Appendix: GDPR compliance

Conducting an impact assessment

Before installing and implementing video surveillance systems, you should conduct a privacy and Data Protection Impact Assessment.

The purpose of an impact assessment is to determine the impact of the proposed system on individuals' privacy and other fundamental rights, and to identify ways to mitigate or avoid adverse effects.

How much effort should go into the impact assessment? It depends on the circumstances. A video surveillance system with a high risk of encroaching on privacy warrants a greater investment than a video surveillance system with limited impact on privacy, for example, a conventional static CCTV system.

At a minimum, according to Article 35 (7) of the GDPR, the assessment must contain at least:

• A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller

• An assessment of the necessity and proportionality of the processing operations in relation to the purposes

• An assessment of the risks to the rights and freedoms of data subjects referred to in Article 35 (1) of the GDPR:

  Where a type of processing in particular using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

• The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned

In any event, and in all cases, you must assess and justify whether to resort to video surveillance, how to place the cameras, select and configure the systems, and how to implement the required data protection safeguards. For information about securing your XProtect VMS installations, see the hardening guide and the certificates guide.

Right to access

Under Article 15, the GDPR gives individuals control over their personal data, including the right to see that data. Particularly important is the right that data subjects can get a copy of their data and that third persons are masked (using third-party tools).

Upon request, organizations need to deliver to a data subject all the personal data collected about them, including video collected by a video surveillance system.

Ensure that you establish formal procedures and policies for handling right to access requests, described in Register of transfers and disclosures.

Transfers and disclosures

There are three main rules in the GDPR governing transfers, depending on whether the recordings are transferred:

• To a recipient within the organization or in another organization

  In this case, the GDPR provides that the recordings can be transferred to others within the organization or in another organization if this is necessary for the legitimate performance of tasks covered by the competence of the recipient.

• To others within the European Union

  In this case (transfers outside the organizations but within the European Union), these are possible if this is necessary for the performance of a task carried out in the public interest or subject to the exercise of public authority, or if the recipient otherwise establishes that the transfer is necessary and there is no reason to assume that the legitimate interests of those whose images are transferred might be prejudiced.

• Or to outside the European Union

  In this case, transfers outside the European Union can be made: (i) if done solely to allow the organization’s tasks to be carried out and (ii) only subject to additional requirements, mainly to ensure that the data will be adequately protected abroad.

Register of transfers and disclosures

The organizations should keep a register—whenever possible, in an electronic form—of transfers and disclosures. In it, each transfer to a third party should be recorded. (third parties also include anyone within the organization to whom a transfer is made by those having access to the recordings in the first place. This typically includes any transfer outside the security unit.) The register, in addition, should contain all instances where, although the copy of the video surveillance recording was not transferred, third parties were shown the recordings or when the content of the recordings was otherwise disclosed to third parties.

The register should include at least the following:

• Date of the recordings
• Requesting party (name, title, and organization)
• Name and title of the person authorizing the transfer
• Brief description of the content of the recordings
• Reason for the request and the reason for granting it
• Whether a copy of the recording was transferred, the recording was shown, or verbal information was given

Right to be forgotten (Right to erasure)

Under Article 17, the GDPR gives individuals control over their personal data, including the right to have their personal data erased if it is no longer necessary for the intended purpose of the system.

According to Article 17 (1)(c) of the GDPR, the data controller must handle objections of data subjects. Since deleting a specific subject from video is not practical, data-processors should strictly limit how long video is retained in accordance with the documented purpose of the system.

What should you do?

Review retention time for all cameras, and ensure it is set in accordance with the documented system purpose.

The right to be forgotten does not often apply to video surveillance, since retention time is usually short and since other lawful basis overrule 'reasonable' technical and legal interests such as legal obligation (employment act), public interest (crime prevention, public health & security), vital interests (life & health critical data, hazardous and dangerous environments), legitimate interests (fraud detection, employment, product development), or even contractual fulfillment (employment, subscriptions and licensing). An example of a legitimate interest is that video surveillance recordings must be a trusted source of evidence at any given time, therefore, the VMS primarily protects video evidence from being tampered with and assuring its authentication, making the right to be forgotten secondary.

