Background to GDPR
The General Data Protection Regulation (GDPR) is a piece of European-wide data protection legislation that becomes fully enforceable in May 2018, following a 2-year grace period. It was approved by the European Parliament in December 2015 and subsequently published in the EU Official Journal in May 2016. It will replace EU data protection directive 95/46/EC and country legislation such as the UK's Data Protection Act.
The act recognises that rapid technological developments and globalisation have transformed both the economy and social life. People are increasingly making personal information available publicly and globally, and the free flow of personal data within the EU and globally must be facilitated whilst still ensuring a high level of protection of this data.
Whilst GDPR may contain many similarities to existing national data protection legislation, it strengthens the rights of individuals (‘data subjects’) and contains some notable clauses. A few of the key ones are:
The Right to Access – data subjects have the right to obtain from data controllers confirmation as to whether or not and for what purpose personal information concerning them is being processed. Furthermore, the data controller is obliged to provide an electronic copy of that data free of charge.
Right to be Forgotten – data subjects have expanded rights to require the data controller to erase personal information and prevent it being disseminated further. The conditions for erasure include the data no longer being relevant to the original purpose or the withdrawal of consent. However, this right is not straightforward, as it requires the controller to weigh the individual's rights against 'the public interest in the availability of the data' when considering such requests.
Privacy by design – GDPR now sets a legal requirement for privacy and the protection of data to be designed into systems from the outset and not bolted on as an add-on. In addition, data controllers are required to hold only the data that is absolutely necessary to carry out their duties (data minimisation) and to limit access to personal data to only those who need it to carry out the processing.
GDPR will apply to the processing of all personal data by EU controllers and processors, irrespective of whether or not that processing takes place in the EU. It will also apply to the processing of personal data relating to EU subjects by controllers outside the EU where the activity relates to offering goods or services to EU citizens. However, whilst GDPR is fully applicable to private entities, there are cases where it is not fully applicable to public bodies such as police and law enforcement. These exclusions usually apply only to specific matters of national security or to the investigation of crimes, and are not a blanket exclusion. It should also be noted that GDPR "…does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity."
For the rest of this article, the focus shall be on the private and public (non-law-enforcement) sectors and the implications GDPR has for them.
Why GDPR is relevant to security and video surveillance – processing biometric data
Use of security and video surveillance systems continues to expand at an enormous rate both in the private and public sectors. These systems include technologies such as:
- Video surveillance & recording
- Facial recognition
- Automatic licence plate readers (ANPR)
- Body worn cameras
- Access control systems
- RFID tracking
- Personnel and vehicle locators
All of these systems are capable of directly or indirectly collecting ‘biometric’ data including facial images and fingerprints that can uniquely identify a person, or other data which can be uniquely related to an individual. Therefore, the scope of these systems falls under GDPR.
Processing of biometric data – definition and restrictions
Within GDPR, biometric data is defined as follows:
‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
GDPR article 9 specifically prohibits the processing of "…biometric data for the purpose of uniquely identifying a natural person…" as well as the "Processing of personal data revealing racial and ethnic origin…". However, there are a number of subsequent waivers on these clauses, the most relevant to the private sector being that the prohibition does not apply provided the subject has consented to the processing of their personal data for one or more specified purposes, and where EU or member state law does not prevent the individual from lifting this prohibition.
However, according to article 11, in the case of processing of personal data that does not require identification, the data controller is not “…obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation…” and where “…the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible.” This article, whilst appearing to offer a waiver to those operating simple video surveillance of public spaces such as shopping malls, actually introduces some ambiguity.
Whilst the controller (CCTV system operator) may be able to argue that they have no means to identify the majority of individuals who are recorded on CCTV, it is far easier to identify public figures and celebrities simply by virtue of their exposure in the media, as was demonstrated, for example, in the Virgin Trains v Jeremy Corbyn case this year. Therefore, it is perhaps only a matter of time before this clause is put to the test in the courts.
For security systems operators, GDPR applies some very real limitations on what can be done lawfully with video and other biometric data, particularly with regard to open and publicly accessible spaces. It would appear, for example, that using facial recognition technology within a shopping mall to identify known troublemakers would be unlawful unless those persons had previously given consent; operators of such systems may need to seek further legal advice.
In the case of controlled and private spaces there is more freedom to use biometric technologies provided that the purpose is clearly and unambiguously defined and the consent of each individual is positively obtained (not doing anything does not constitute consent, for example). An example of this type of technology is using biometric access control and video surveillance to control access to areas of a building.
Nevertheless, in the context of employment, member state laws or collective agreements may provide further specific rules designed to ensure the protection of the rights and freedoms of employees. Therefore, these must also be considered alongside GDPR.
Getting Prepared for GDPR
Most organisations that have established security systems and have already endeavoured to comply with existing data protection legislation should already be reasonably well prepared for GDPR. Even so, all organisations should consider the following (in both the context of security systems and the broader processing of personal data).
The first step is for leaders and executives to familiarise themselves with the additional burdens of GDPR, making sure there are sufficient resources to deal with the changes and that any gaps are covered.
What is the lawful reason for processing personal data?
Whilst organisations may be clear about why they are processing many forms of personal data that is directly related to specific business activities, they may be less clear about why they are processing biometric and other related data from security, PSIM and surveillance systems. Therefore, organisations should establish why they have installed devices and what data they are collecting in conjunction with an audit. If there is no clear and legitimate/legal reason why a camera or other sensor is installed in a particular location then it probably shouldn’t be there.
