Faces as data: A guide to video surveillance and the GDPR

With personal data and its protection, we usually think about names, addresses, phone numbers birthdates etc. first, then other sensitive information, such as bank account details, medical records or places of work. But, given that personal data can be defined as “any information relating to an identified or identifiable person”, images must also be treated with the same care under the same GDPR regulations.

With this in mind, when is it okay to collect arguably one of the most personably identifiable pieces of data – images of someone’s face? The short answer, whenever there is a legitimate interest, such as in an environment that requires it for security. However, there is a thin ethical line on what is and is not acceptable. We must protect people, but we must also protect their privacy.

Why it’s essential to include video surveillance in the GDPR

You’d probably have a hard time finding someone on the street who doesn’t recognise at least some of the benefits of video surveillance. A camera placed in the right spot can help to catch a thief, prevent dangerous accidents, or even protect a town from a natural disaster. However, while the pictures cameras register are objective, they are not exempt from ethical and legal obligations.

They have the potential to protect, but cameras also have the potential to threaten people’s freedoms. Just think of the impact a sophisticated facial recognition and tracking system could have if installed in an autocratic regime – anyone who is familiar with Big Brother in George Orwell’s 1984 will shudder at the thought. While this may seem like a thing of science fiction, mass public surveillance is already being abused. The case of four British schools earlier this year, whose surveillance systems were hacked and the videos of children were streamed online, shows the ability to identify people without their permission from surveillance, if access falls into the wrong hands.

That’s why video footage is included in the GDPR as personal data. With this in mind, it is vital for those collecting and processing the data produced by video surveillance are ensuring they do so in line with guidelines.

 How to ensure your video data is compliant

It is a complex balance between making sure that you’re protecting people without compromising their privacy. Here’s some things to consider:

1. Use a secure system

Internet of things (IoT), sometimes referred to as smart or connected technology, is widely being applied to network cameras, from producing smart analytics that provide valuable trend insights, right through to streaming a video feed to an off-site surveillance controller. While the ability to connect a camera to the internet can offer many benefits, it also provides additional points of access for hackers, who could theoretically use it for malicious intent. To significantly reduce the chances of a breach, invest in high-end security software and secure hardware for your video surveillance and connectivity, stay abreast of the latest cybersecurity best practices and make sure your system is regularly updated and maintained in line with patches and guidance from the manufacturer.

2. Be selective

You don’t have to put cameras everywhere. Check where the major risk/interest points are on the site and focus your strategy on these areas. Also, remember when setting up a new system, there is an obligation to develop a Data Protection Impact Assessment (DPIA) with regards to “extensive systematic monitoring of publicly accessible premises”. Ask yourself whether they are areas someone would expect to be seen (i.e. not a restroom stall!) and also ensure you have a “legitimate interest” to put a camera there. By making your surveillance targeted, you are only gathering necessary data, meaning you have reasonable grounds to store it, analyse it and catalogue it. Furthermore, it makes the process easier than if you had to process footage from every single corner of the building. With the public’s right to ask about what data you hold on them, narrowing down the points of video data capture also speeds up the process if anyone ever makes an enquiry.

3. Work with trusted partners

GDPR compliance or instances of breach largely depend on how you are using the services provided by third parties. What type of GDPR obligations that arise – and who owns those obligations – must be examined on an application-specific basis. Let’s take a hosted surveillance service as an example of how the GDPR will typically be applied and who will be responsible for what:

  • Alarm operator’s customers: Data controller for personal data contained in the video material that is captured by the user’s camera surveillance system and uploaded in the system.
  • Alarm operator: Data processor on behalf of users for personal data uploaded in the system by the user (e.g. user employee information and captured video).
  • System provider: Data processor on behalf of alarm operator for personal data uploaded in the system by alarm operator (e.g. alarm operator employee information) and personal data sub-processor on behalf of alarm operator for personal data uploaded in the system by alarm operator’s customers (captured video).
  • Hosted Web Services: Data sub-processor on behalf of system provider for personal data uploaded in the system by alarm operator and alarm operator’s customers (users).

As you can see from the above there are multiple stakeholders contributing to the handling of the data, so it is vital to use a reputable company to ensure your footage is managed correctly.

Final thought

It is ultimately your responsibility as the user of surveillance equipment, surveillance solutions and surveillance services to ensure GDPR compliance and the safeguarding of the rights of the individuals whose personal data you process. It is therefore important to make sure you have done your homework on current requirements so you can manage your obligations as well as guarantee you partner with compliant suppliers and vendors. You should also be able to rely on technical aid from your suppliers and vendors to facilitate your GDPR compliance, via updates and maintenance support.



By Edwin Roobol, Regional Director, Axis Communications

Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.