There are usually two reasons for data subjects to object to the storage of video recordings:

• The interests of the data controller to store the data are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Article 17 (1)(c), GDPR)
• The personal data have been unlawfully processed, for example the surveillance of a kindergarten or a locker room (Article 17 (1)(d), GDPR)

Therefore, each request must be examined thoroughly.

How long should the recordings be kept?

The general principle is that recordings must not be retained longer than necessary for the specific purposes for which they were made. It must also be considered whether the recording is necessary in the first place and whether live monitoring without recording would be enough.

If an organization opts for recording, it must specify the period for which the recordings will be retained. After the lapse of this period, the recordings must be erased. Milestone XProtect VMS automates the process of erasure, by automatically deleting recordings older than the set retention time.

When files containing the recorded video data are deleted by the VMS, the files and their content are actually not erased from the data blocks on the storage system but simply marked as free in the file system, allowing other files to be written to this location on the storage system. Until the data blocks are actually overwritten with new data, the old deleted video data may potentially be restored, providing access to recordings older than the set retention time.

Because of this, it is recommended not to over-dimension the storage system, because the risk becomes larger with the size of the overhead.

For example, if the allocated storage system is twice as large as the amount of video data stored for the set retention time – for example seven days - the deleted data blocks containing old deleted video data may statistically lurk around on the storage system for an additional seven days before they are overwritten.

To further reduce the risk of accessing old video data that has been deleted, and for security in general, it is recommended to enable encryption of the media databases, because this, in addition to restoring the deleted files, now also requires the encryption to be broken.

Regardless if the video data has been encrypted or not, once the disks in the storage system are no longer useable, it important that you sanitize or physically destroy the hard disks that have been used to store media databases before you dispose of them (for example, by shredding or other equivalent means).

For information about how to set this up in Milestone XProtect, see the Storage and archiving (explained) section in the administrator manual for XProtect VMS.

If the purpose of the video surveillance is security, and a security incident occurs and it is determined that the recordings are necessary to further investigate the incident or use the recordings as evidence, the relevant recording may be retained beyond the normal retention periods for as long as it is necessary for these purposes. Thereafter, however, they must also be erased.

Retention period for typical security purposes: one week to one month

When cameras are installed for purposes of security, one week to one month should be enough time for security personnel to make an informed decision whether to retain a recording for a longer period to further investigate a security incident or use it as evidence.

An example of local law: according to some German Data Protection Authorities and most of the data protection literature, this retention period is from 48 to 72 hours as a guideline for access control and investigation of criminal offenses.

Member State or third-country territory: 48 hours

In case the surveillance covers any area outside the buildings on Member State (or third-country) territory (typically those near entrance and exit areas) and it is not possible to avoid that passers-by or passing cars are caught on the cameras, it is recommended to reduce the retention period to 48 hours or otherwise accommodate local concerns whenever possible.

Right to restriction of processing

The data subject may, with reference to Article 18 (1) of the GDPR, claim the right to restriction of the processing. In a basic VMS scenario, the data subject may claim that the VMS processing is unlawful, for example if the data subject is unaware that video surveillance of a public space is performed with privacy mask protection. It is recommended to use a Data Subject Request template to document the claim (see Data subject request). For a sample template of a Data Subject Request, see the Milestone Data Subject Request template.

The claim should be processed within a reasonable time-frame, faster than the retention period to avoid automated retention or deletion of the VMS evidence in the claim. It is generally advised to seek legal counsel concerning the restriction of processing. One way to handle such a request is to let the VMS administrator limit VMS supervisors or operators by role assignment to only be able to playback recordings within a short time after they have been recorded – for instance, four hours or one day (see What should you do?: "Consider restricting access to recorded video for operators, either completely, to only the video recorded in the past few hours, or only with dual authorization"). Limitations of playback also apply to evidence locks. If further restrictions of processing are required, it is recommended to conduct both a business impact assessment and a Privacy Impact Assessment (see Conducting an impact assessment) as part of the claim handling.

