GDPR Regulations for CCTV, Photography and Video equipment and drones.

CCTV

In general, CCTV is directed at viewing and/or recording the activities of individuals. Therefore, most uses of CCTV by organisations or businesses will be covered by the DPA. The ICO has also issued a code of practice that provides recommendations on the use of CCTV systems to help organisations comply with the DPA.

CCTV systems which make use of wireless communication links (eg, transmitting images between cameras and a receiver) should ensure that these signals are encrypted to prevent interception.

CCTV systems which can transmit images over the internet (eg, to allow viewing from a remote location) should ensure that these signals are encrypted to prevent interception and also require some form of authentication for access (eg, a username and secure password).

The devices used to store CCTV images are also a common target during a break-in (eg, to remove potential evidence of the crime). In the first instance, organisations should consider the physical security of the storage device such as whether it is kept in a locked room. Newer systems may allow for recordings to be stored in an encrypted format which will prevent unauthorised access in the event of loss or theft, and which could be considered in addition to a range of appropriate access controls.

In responding to subject access requests or other disclosures, data controllers should consider an appropriate format of the data to be disclosed, and appropriate security controls. During procurement, the capability of the device or prospective system to export data securely to third parties should also be considered.

Photography and Video equipment

Use of digital photography and video recording can provide a permanent record of an event for a range of different purposes. Consumer devices rarely contain the ability to encrypt images stored on the device. As a result there is a risk of unauthorised access if the device, or a removable memory card, is lost or stolen.

When encryption is not a reasonable option, it is important to consider the measures a data controller can take to ensure that the risk is reduced to a tolerable level. For example, transferring images from the camera to a secure location and securely deleting them from the memory card as soon as is practical.

It may also be possible to consider using an alternative device such as a smart-phone or tablet which does offer an encrypted file system and encryption of their memory cards. However, care should be taken that the device does not automatically upload images to a remote cloud service or social network and that the method used to transfer the images from the device does not present a further security risk (eg transfer as an email attachment).

Drones

Another emerging technology is the use of Unmanned Aerial Systems (UAS) also known as RPAS and drones. A common feature of UAS is the ability to record video footage.

Where images or other personal data are transmitted from the vehicle back to the pilot (eg a live feed of video footage over Wi-Fi to a smartphone app) then the data should be appropriately protected against interception by using an encrypted wireless communication link. Using an encrypted wireless communication link may also give some protection against potential hijacking of the vehicle.

Where images or other personal data are stored on the vehicle (eg an on-board memory card) then the data should be appropriately protected in the event of loss or theft (eg following a crash). The data can be appropriately protected using encryption.

Additional legal requirements or best practice will include flying RPAS within line of sight, retaining a log of usage, copying data to a secure location and securely destroying data on the device as soon as practical.

The data controller must also consider the security of footage once transferred from the device for longer-term storage.