Make sure you are fully aware of all the rights of an individual, that these rights are respected and that you have put in place and tested procedures that deal with these rights. For example, if you receive a request for CCTV footage from an individual, are you prepared to handle and comply with that request?
Communicating privacy notices
A privacy notice must be clear, concise and easy to understand. It is used to communicate to the individuals concerned who you are, the fact that you are collecting and processing personal data and what you intend to do with it. Existing privacy notices will need to be updated to reflect the additional requirements of GDPR, such as your lawful basis for processing the data, how long you hold the data (retention time) and an individual's right to complain if they think there is a problem with the way you are processing their data. A good example of a privacy notice is that of Transport for London.
For public space systems operators, clearly placed signage should indicate not only that an area is under surveillance but also where people can go to get more information or raise privacy concerns. Privacy notices are probably best published on the Internet so that they can be easily kept up to date and are the most accessible. Other formats such as print media and braille should be made easily available for persons who have this need.
If you are processing biometric data (for an access control system for example), make sure you have consent from all employees or users. Again, this needs to be a positive consent, not implied or automatic. Review any existing consents to ensure that they are up to date, reflect any changes in the system and comply with GDPR.
Do you need to appoint a data protection officer?
GDPR requires a data protection officer to be appointed in any case where:
- the processing is carried out by a public authority or body (except for courts acting in a judicial capacity);
- an organisation carries out regular and systematic large scale monitoring of individuals;
- an organisation is processing special category data, or personal data relating to criminal convictions and offences, on a large scale.
A group of undertakings may appoint a single data protection officer, providing that officer is easily accessible to each establishment. For public authorities, it is possible to have a single officer for multiple authorities, subject to size and structure.
Data Protection Impact Assessments
GDPR requires that a data protection impact assessment is carried out particularly when using new technologies or where the processing is likely to result in high risk to the rights of natural persons (individuals). These are particularly required in the case where there is “… a systematic monitoring of a publicly accessible area on a large scale.”
In the case where the impact assessment indicates that there is high risk without the controller implementing measures to mitigate the risk, then the controller must consult with the data protection supervisory authority before commencing any processing. If the supervisory authority is not satisfied that the risks have been sufficiently mitigated they must provide written notice to the controller and may use any of their powers that are defined in the GDPR. These include but are not limited to imposing a temporary or definitive ban on processing and imposing administrative fines.
As mentioned above, there are some exceptions where GDPR does not apply, and the majority of these relate to law enforcement/criminal investigation and national security. However, there is one exception that applies to small/medium enterprises/organisations with fewer than 250 employees. This exception applies to record-keeping requirements, but it is only applicable where the processing does not present a risk to the rights and freedoms of the data subjects, is of an occasional nature and does not include the processing of criminal convictions or offences.
Codes of Conduct and Certification
GDPR supports two voluntary measures which, whilst they don't relax the requirements, allow organisations and bodies to demonstrate that they are complying with the law.
Codes of conduct
Associations and other bodies representing controllers of data may draw up codes of conduct that are intended to contribute to the proper application of the regulation and reflect the special features of a particular sector. Codes of conduct must be approved by the appropriate national supervisory body and can then be adopted on a voluntary basis. This would be a particularly useful way for the security industry to support end users and at the same time, in conjunction with a suitable awareness campaign, provide confidence and reassurance to the general public.
As with codes of conduct, the GDPR encourages the establishment of data protection certification mechanisms for the purpose of demonstrating compliance with the regulation by the data controller. This certification could also demonstrate the existence of appropriate safeguards by data controllers that are not subject to the regulation. Certification is valid for a maximum of three years.
Within the UK, organisations such as the NSI are already working in conjunction with the Office of Surveillance Commissioners and now offer a route to obtain a certificate of compliance from the Surveillance Camera Commissioner. Whilst this may be of benefit to large public organisations that wish to demonstrate compliance and provide reassurance to the local community, it carries a cost and resource overhead; for others, simply completing their own self-assessment could be sufficient to be satisfied that their installations and processing of data meet the regulations.
Failure to comply with GDPR – Administrative fines
GDPR sets out a number of measures that can be taken by the supervisory authority in the event that the regulation is not followed. The regulation allows the authority to impose a fine of up to €20m or 4% of international turnover, whichever is greater. Fines can be used instead of or in addition to other measures. In the case of minor infringements, or where a fine would be a disproportionate burden on an individual, a reprimand may be issued instead.
Member states are also able to lay down rules on criminal penalties for infringements of the regulation. These criminal penalties may also allow for the deprivation of profits obtained through the infringement of the regulation.
GDPR will provide a common set of data protection regulations for all EU member states and comes into effect in May 2018. These regulations provide greater rights to individuals concerning the processing of personal data including biometric data that may be collected by security and surveillance systems.
Security system operators must ensure that they fully understand the GDPR and are prepared for it. This includes putting in place all the necessary procedures to process requests relating to personal data as well as publishing privacy notices and ensuring they have all the necessary consents. For operators of systems that collect biometric data that could or do identify individuals, they must ensure that these systems are compliant with GDPR and may need to seek the appropriate legal advice.
Furthermore, industry bodies should be encouraged to implement codes of practice which will help steer end users when implementing systems and provide greater confidence to the general public that their rights are being respected.
Failure to pay attention to and comply with GDPR could result in a very substantial fine!
- ST_5419_2016_INIT_EN – Position of the Council at first reading with a view to the adoption of a Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
- Preparing for the General Data Protection Regulation (GDPR) – ICO – https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
- Surveillance cameras and GDPR – Surveillance Camera Commissioner blog – https://videosurveillance.blog.gov.uk/2017/06/30/surveillance-cameras-and-gdpr/