What should you do?

• Document the resolution of different points in the camera scene
• Document the intended retention time
• Consider applying privacy masking – permanent or liftable
• Consider setting up permissions for viewing live videos, recordings
• Consider restricting access for exporting recordings and for lifting privacy masks
• Regularly review roles and responsibilities for operators, investigators, system administrators, and others with access to the system
• Consider restricting access to groups tasked with investigations for cameras that are specifically positioned to capture identity (for example, faces of people entering a store)
• Consider restricting access to the recorded video for operators, either completely, to only the video recorded in the past few hours, or only with dual authorization
• Limit the number of users who have an administrator role

Requirements for privacy by design

Privacy by design and privacy by default

According to GDPR, the controller of personal data, when processing such data, must implement technical or organizational measures which are designed to implement the data protection principles set out in GDPR. GDPR refers to this as privacy by design.

In the context of a camera, a relevant example of privacy by design would be a feature that digitally allows the user to restrict image capture to a certain perimeter, preventing the camera from capturing any imagery outside this perimeter that would otherwise be captured.

In the XProtect VMS, there is support for privacy masking in two forms: permanent masks that cannot be removed, and liftable masks that (with the appropriate permissions) can be lifted to reveal the image behind the mask.

The data controller must also implement technical or organizational measures which by default ensure the least privacy intrusive processing of the personal data in question. GDPR refers to this as privacy by default. In the context of a camera, a relevant example of privacy by default could be using privacy masking to keep a sensitive area within the view of the camera private.

What is an example of an XProtect feature that supports the privacy by design approach?

Milestone develops its portfolio of products continuously, and privacy by default is a key evaluation criterion in making XProtect GDPR compliant. For more information, see the guide about the secure development lifecycle at Milestone. This guide is an integral part of privacy by default, applying principles such as "defense-in-depth," "least privileges," and avoiding less secure default settings and turning off infrequently used features by default.

What should you do to ensure privacy by design?

• Consider the resolution of different points in the camera scene and document these settings

  Different purposes require different image qualities. When identification is not necessary, the camera resolution and other modifiable factors should be chosen to ensure that no recognizable facial images are captured.

• Encrypt your recordings

  Milestone recommends that you secure your recordings by enabling at least Light encryption on your recording servers' storage and archives. Milestone uses the AES-256 algorithm for encryption. When you select Light encryption, only a part of the recording is encrypted. When you select Strong encryption, the entire recording is encrypted.

• Encrypt investigations database

  Milestone recommends that you secure the investigations database on the Mobile Server.

• Secure the network

  Milestone recommends that you select cameras that support HTTPS. It is recommended that you set the cameras on separate VLANs and use HTTPS for your camera to recording server communication, as well as clients to recording server communication.

  It is recommended that you enable encryption for all communication between all servers and clients. For information about securing your XProtect VMS installations, see the hardening guide and the certificates guide.

  It is recommended that XProtect Smart Client and XProtect Smart Wall are on the same VLAN as the servers.

  Use a VPN encrypted network or similar if using Smart Client or Smart Wall from a remote location.

• Enable and document the intended retention time

  According to Article 17 (1)(a) of the GDPR, recordings must not be retained longer than necessary for the specific purposes for which they were made. Milestone recommends that you set the retention time appropriately. This, then, automates the disposal of video.

• Secure exports

  Milestone recommends that you only allow access to export functionality for a select set of users that need this permission.

  Milestone also recommends that the Smart Client profile is changed to only allow export in XProtect Format with encryption enabled. AVI and JPEG exports should not be allowed, because they cannot be made secure. This makes export of any evidence material password-protected, encrypted, and digitally signed, making sure forensic material is genuine, untampered with, and viewed by the authorized receiver only.

• Enable privacy masking – permanent or liftable

  Use privacy masking to help eliminate surveillance of areas irrelevant to your surveillance target.

• Restrict access permissions with roles

  Apply the principle of least privilege (PoLP).

