (for example, search).

What should you do?

  • Document the resolution of different points in the camera scene
  • Document the intended retention time
  • Consider applying privacy masking – permanent or liftable
  • Consider setting up permissions for viewing live videos, recordings
  • Consider restricting access for exporting recordings and for lifting privacy masks
  • Regularly review roles and responsibilities for operators, investigators, system administrators, and others with access to the system
  • Consider restricting access to groups tasked with investigations for cameras that are specifically positioned to capture identity (for example, faces of people entering a store)
  • Consider restricting access to the recorded video for operators, either completely, to only the video recorded in the past few hours, or only with dual authorization
  • Limit the number of users who have an administrator role

Requirements for privacy by design

Data minimization

You must ensure the personal data you are processing is:

  • adequate – enough to properly fulfill your stated purpose
  • relevant – has a rational link to that purpose
  • limited to what is necessary – you do not hold more than you need for that purpose.

Accuracy

Generally, for personal data:

  • You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact.
  • You may need to keep the personal data updated, although this will depend on what you are using it for.
  • If you discover that personal data is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible.
  • You must carefully consider any challenges to the accuracy of personal data.

Storage period limitation

  • You must not keep personal data for longer than you need it.
  • You need to think about—and be able to justify—how long you keep personal data. This will depend on your purposes for holding the data.
  • You need a policy that sets standard retention periods wherever possible, to comply with documented requirements.
  • You should also periodically review the data you hold, and erase or anonymize it when you no longer need it.
  • You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
  • You may keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.

Privacy by design and privacy by default

According to GDPR, the controller of personal data, when processing such data, must implement technical and organizational measures which are designed to implement the data protection principles set out in GDPR. GDPR refers to this as privacy by design.

In the context of a camera, a relevant example of privacy by design would be a feature that digitally allows the user to restrict image capture to a certain perimeter, preventing the camera from capturing any imagery outside this perimeter that would otherwise be captured.

In the XProtect VMS, there is support for privacy masking in two forms: permanent masks that cannot be removed, and liftable masks that (with the appropriate permissions) can be lifted to reveal the image behind the mask.

The data controller must also implement technical and organizational measures which by default ensure the least privacy-intrusive processing of the personal data in question. GDPR refers to this as privacy by default. In the context of a camera, a relevant example of privacy by default could be using privacy masking to keep a sensitive area within the view of the camera private.

What is an example of an XProtect feature that supports the privacy by design approach?

Milestone develops its portfolio of products continuously, and privacy by default is a key evaluation criterion in making XProtect GDPR compliant. For more information, see the guide about the secure development lifecycle at Milestone. This guide is an integral part of privacy by default, applying principles such as "defense-in-depth," "least privileges," and avoiding less secure default settings and turning off infrequently used features by default.

What should you do to ensure privacy by design?

  • Consider the resolution of different points in the camera scene and document these settings

    Different purposes require different image qualities. When identification is not necessary, the camera resolution and other modifiable factors should be chosen to ensure that no recognizable facial images are captured.

  • Encrypt your recordings

    Milestone recommends that you secure your recordings by enabling at least Light encryption on your recording servers' storage and archives. Milestone uses the AES-256 algorithm for encryption. When you select Light encryption, only a part of the recording is encrypted. When you select Strong encryption, the entire recording is encrypted.

  • Encrypt investigations database

    Milestone recommends that you secure the investigations database on the Mobile Server.

  • Secure the network

    Milestone recommends that you select cameras that support HTTPS. It is recommended that you set the cameras on separate VLANs and use HTTPS for your camera to recording server communication, as well as clients to recording server communication.

    It is recommended that you enable encryption for all communication between all servers and clients. For information about securing your XProtect VMS installations, see the hardening guide and the certificates guide.

    It is recommended that XProtect Smart Client and XProtect Smart Wall are on the same VLAN as the servers.

    Use a VPN encrypted network or similar if using Smart Client or Smart Wall from a remote location.

  • Enable and document the intended retention time

    Under the storage limitation principle (Article 5 (1)(e), GDPR) and the erasure ground in Article 17 (1)(a) of the GDPR, recordings must not be retained longer than necessary for the specific purposes for which they were made. Milestone recommends that you set the retention time appropriately. This automates the disposal of video.

  • Secure exports

    Milestone recommends that you only allow access to export functionality for a select set of users that need this permission.

    Milestone also recommends that the Smart Client profile be changed to allow export only in XProtect Format with encryption enabled. AVI and JPEG exports should not be allowed, because they cannot be made secure. This makes the export of any evidence material password-protected, encrypted, and digitally signed, making sure forensic material is genuine, untampered with, and viewed by the authorized receiver only.

  • Enable privacy masking – permanent or liftable

    Use privacy masking to help eliminate surveillance of areas irrelevant to your surveillance target.

  • Restrict access permissions with roles

    Apply the principle of least privilege (PoLP).

    Milestone recommends that you only allow access to functionality for a select set of users that need this permission. By default, only the system administrator can access the system and perform tasks. All new roles and users that are created have no access to any functions until they are deliberately configured by an administrator.

    Set up permissions for all functionality, including viewing live video and recordings, listening to audio, accessing metadata, controlling PTZ cameras, accessing and configuring Smart Wall, lifting privacy masks, working with exports, saving snapshots, and so on.

    Restrict operators' access to recorded video, audio, and metadata, either completely or to only the video, audio, or metadata recorded in the past few hours or less.

    Regularly assess and review roles and responsibilities for operators, investigators, system administrators, and others with access to the system. Does the principle of least privilege still apply?

  • Enable and use two-step verification

    Milestone recommends that you specify an additional login step for users of XProtect Mobile or XProtect Web Client by enabling two-step verification.

  • Restrict administrator permissions

    Milestone recommends that you limit the number of users that have an Administrator Role.

Setting up and configuring the video surveillance system

The guiding principle in connection with all items addressed in this section should be to minimize any negative impact on the privacy and other fundamental rights and legitimate interests of those under surveillance.

Camera locations and viewing angles

Camera locations should be chosen to minimize viewing areas that are not relevant for the intended purposes.

As a rule, where a video surveillance system is installed to protect the assets (property or information) of the organization or the safety of staff and visitors, the organization should restrict monitoring to

  • carefully selected areas containing sensitive information, high-value items, or other assets requiring heightened protection for a specific reason,
  • entry and exit points to the buildings (including emergency exits and fire exits and walls or fences surrounding the building or property), and
  • entry and exit points within the building connecting different areas which are subject to different access permissions and separated by locked doors or another access control mechanism.

Number of cameras

The number of cameras to be installed will depend on the size of the buildings and the security needs, which, in turn, are contingent upon a variety of factors. The same number and type of cameras may be appropriate for one organization and may be grossly disproportionate for another. However, all other things being equal, the number of cameras is a good indicator of the complexity and size of a surveillance system and may suggest increased risks to privacy and other fundamental rights. As the number of cameras increases, there is also an increased likelihood that they will not be used efficiently, and information overload occurs. Therefore, the European Data Protection Supervisor (EDPS) recommends limiting the number of cameras to what is strictly necessary to achieve the purposes of the system. The number of cameras must be included in the Video Surveillance Policy.

Times of monitoring

The time when the cameras are set to record should be chosen to minimize monitoring at times that are not relevant for the intended purposes. If the purpose of video surveillance is security, whenever possible, the system should be set to record only during times when there is a higher likelihood that the purported security problems occur.

Resolution and image quality

Adequate resolution and image quality should be chosen. Different purposes will require different image qualities. For example, when the identification of the individuals is crucial, the resolution of the cameras, compression settings in a digital system, the location, the lighting, and other factors should all be considered and chosen or modified so that the resulting image quality would be sufficient to provide recognizable facial images. If identification is not necessary, the camera resolution and other modifiable factors can be chosen to ensure that no recognizable facial images are captured.

Who should have access to the VMS?

Access permissions must be limited to a small number of clearly identified individuals on a strictly need-to-access basis. VMS access policies should be defined following the principle of “least privilege”: access is permitted to users for only those resources that are strictly necessary to carry out their tasks.

Only the data controller, the system administrator, or other staff members specifically appointed by the data controller for this purpose should be able to grant, alter or annul access permissions of any persons. Any provision, alteration, or annulment of access permissions must be made in accordance with criteria established in the organization's Video Surveillance Policy.

Those having access permissions must always be clearly identifiable individuals.

The Video Surveillance Policy must clearly specify and document who has access to the video surveillance recordings and/or the technical architecture, for example VMS servers, of the video surveillance system, for what purpose and what those access permissions consist of. In particular, you must specify who has the permissions to

  • View the video/audio in real-time
  • Operate the pan-tilt-and-zoom (PTZ) cameras
  • View the recordings
  • Export, or
  • Delete any recording

In addition, you must configure access to the following VMS features:

  • Bookmarks
  • Evidence locks
  • Lift privacy masks
  • Export
  • Trigger events
  • Start/stop recording
  • Create/edit/delete/activate/lock/release PTZ presets
  • Create/edit/delete/start/stop PTZ patrolling schemes
  • Smart search
  • Audio, metadata, I/O and event permissions

Protecting stored and transmitted data

First and foremost, an internal analysis of the security risks must be carried out to determine what security measures are necessary to protect the video surveillance system, including the personal data it processes.

In all cases, measures must be taken to ensure security with respect to

  • Transmission
  • Storage (such as in computer databases)
  • Access (such as access to servers, storage systems, the network, and premises)

Transmission must be routed through secure communication channels and protected against interception, for example by doing the following:

  • Encrypt the media database in the Recording Server and encrypt all communication between servers and clients. For information about securing your XProtect VMS installations, see the hardening guide and the certificates guide.

  • Connect cameras to the Recording Server over HTTPS

  • Use a VPN for Smart Client or Management Client connections over the internet

  • Use HTTPS for XProtect Mobile client and XProtect Web Client

Protection against interception is especially important if a wireless transmission system is used or if any data is transferred via the internet. In these cases, the data must be encrypted while in transit, or equivalent protection must be provided.

Encryption, or other technical means ensuring equivalent protection, must also be considered for data in storage if the internal analysis of the security risks justifies it. This may be the case, for example, if the data is particularly sensitive. This is done by enabling encryption of the media database.

All premises where the video surveillance data is stored and where it is viewed must be secured. Physical access to the control room and the server room where the VMS servers are placed must be protected. No third parties (for example, cleaning or maintenance personnel) should have unsupervised access to these premises.

The location of monitors must be chosen so that unauthorized personnel cannot view them. If they must be near the public areas, the monitors must be positioned so that only the security personnel can view them.

The XProtect VMS logs basic information by default, but we recommend that you enable user access logging in the Management Client for the audit log.

This digital logging system is in place to ensure that an audit can determine at any time who accessed the system, where, and when. The logging system can identify who viewed, deleted, or exported any video surveillance data (this requires that you enable user access logging).

For more information, see the administrator manual for XProtect VMS.

In this respect, and elsewhere, attention must be paid to the key functions and powers of the system administrators, and the need to balance these with adequate monitoring and safeguards.
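The audit question above (who viewed, exported, or deleted what, and when) and the least-privilege roles described earlier can be checked together against exported audit records. The following Python script is an added example, not Milestone's code: it flags actions a role does not grant, unknown accounts, and one account used from two clients in quick succession (a sign of the shared accounts the checklist warns against), and lists who exported or deleted what. The role table, user names, the tab-separated record layout and the sample lines are all constructed assumptions; XProtect's real audit log format is not shown on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Permissions the guide says a Video Surveillance Policy must assign explicitly.
# Role and user tables are constructed for this example, not the VMS's own.
ROLES = {
    "Administrator": {"view_live", "ptz", "view_recordings", "export", "delete"},
    "Operator": {"view_live", "ptz"},
    "Investigator": {"view_live", "view_recordings", "export"},
}
USERS = {"alice": "Administrator", "bob": "Operator", "carol": "Investigator"}

@dataclass
class AuditEvent:
    when: datetime
    user: str
    action: str   # one of the permission names above
    target: str   # camera or recording the action touched
    client: str   # address of the client that issued the action

def parse_line(line):
    """Parse one tab-separated record: timestamp, user, action, target, client.
    The layout is assumed for this example; it is not the VMS audit log format."""
    when, user, action, target, client = line.rstrip("\n").split("\t")
    return AuditEvent(datetime.fromisoformat(when.replace("Z", "+00:00")),
                      user, action, target, client)

def find_violations(events, share_window=timedelta(minutes=5)):
    """Flag actions the user's role does not grant, unknown accounts, and one
    account used from two clients within share_window (a shared-account sign)."""
    findings, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        role = USERS.get(ev.user)
        if role is None:
            findings.append((ev, "unknown account"))
        elif ev.action not in ROLES[role]:
            findings.append((ev, f"{role} role lacks '{ev.action}' permission"))
        prev = last_seen.get(ev.user)
        if prev and prev[1] != ev.client and ev.when - prev[0] <= share_window:
            findings.append((ev, f"account also used from {prev[1]} within {share_window}"))
        last_seen[ev.user] = (ev.when, ev.client)
    return findings

def access_summary(events):
    """Who exported or deleted what, and when: what an audit must be able to answer."""
    return sorted((e.user, e.action, e.target, e.when.isoformat())
                  for e in events if e.action in ("export", "delete"))

SAMPLE_LOG = [  # constructed records, not real audit output
    "2024-03-01T08:02:11Z\tbob\tview_live\tCam-Lobby\t10.0.5.12",
    "2024-03-01T08:05:40Z\tbob\texport\tCam-Lobby\t10.0.5.12",
    "2024-03-01T08:06:02Z\tbob\tview_live\tCam-Gate\t10.0.5.40",
    "2024-03-01T09:15:00Z\tcarol\texport\tCam-Gate\t10.0.5.21",
    "2024-03-01T09:20:00Z\tdave\tdelete\tCam-Gate\t10.0.5.99",
]

if __name__ == "__main__":
    for ev, why in find_violations([parse_line(l) for l in SAMPLE_LOG]):
        print(f"{ev.when:%Y-%m-%d %H:%M} {ev.user} {ev.action} {ev.target}: {why}")
```

Run against a real export of the audit log, the role table would be replaced with the roles actually configured in the Management Client.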

Accountability

Article 5 (2) of the GDPR states:

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

The principles relating to the processing of personal data referred to in paragraph 1 are: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality.

The accountability principle requires you to take responsibility for what you do with personal data.

More specifically, Article 30 of the GDPR states:

Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility.

The record must contain all of the following information:

  1. the name and contact details of the controller and, where applicable, the joint controller, the controller's representative, and the data protection officer
  2. the purposes of the processing
  3. a description of the categories of data subjects and of the categories of personal data
  4. the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations
  5. where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49 (1), the documentation of suitable safeguards
  6. where possible, the envisaged time limits for erasure of the different categories of data
  7. where possible, a general description of the technical and organizational security measures referred to in Article 32 (1)

Accountability is one of the data protection principles - it makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance.

You need to put in place appropriate technical and organizational measures to meet the requirements of accountability.

There are several measures that you can take, and in some cases must take, including:

  • Adopting and implementing data protection policies
  • Taking a ‘data protection by design and default’ approach (for more information, see Privacy by design)
  • Putting written contracts in place with organizations that process personal data on your behalf
  • Maintaining documentation of your processing activities
  • Implementing appropriate security measures
  • Recording and, where necessary, reporting personal data breaches
  • Carrying out Data Protection Impact Assessments for uses of personal data that are likely to result in high risk to individuals’ interests
  • Appointing a data protection officer
  • Adhering to relevant codes of conduct and signing up to certification schemes

Use a Record of Processing Activities template to identify and track accountability issues. For a sample template of a Record of Processing Activities, see the Record of Processing Activities template.

Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place.

If you implement a privacy management framework this can help you embed your accountability measures and create a culture of privacy across your organization.

Being accountable can help you to build trust with individuals and may help you mitigate GDPR enforcement action.

Checklist for securing integrity and confidentiality

The GDPR requires that organizations have comprehensive policies and procedures ensuring personal data always remains within the control of the organization. Additionally, personal data breaches must be reported within 72 hours to the competent supervisory authority appointed by their country's government.

Take all appropriate organizational and technical measures to protect against compromising personal data.

What should you do?

  • Review security policies around password control and account use.
  • Consider setting minimum password strength requirements for all domain groups. Consider setting stronger requirements for administrative accounts on the domain level.
  • Have processes in place to audit protection status and detect breaches.
  • Ensure users do not share accounts, whether by sharing passwords or by not logging off/on at the end/start of their shift.
  • Maintain a documented policy and procedure governing appropriate actions in the event of a data breach.
  • You must ensure that you have appropriate security measures in place to protect the personal data you hold.
  • A key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organizational measures’ – this is the ‘security principle’.
  • Doing this requires you to consider things like risk analysis, organizational policies, and physical and technical measures.
  • You must also take into account additional requirements about the security of your processing – and these also apply to data processors.
  • You can consider the state of the art and costs of implementation when deciding what measures to take – but they must be appropriate both to your circumstances and the risk your processing poses.
  • Where appropriate, you should look to use measures such as pseudonymization (for example, using privacy protection with a blurring mask), and encryption.
  • Your measures must ensure the ‘confidentiality, integrity and availability’ of your systems and services and the personal data you process within them.
  • The measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
  • You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures and undertake any required improvements.

Policies to safeguard use of mobile devices

It is recommended that you set up a policy for mobile devices and app usage with measures that include:

  • Consider using Mobile Device Management (MDM) software

  • Limit the number of employees with access to XProtect Mobile client or XProtect Web Client

  • Do not allow XProtect Mobile client installations on private devices

  • Do not use private e-mail addresses for accounts on business devices because Google or Apple might be able to identify the data subjects and may be able to link work and private profiles

  • Create roles for mobile users that make use of time profiles

  • Create pseudonymous accounts on mobile devices that will be used by roaming guards. These Google and Apple accounts could link to a pseudonymous business e-mail address such as "guard01@company-name.com" with the account name "Guard 01".

    Using such pseudonymous accounts limits the amount of personal data being processed by Google and Apple. As such, push notifications do not violate the Schrems II CJEU ruling, because the personal data involved in push notifications cannot be de-pseudonymized by any US-based organization or authority without the help of the organization that operates the VMS.

  • Use two-step authentication

  • If you use the operating system's biometric authentication feature, ensure that using this authentication mechanism provides an adequate security level. Biometric authentication improves the overall security as long as it is used in combination with a strong password policy.

    By adopting biometric authentication, you may become a data controller for the processing of special categories of personal data, according to Article 9 of the GDPR on biometric data.

  • Limit the retention time of investigations to a minimum, and document it

  • Advise mobile operators to delete screenshots immediately when they are not relevant anymore

  • Disable automatic backup of image libraries from mobile devices to remote servers such as Google and Apple

You must also have policies and procedures in place in the event of lost or stolen equipment, particularly if that equipment can expose personal data.

If equipment such as a mobile device or smartphone is lost or stolen, you should:

  • Disable the user account

  • Force a password change for re-enabling the device