Help with your Impact Assessment
Edesix shall not add to, modify, access or delete personal data captured during the normal operational use of VideoManager or associated supplied equipment deployed at customers, whether VideoManager and data storage are on-site or in the cloud. Thus, our expectation would be that the customer is both Data Controller and Data Processor for that data (if storage is in the cloud, the cloud storage suppliers might also be Data Processors). Therefore, customers will need to appoint a responsible person to understand and own data protection issues, and to become familiar with how the legislation applies within their own environment. Some key pointers are included below:
GDPR Article 2: "Material scope"
2) This Regulation does not apply to the processing of personal data:
- by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
GDPR Article 5: "Principles relating to processing of personal data"
1) Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
Data from body-worn cameras is generally collected for a single purpose or a small set of related purposes. For example, it is collected to protect staff safety or prevent crime, and is not re-used for marketing or other purposes. This keeps things simple, because having a single purpose for the collected data means you only need:
- One legal reason to collect the data (“a legitimate interest”), or
- One set of consents from data subjects to collect the data.
Many companies currently rely on implied consent to justify monitoring, but the GDPR’s consent requirements mean other legal grounds should be identified where possible. The most appropriate grounds will probably be legitimate interests or legal obligations. There are legitimate interests that allow processing for prevention of crime and fraud, or security. To support this use, in most instances the GDPR states that a Data Protection Impact Assessment (DPIA) should be completed and retained within your files.
GDPR Article 35: "Data protection impact assessment"
1) Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Suitable templates for a Data Protection Impact Assessment (DPIA) and Data Register (of data types being processed by you) can be found online or obtained from your National Data Protection Commission or equivalent body. These provide guidance on the types of items to consider, including: the specific purpose in collecting the data, secure handling and storage processes using technologies such as encryption, and the duration for which you will hold the data. With some exclusions, any identifiable individual might request access to this data (GDPR Article 15), rectification of inaccurate data (GDPR Article 16), or erasure of that data (GDPR Article 17).
A key principle of the GDPR is to ensure that you only use personal data for the purposes for which it was collected. VideoManager aids in this through a strong access control scheme, preventing unauthorised access to data. It also logs every action, allowing abuse of personal data to be identified and stopped. VideoManager provides best-in-class search functionality to help you find records which need to be shared with data subjects.
Continuing with other GDPR "Principles relating to processing of personal data" (Article 5):
1) Personal data shall be:
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
VideoManager has been designed to require no mandatory personal data; for example, it doesn’t require you to provide an age or ethnicity for subjects in order to be able to process a video as evidence. To support some functionality, email addresses can be used, but these can be anonymised. So too can the user names created on the system to assign a camera and create incidents.
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
VideoManager provides advanced search functionality. This means that if you are notified of a change in personal data, you have a programmatic method to find and correct as many of the related records as can be expected.
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
VideoManager provides and implements data retention rules which include automatically deleting video after a short time, if that is appropriate to the purpose for which the data has been categorised.
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
This is the main area where VideoManager is able to assist. VideoManager includes strong access controls, ensuring only the relevant trained or licensed staff can access recorded video. All interactions with the system are audit-logged to ensure that any inappropriate use of data can be identified. VideoManager also includes redaction technology, enabling the removal of personal information from video before it is shared.
A key feature to enable security of data is encryption.
GDPR Article 32: "Security of processing"
1) ... the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: a) the pseudonymisation and encryption of personal data.
All Edesix cameras protect the footage as it is recorded on the camera using encryption.
When uploading data, devices will not allow footage to be transferred to any server which is not in possession of the correct device access key. This is verified with public/private cryptography. This means that if a device is lost/stolen/misused by an employee, recorded footage cannot be accessed and misused by anyone else. All Edesix-supplied VideoManager cloud services implement at least TLS 1.2 to secure the footage in transit during upload, and this capability is available to all VideoManager enterprise customers. Recordings received by all Edesix-supplied VideoManager services are encrypted at rest using AES-256 encryption, and this capability is available to all VideoManager enterprise customers.
We trust that you found this brief summary helpful and are happy to provide further support on request.