We all expect to live in a safe, secure, comfortable home. Often the responsibility for safety lies not with the resident but with their housing provider, and CCTV tends to be the method of choice for monitoring public areas. But many CCTV systems are inefficient and their compliance with data protection legislation questionable.
The GDPR, which comes into force in May 2018, brings in new responsibilities for CCTV users, including housing providers. These should be viewed not as a burden but as an opportunity to overhaul existing systems, develop their capabilities, and give them a new lease of life.
Reviewing risks and responsibilities
The GDPR requires that when installing a new system or upgrading an old system, users will be expected to have identified privacy and security risks, and to have clearly identified how those risks are to be addressed. This responsibility is likely to continue through the lifetime of a system as an expectation of ongoing review.
CCTV cameras are among the most vulnerable devices when it comes to being hacked for access into networks or to support botnets, thanks to poor, sporadic firmware updating and weak, manufacturer supplied passwords that the user often does not change. The advent of this requirement in the GDPR gives housing providers a great opportunity to rectify any existing security problems, ensuring that passwords are secure and firmware up to date. Once that’s been done, it would be a good idea to schedule regular checks to ensure systems always have the latest firmware, and to bring passwords into the organisation’s broader password management and review system.
The new legislation also requires a Privacy Impact Assessment (PIA) for ‘high risk’ situations. This could include any that involve children or vulnerable people or, indeed, any recording of the general public. A PIA will need to include a description of planned processing of any visual data, the purpose of that processing, an assessment of the necessity and proportionality of the processing, an assessment of risks to rights and freedoms, and details of measures envisaged to address the risks, for example safeguards, security measures and mechanisms to ensure protection of personal data.
While some might see this as the imposition of a bureaucratic burden, in fact it is another great opportunity. Housing providers could take the preparation of a PIA as a chance to review how and why they use CCTV, moving beyond pure ‘surveillance’, and to involve residents in holistic discussions about the current and potential uses of CCTV.
A wider review of the technology
As well as finding opportunities in specific requirements of the GDPR like those above, housing providers could make early 2018 the time for a full review of their CCTV technology. There is a tendency to think of CCTV as a ‘fit and forget’ system. Once it’s in place, it does its job, and never needs to be serviced again. That’s a long way from the reality. Like any technology, CCTV should be subject to a regular full systems review.
The majority of CCTV systems save their visual data to local digital video recorders (DVRs), a technology that was developed prior to the connected age in which we live and was never intended to be connected to the internet. DVR based CCTV systems are riddled with security issues, inefficiencies and risks.
Footage needs to be extracted manually, for example copied on to a USB stick, at the location of the recorder – which is usually on site. It can be tricky to create still images directly from the system, and it’s invariably impossible to live stream footage. Cameras have to be checked manually to ensure they are functioning properly.
In contrast, cloud based systems have a broader scope of use and are more time efficient. They move CCTV on from a role purely about safeguarding against crime or antisocial behaviour. Remote access at any time, from laptop, tablet or phone, means cameras can be used to monitor the efficiency of service providers like refuse collectors, controlled parking agents and cleaning contractors. With relevant permissions, they can keep an eye on the front doors of vulnerable residents, to make sure they are active, or that their carers are visiting regularly. Real time alerts can be triggered by sensed movement, and administrators alerted if cameras go offline. And if necessary, live feeds can be shared with first responders by a housing manager who might be many miles away.
The GDPR places some requirements on housing providers, and there is no ignoring that fact. While meeting those requirements, housing providers can use the opportunity to rationalise the jumble of CCTV systems and DVR recorders throughout their estates by moving to cloud based systems which are easier to manage and provide more flexible access to visual data. It is the ideal opportunity for housing providers to take back control.
By James Wickes, co-founder and chief executive, Cloudview
European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPO’s, Security Professionals and senior business decision makers looking for; information, updates, clarity, advice and solutions. For more information, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.