IFSEC Insider is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
An alarming number of video surveillance systems could be in breach of GDPR, an investigation has revealed.
More than a year after the EU data protection regulation came into force, vacant-property security firm Clearway discovered myriad examples of bad practice during investigations of its nationwide client base.
In one instance a court case was dismissed due to lack of evidence after it emerged that two systems on which an intruder was filmed were set to times 17 seconds apart.
“That might sound petty,” said Clearway in its press release, “but the defence barrister asked for all camera footage to be played at the same time. As the intruder was seen on two systems at the same time (due to the timers not being synced) the barrister claimed the evidence was inadmissible […] since how could the intruder be in two places at once?”
At another site, investigators discovered someone leaning over an unmanned reception desk to view the CCTV monitor to see if their taxi had arrived.
The picture below shows a (redacted) username and password on a sticker attached to a monitor.
And at another site, the Clearway team found CCTV signage with faded, illegible contact details.
Other problems found at one or more sites included:
Failure to fit, or ensure accuracy of, signage
Failure to carry out a GDPR risk assessment prior to CCTV deployment
Leaving DVRs (digital video recorders) unlocked or unsecured – and thus accessible to unauthorised parties
Failure to ensure camera lenses were directed to capture appropriate, relevant footage
Sharing images with organisations – like the police, TfL or other security service providers – in ways that didn’t conform to regulations. This often included a failure to ‘mask’ (blur or pixellate) faces of innocent people (software is available to do this)
CCTV monitors being visible to the public
CCTV images being monitored by staff without sufficient training
Failure to change default usernames and passwords or writing them down near to the equipment
Complacent
Clearway says these problems suggest that many facilities managers, security managers and property owners either haven’t read GDPR regulations, simply don’t understand them, don’t think they apply to CCTV systems or are complacent about the risks.
Divided into tiers, maximum penalties for GDPR non-compliance are either €10m or 2% of annual global turnover; or €20m or 4% of annual global turnover (whichever is greater in each case).
The estimated 4-6 million CCTV cameras in the UK include 750,000 in ‘sensitive’ locations such as schools, hospitals and care homes, and 15,600 on the London Underground network alone. The emergence of AI-driven video analytics and facial recognition software is heightening privacy concerns expressed by civil liberties groups.
“The whole point of CCTV is security, and its deterrent factor in part, as well as recording the criminal activity to assist law enforcement bodies in detecting the perpetrators,” said Clearway’s UK CCTV Manager, Andrew Crowne-Spencer. “Therefore, if trespassers or criminals don’t even realise they’re on camera, as is what we suspect in a lot of cases, what sort of useless deterrent is that?
“And just how good are the images the cameras are supplying? If they’re grainy or blurred due to old or faulty equipment, or not set up correctly, that doesn’t help anyone except the trespassers or criminals.
“Ten years ago it was reported that 95% of murder cases investigated by Scotland Yard used CCTV footage as evidence, yet latest data suggests 80% of footage now available is of such poor quality it’s almost worthless. That apart, don’t these companies or organisations, even public sector ones, realise if they’re not properly complying with the GDPR regulation they can be penalised because of it? Sometimes to the tune of many thousands of pounds?”
Clearway advises: “The message from all this is simple. Check your CCTV systems are doing what they should and you are complying with the Regulations. Because someone, somewhere will be watching what you’re doing sooner or later.”
GDPR breaches rife among CCTV deployments, investigation finds
Adam Bannister
IFSEC Insider | Security and Fire News and Resources