An alarming number of video surveillance systems could be in breach of GDPR, an investigation has revealed.
More than a year after the EU data protection regulation came into force, vacant-property security firm Clearway discovered myriad examples of bad practice during investigations of its nationwide client base.
In one instance a court case was dismissed due to lack of evidence after it emerged that two systems on which an intruder was filmed were set to times 17 seconds apart.
“That might sound petty,” said Clearway in its press release, “but the defence barrister asked for all camera footage to be played at the same time. As the intruder was seen on two systems at the same time (due to the timers not being synced) the barrister claimed the evidence was inadmissible […] since how could the intruder be in two places at once?”
At another site, investigators discovered someone leaning over an unmanned reception desk to view the CCTV monitor to see if their taxi had arrived (see picture below).
The picture below shows a (redacted) username and password on a sticker attached to a monitor.
And at another site, the Clearway team found CCTV signage with faded, illegible contact details.
Other problems found at one or more sites included:
- Failure to fit, or ensure accuracy of, signage
- Failure to carry out a GDPR risk assessment prior to CCTV deployment
- Leaving DVRs (digital video recorders) unlocked or unsecured – and thus accessible to unauthorised parties
- Failure to ensure camera lenses were directed to capture appropriate, relevant footage
- Sharing images with organisations – like the police, TfL or other security service providers – in ways that didn’t conform to regulations. This often included a failure to ‘mask’ (blur or pixellate) faces of innocent people (software is available to do this)
- CCTV monitors being visible to the public
- CCTV images being monitored by staff without sufficient training
- Failure to change default usernames and passwords, or writing them down near the equipment
Complacent
Clearway says these problems suggest that many facilities managers, security managers and property owners either haven’t read GDPR regulations, simply don’t understand them, don’t think they apply to CCTV systems or are complacent about the risks.
Divided into tiers, maximum penalties for GDPR non-compliance are either €10m or 2% of annual global turnover; or €20m or 4% of annual global turnover (whichever is greater in each case).
The estimated 4-6 million CCTV cameras in the UK include 750,000 in ‘sensitive’ locations such as schools, hospitals and care homes, and 15,600 on the London Underground network alone. The emergence of AI-driven video analytics and facial recognition software is heightening privacy concerns expressed by civil liberties groups.
“The whole point of CCTV is security, and its deterrent factor in part, as well as recording the criminal activity to assist law enforcement bodies in detecting the perpetrators,” said Clearway’s UK CCTV Manager, Andrew Crowne-Spencer. “Therefore, if trespassers or criminals don’t even realise they’re on camera, as is what we suspect in a lot of cases, what sort of useless deterrent is that?
“And just how good are the images the cameras are supplying? If they’re grainy or blurred due to old or faulty equipment, or not set up correctly, that doesn’t help anyone except the trespassers or criminals.
“Ten years ago it was reported that 95% of murder cases investigated by Scotland Yard used CCTV footage as evidence, yet latest data suggests 80% of footage now available is of such poor quality it’s almost worthless. That apart, don’t these companies or organisations, even public sector ones, realise if they’re not properly complying with the GDPR regulation they can be penalised because of it? Sometimes to the tune of many thousands of pounds?”
Clearway advises: “The message from all this is simple. Check your CCTV systems are doing what they should and you are complying with the Regulations. Because someone, somewhere will be watching what you’re doing sooner or later.”
Platinum Asset Protection pride ourselves on being fully GDPR compliant and work to all the latest standards and accreditations. Contact us to see how we can help you secure your site or premises whilst still remaining fully GDPR compliant.
Original Article from ifsecglobal.com