  Milestone recommends that you only allow access to functionality for a select set of users that need this permission. By default, only the system administrator can access the system and perform tasks. All new roles and users that are created have no access to any functions until they are deliberately configured by an administrator.

  Set up permissions for all functionality, including viewing live video and recordings, listening to audio, accessing metadata, controlling PTZ cameras, accessing and configuring Smart Wall, lifting privacy masks, working with exports, saving snapshots, and so on.

  Restrict access to recorded video, audio, and metadata for operators, either completely, or restrict access to only the video, audio, or metadata recorded in the past few hours or less.

  Regularly assess and review roles and responsibilities for operators, investigators, system administrators, and others with access to the system. Does the principle of least privilege still apply?

• Enable and use two-step verification

  Milestone recommends that you specify an additional login step for users of XProtect Mobile or XProtect Web Client by enabling two-step verification.

• Restrict administrator permissions

  Milestone recommends that you limit the number of users that have an Administrator Role.

Setting up and configuring the video surveillance system

The guiding principle in connection with all items addressed in this section should be to minimize any negative impact on the privacy and other fundamental rights and legitimate interests of those under surveillance.

Camera locations and viewing angles

Camera locations should be chosen to minimize viewing areas that are not relevant for the intended purposes.

As a rule, where a video surveillance system is installed to protect the assets (property or information) of the organization or the safety of staff and visitors, the organization should restrict monitoring to

• carefully selected areas containing sensitive information, high-value items, or other assets requiring heightened protection for a specific reason,
• entry and exit points to the buildings (including emergency exits and fire exits and walls or fences surrounding the building or property), and
• entry and exit points within the building connecting different areas which are subject to different access permissions and separated by locked doors or another access control mechanism.

Number of cameras

The number of cameras to be installed will depend on the size of the buildings and the security needs, which, in turn, are contingent upon a variety of factors. The same number and type of cameras may be appropriate for one organization and may be grossly disproportionate for another. However, all other things being equal, the number of cameras is a good indicator of the complexity and size of a surveillance system and may suggest increased risks to privacy and other fundamental rights. As the number of cameras increases, there is also an increased likelihood that they will not be used efficiently, and information overload occurs. Therefore, the European Data Protection Supervisor (EDPS) recommends limiting the number of cameras to what is strictly necessary to achieve the purposes of the system. The number of cameras must be included in the Video Surveillance Policy.

Times of monitoring

The time when the cameras are set to record should be chosen to minimize monitoring at times that are not relevant for the intended purposes. If the purpose of video surveillance is security, whenever possible, the system should be set to record only during times when there is a higher likelihood that the purported security problems occur.

Resolution and image quality

Adequate resolution and image quality should be chosen. Different purposes will require different image qualities. For example, when the identification of the individuals is crucial, the resolution of the cameras, compression settings in a digital system, the location, the lighting, and other factors should all be considered and chosen or modified so that the resulting image quality would be sufficient to provide recognizable facial images. If identification is not necessary, the camera resolution and other modifiable factors can be chosen to ensure that no recognizable facial images are captured.

Who should have access to the VMS?

Access permissions must be limited to a small number of clearly identified individuals on a strictly need-to-access basis. VMS access policies should be defined following the principle of “least privilege”: access is permitted to users for only those resources that are strictly necessary to carry out their tasks.

Only the data controller, the system administrator, or other staff members specifically appointed by the data controller for this purpose should be able to grant, alter or annul access permissions of any persons. Any provision, alteration, or annulment of access permissions must be made in accordance with criteria established in the organization's Video Surveillance Policy.

Those having access permissions must always be clearly identifiable individuals.

