Data Privacy and Video Surveillance

Many of us read about the USD 41 Million fine imposed on H&M by the German data protection authority. GPDR is coming to India too. Are we ready? The Supreme Court of India has already declared the Right to Privacy as a fundamental right. India’s Personal Data Protection Bill (PDPB) was introduced to parliament in December of 2019 and is likely to pass shortly.

The H&M story throws a light on a situation which most of us in India will not consider as a problem. Here, while senior management may have been advised properly about what is construed as personal information, the mid-level managers and below may not have any understanding or making their own wrong assumptions as per their Indian sensibilities. After being hit by the massive fine, H&M asserted that since the October 2019 breach, it has adopted a “comprehensive action plan to improve the internal auditing practices to ensure data privacy compliance, strengthen leadership knowledge to assure a safe and compliant work environment and continue to train and educate both staff and leaders in this area.” Too late, the horse has bolted. And do note, the Indian law also suggests similar large fines up to 4% of global turnover.

Let me draw attention to the point that Video Surveillance also comes under the ambit of GDPR. Privacy and Data Protection laws require that a company must obtain explicit permission from a user before collecting their data. The cameras recording entry exit of your employees, monitoring shop floors, covering public roads while monitoring private premises are capturing personal data and are subject to privacy laws. Whenever the video of any person is captured through the CCTV system, that may be used to identify that person it immediately becomes personal data and privacy laws are applicable. The wrong assumption that personal data means only name, address, email IDs, phone numbers needs to be corrected. Just to make things a bit more clear, unless our CCTV System captures footage lacking any personal data e.g. research cameras that solely monitor wildlife creatures, the night sky, or microscopic organisms, then we have to ensure that we are ensuring compliance and proper safeguards are in place.

6 Key Principales of GDPR with respect to Video Surveillance :

1. Lawfulness, Fairness and Transparency – The footage should be processed lawfully and transparently.
2. Purpose Limitation – The purpose of creating the video surveillance data, storing and processing it should be explicitly clear.
3. Data Minimization – The stored surveillance data should be specific to the purpose and limited to what is necessary
4. Accuracy – Trueness or accuracy of stored data is the responsibility of the data controller and any inaccurate data has to be removed
5. Storage Minimization – Any data which has personal information that is identifiable should not be stored beyond a specific period of time.
6. Integrity and Confidentiality – It is the data controller’s responsibility to ensure that the video footage stored is securely stored and access is restricted.

Is your CCTV system compliant? You should be concerned and ready for the law. Some quick suggestions:

• Only areas that need to be covered should be brought under surveillance eg. Public roads should be avoided, views of neighboring campuses should be masked. Collecting irrelevant footage should be minimized.
• Simple signages stating that the area is under video surveillance may be acceptable at a bank or a jewelry store. However, if cameras are recording a workplace or a hotel lobby, or a medical clinic entrance, there should be much more detailed messages mentioning the right of the data subjects and the contact details of the data protection officer.
• The principle of data minimization – only collecting that data which is strictly necessary – as enshrined by the GPPR needs to be complied with. European GDPR from which the draft Indian law draws heavily stresses that personal data should not be stored for longer than is necessary. In most normal circumstances, storing video surveillance data for more than 7 days unless required by law or contractual obligations is beyond legitimate levels.
• The GDPR requires that personal information should only be accessible to those who need to it complete a function of their job. This means keeping the footage in a secure location. Measures to protect against cybersecurity threats are essential and the responsibility of the organization which is using the data.
• A System Integrator who understands video surveillance and issues of privacy and data protection are brought in not as an installation vendor but as a partner as expertise of the partner will be vital for achieving GDPR compliance for video surveillance applications.

Careful due diligence of any video surveillance that you might carry out or think about carrying out has become important. Experts on technology and privacy laws should be consulted now more than ever for existing video surveillance installations and a proper Data Protection impact assessment should be done if considered high risk.