Cloud-based video surveillance company Cloudview is warning that many of the CCTV systems businesses employ to protect property, staff or tenants risk breaching current data protection-centric legislation, in turn placing companies at risk of fines, bad publicity and even criminal sanctions.
The warning comes after Cloudview commissioned a Briefing Note from independent solicitor Wright Hassall to clarify how the Data Protection Act (DPA) relates to CCTV systems. This sets out five key requirements for DPA compliance, from secure storage and encryption through to the ability to switch the surveillance system on and off so that recording is not continuous.
The detailed Briefing Note warns that even tighter regulations come into force in 2018, with fines of up to €20 million or 4% of global turnover (whichever is higher) for a serious breach of the European General Data Protection Regulation.
Cloudview’s co-founder and CEO James Wickes believes many organisations may not realise the extent to which their CCTV recordings are covered by the DPA.
Potential breaches of the DPA
“Poor image quality, inaccuracy in the time/date stamp and being unable to access recordings easily when requested are problems I hear about frequently when visiting CCTV end users, and these are all potential breaches of the DPA,” stated Wickes. “The Information Commissioner’s Office points out that, if data is to be recorded, this must be done securely and accurately in order to be used properly. If not, its capture is unjustified.”
Wickes continued: “Similarly, if recorded footage isn’t stored securely to prevent unauthorised access and hacking, then the host organisation is at risk of a fine or a more serious penalty. Many of the organisations we speak to don’t know how many CCTV systems they use or whether they’re actually working because they’re not managed centrally. This could make CCTV a litigation time bomb waiting to go off.”
The DPA requires all organisations that collect CCTV data to have a legitimate reason for doing so. The recordings must be of sufficient quality for their intended purpose. In other words, if the aim is to identify individuals performing criminal activity, then the recordings should be of sufficient quality to do so and must be easily accessible by members of the police service. They must be held securely, using encryption wherever possible, and should be stored no longer than is necessary.
Making older systems compliant
“Organisations use CCTV to provide security, but it’s vital that they remember it falls under the same regulations as all the other personal data they hold,” concluded Wickes.
“The simple truth is that it’s very impractical to try and make old style systems compliant. Adding security usually makes them less accessible and usable.”
*Cloudview has now made the briefing note available via its website
Founded in 2012, Cloudview is the developer of a corporate-grade, secure, cloud-based video surveillance system that enables authorised users to view, manage and share footage generated by CCTV from multiple locations on any smart phone, tablet or PC.
The company was recently awarded ‘Police Preferred Specification’ status: the only CCTV product of any description to have received this accolade.
Headquartered in Hampshire, the firm works in partnership with Care Protect, which has adopted Cloudview’s technology across a number of care homes to protect the well-being of thousands of residents and staff.