The Video Surveillance Policy must clearly specify and document who has access to the video surveillance recordings and/or the technical architecture, for example VMS servers, of the video surveillance system, for what purpose and what those access permissions consist of. In particular, you must specify who has the permissions to

• View the video/audio in real-time
• Operate the pan-tilt-and-zoom (PTZ) cameras
• View the recordings
• Export, or
• Delete any recording

In addition, you must configure access to the following VMS features:

• Bookmarks
• Evidence locks
• Lift privacy masks
• Export
• Trigger events
• Start/stop recording
• Create/edit/delete/activate/lock/release PTZ presets
• Create/edit/delete/start/stop PTZ patrolling schemes
• Smart search
• Audio, metadata, I/O and event permissions

Protecting stored and transmitted data

First and foremost, an internal analysis of the security risks must be carried out to determine what security measures are necessary to protect the video surveillance system, including the personal data it processes.

In all cases, measures must be taken to ensure security with respect to

• Transmission
• Storage (such as in computer databases)
• Access (such as access to servers, storage systems, the network, and premises)

Transmission must be routed through secure communication channels and protected against interception, for example by doing the following:

• Encrypt the media database in the Recording Server and encrypt all communication between servers and clients. For information about securing your XProtect VMS installations, see the hardening guide and the certificates guide.

• Connect HTTPS camera to the Recording Server

• Use VPN for Smart Client or Management Client connected via internet

• Use HTTPS for XProtect Mobile client and XProtect Web Client

Protection against interception is especially important if a wireless transmission system is used or if any data is transferred via the internet. In these cases, the data must be encrypted while in transit, or equivalent protection must be provided.

Encryption or other technical means ensuring equivalent protection must also be considered in other cases, while in storage, if the internal analysis of the security risks justifies it. This may be the case, for example, if the data is particularly sensitive. This is done by enabling encryption of the media database.

All premises where the video surveillance data is stored and where it is viewed must be secured. Physical access to the control room and the server room where the VMS servers are placed must be protected. No third parties (for example, cleaning or maintenance personnel) should have unsupervised access to these premises.

The location of monitors must be chosen so that unauthorized personnel cannot view them. If they must be near the public areas, the monitors must be positioned so that only the security personnel can view them.

The XProtect VMS logs basic information by default, but we recommend that you enable user access logging in the Management Client for the audit log.

This digital logging system is in place to ensure that an audit can determine at any time who accessed the system, where, and when. The logging system can identify who viewed, deleted, or exported any video surveillance data (this requires that you enable user access logging).

For more information, see the administrator manual for XProtect VMS.

In this respect, and elsewhere, attention must be paid to the key functions and powers of the system administrators, and the need to balance these with adequate monitoring and safeguards.

Policies to safeguard use of mobile devices

It is recommended that you set up a policy for mobile devices and app usage with measures that include:

• Consider using Mobile Device Management (MDM) software

• Limit the number of employees with access to XProtect Mobile client or XProtect Web Client

• Do not allow XProtect Mobile client installations on private devices

• Do not use private e-mail addresses for accounts on business devices because Google or Apple might be able to identify the data subjects and may be able to link work and private profiles

• Create roles for mobile users that make use of time profiles

• Create pseudonymous accounts on mobile devices that will be used by roaming guards. These Google and Apple accounts could link to a pseudonymous business e-mail address such as "guard01@company-name.com" with the account name "Guard 01".

  Using such pseudonymous accounts limits the amount of personal data being processed by Google and Apple. As such, push notifications do not violate the Schrems II CJEU ruling because personal data involved with push notifications cannot be de-pseudonymised by any US-based organization or authority without the help of the organization that operates the VMS.

• Use two-step authentication

• If you use the operating system's biometric authentication feature, ensure that using this authentication mechanism provides an adequate security level. Biometric authentication improves the overall security as long as it is used in combination with a strong password policy.

  By adopting biometric authentication, you may become data controllers for the processing of special categories of personal data, according to Article 9 of the GDPR on biometric data.

• Limit the retention time of investigations to a minimum, and document it

• Advise mobile operators to delete screenshots immediately when they are not relevant anymore

• Disable automatic backup of image libraries from mobile devices to remote servers such as Google and Apple

You must also have policies and procedures in place in the event of lost or stolen equipment, particularly if that equipment can expose personal data.

If equipment such as a mobile device or smartphone is lost or stolen, you should:

• Disable the user account

• Force a password change for re-enabling the device