Prior to the prospective entry into force of the EU General Data Protection Regulation (“Regulation”; for reference, see: http://ec.europa.eu/justice/data-protection/reform/index_en.htm) the considerations as presented in some detail later in this article may seem unnecessary in the context of economic calculation and imposition of sanctions affecting your enterprise.
However, the closer we get to the date of entry into force of the Regulation, the more considerations of privacy will bear on our projects involving, even if only marginally or potentially, personal information. Suffice it to say that the EU lawmakers are currently deliberating about fines of up to 1,000,000 Euros or 2% of your annual income for infringement of provisions on the protection of personal data (see: http://europa.eu/rapid/press-release_MEMO-15-5170_en.htm); now, when compared to such sanctions, the cost of video surveillance seems trifling, and to the fore – instead of the property safety risk analysis – comes the analysis of necessity and degree of interference with the privacy of individuals monitored.
If you are already at the stage of verification of a contract with a monitoring system provider, you should still establish and sum up, for yourself, for a lawyer verifying the terms and conditions of the relevant contract, and above all for the crew, the reasons for which video surveillance will in a moment become a permanent element of the plant’s landscape, and the functions it will serve.
Let us assume for the purposes of this article that the monitoring is to be used in your enterprise in order to support access control and ensure the safety of property, information, personnel and guests. Let us also assume that the monitoring system provides a record, not just live viewing, of the object of filming.
Suppose, finally, that the eye of the camera looks exclusively at passageways, exit and entrance to a building, or other sensitive places (e.g. rooms hosting critical IT infrastructure), as opposed to surveillance of a specific person or group of people. Formally, we are dealing with a system known as video surveillance, closed circuit television, or, in short, CCTV; in fact – with a relatively popular security system which seems to be modestly invasive and relatively safe.
The reasons and functions as established by you at such an advanced stage have most certainly one major drawback – they are based exclusively on your memory, knowledge, intuition and imagination. They represent a view which may be described as quite narrow and one-sided, and which can be unconvincing for agencies supervising your practices in terms of on-site compliance with the rules on personal data protection; it is also a view that can be incomprehensible for the crew and consequently give rise to discontent affecting the economic results of your company.
However, suppose you have experienced a loss or destruction of some valuable property left unattended in one of the corridors of your establishment; an event that compromised your assessment of the then current security measures and cast a shadow over relations with, at least, part of the crew; a repeat of which event you wish to avoid, despite this gut feeling that video surveillance will provide much more data than needed to protect property and staff.
At this point it is worth noting that the constitutional rights and freedoms of an individual, including the employee’s right to privacy, need not preclude an effective protection of the interests of an employer, especially as regards its property. A pragmatic approach to monitoring based on the principles of selection and proportionality can procure both a sufficient level of security and respect for privacy.
It is all but a trite remark to say that cameras should be used intelligently, namely to solve specific security problems, without collecting unnecessary data. Such an assumption is conducive to reducing the degree of interference with privacy, and also leads to a more purposeful and effective use of video monitoring.
A chronological approach to the implementation of video surveillance dictates that we start by answering a general question: whether the implemented system will in any way affect the privacy of personnel and bystanders. Obviously these considerations revolve around the issue of “privacy”, which calls for some explanation, and such will follow.
Privacy in its broad sense can be defined as an individual’s right to be left alone. There are two basic forms, or aspects, of personal privacy: physical and informational; and corresponding forms of their infringement.
As regards informational privacy, which is of particular interest for our present considerations, its violation may, for instance, take the form of excessive data processing, unauthorized disclosure, or misappropriation of entrusted data. Violation may also stem from monitoring images, sounds or content of transmitted messages. Invasion of informational privacy may result from the fact that processed information is: inaccurate, inadequate, outdated or excessive, unnecessary, stored too long or unprotected, disclosed to somebody to whom the data subject does not want it to be disclosed, or used in a manner unexpected or unacceptable for the data subject.
It seems that video monitoring can provide some information about individuals; these pieces of information meet the definition of personal data as primarily regulated by the Act on the Protection of Personal Data. And thus we have come across yet another important category, namely “personal data”.
Under Polish law, which follows the pattern set by EU law, personal data is defined to mean all the information relating to an identified or identifiable natural person, irrespective of the manner and form of its expression, such as the employee’s name, photos, movies or biometrics.
As can be read from the European Data Protection Supervisor Video-Surveillance Guidelines of 2010, recognizable facial images always constitute personal data. This rule applies regardless of whether the individual is known or identifiable to the operator of the monitoring system. Even poorly recognizable facial images can be personal data when identification is possible with the help of additional information. For example, a low resolution image can be sufficient for the police, in conjunction with other information obtained during the preparatory proceedings (witness statements, other available and admissible evidence), to establish the identity of the offender.
The conclusions of the preceding two paragraphs assert not only the need to analyze, but also to identify, the risks to privacy, including through company internal consultations.
The European Data Protection Supervisor recommends that employees should be consulted in all cases where the personnel may be captured by the eye of a camera, even where the objective of data processing is safety and access control and cameras are installed only at the entrances/exits to the building or other strategic places such as rooms housing the archives of your organization.
Consultations are an important part of the process of risk analysis as they create a unique opportunity to report problems and offer solutions to privacy issues directly by the data subjects concerned.
[Data Protection Officer]
The assessment of who is best placed to coordinate and implement risk analysis is an autonomous decision of the organization, conditioned by the circumstances of a particular case, and in the case of your company it is, by extension, you.
Large organizations have in their ranks the so-called information security administrator (local counterpart of a data protection officer; referred to as DPO, for the sake of clarity) who seems to have – on her or his own merits – an important role to play in risk analysis and who is able, because of her or his professionalism, to discern the most from the existing processes in your organization.
At this point it is worth noticing that the DPO is an institution brought into existence by European law (see: Article 18 of the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data), and more precisely an official responsible for data protection, designated by the governing body of your company to carry out (i) duties associated with ensuring compliance with the rules on personal data protection and (ii) obligations related to keeping a register of personal data files, as defined by the Polish legislature (see: the Act on Personal Data Protection and the related Regulations of the Minister of Administration and Digitization).
Therefore, if you are verifying a contract with a video surveillance provider, please use the expertise of a lawyer so as to establish a wider legal context of the entire operation. Video surveillance is only one of the options, and perhaps a professional opinion of a lawyer or DPO will offer you other, less expensive, more adequate and staff-friendly solutions to choose from.