Whether you’re enthusiastically waving at cameras today or would rather zap them away, we can’t ignore it: Cameras are everywhere. You’ll find them in the workplace, on the streets, and yes, even inside homes. For many, this brings a sense of security and convenience, but it can also significantly impact our privacy.
For this reason, specific regulations exist when it comes to using cameras for surveillance: the camera law. Depending on the situation, GDPR also comes into play, and there’s CBA 68 when you want to place cameras in the workplace. So, it’s best to think twice before you start filming everything and everyone. Moreover, how can you best apply Data Protection by Design?
The increasing role of camera use in society
Camera use has rapidly become an integral part of our society. From security cameras in public places to smart cameras in our homes, they play a crucial role in ensuring safety and offer numerous other applications, such as visitor analysis in shops and traffic monitoring. However, with this growing role of cameras, challenges also arise in the field of data protection and privacy.
The concept of Data Protection by Design and cameras
The Data Protection by Design principle (sometimes also called “privacy by design”, Article 25 of GDPR) is essential here. This principle encourages organisations to consider the what and why, and thus also the protection of personal data (which is inherently often present in camera footage), from the initial phase of a processing activity.
Moreover, it’s important to apply this principle before starting a camera project, not the other way around. You don’t build a house first and then think about your room layout. That causes problems. With camera projects and privacy, it’s no different.
By proactively incorporating data protection into the design and involving the right stakeholders in the project, privacy risks can be limited, and companies can comply with data protection laws and regulations. So, Data Protection by Design and cameras certainly go hand in hand.
How to apply Data Protection by Design to camera use in an organisation?
Suppose you want to place a camera within your organisation, for whatever reason. How do you start with that?
- Identifying the objectives: The first and most important step is to establish the specific purpose of your camera use. Why do you need that camera? What data will it collect, and what will this footage be used for?
Additionally, you should also question whether the camera is the only and best solution (and not just the easiest). Is the camera use proportional to the proposed goal? Often, there are other valid alternatives that can achieve the same goal.
Specifically, you obtain this information by sitting down with the various stakeholders and asking them critical questions. During these conversations, it’s best to also manage expectations so that it’s clear from the start what is possible and what isn’t.
- Conducting a Data Protection Impact Assessment (DPIA): A second, equally important step is determining the risks associated with placing that camera. You can do this in a Data Protection Impact Assessment (better known as a DPIA). More than just a buzzword for Scrabble, this is an assessment in which you list all potential privacy risks associated with the project. Based on these risks, you’re then able to take appropriate measures to reduce risks to an acceptable level and comply with regulations.
An example of a risk is placing a camera in a warehouse solely to prove that people have picked up their packages. How long will you keep that data to use as evidence? This would be disproportionate processing if you know that people can simply sign upon delivery.
- Selecting suitable camera applications and technologies: Is the purpose of your camera project set, and are the risks manageable? Then you can now look at the technological aspect of your project.
When choosing camera applications and technologies, it’s also important to take data protection into account. Choose cameras that can comply with applicable privacy rules and offer advanced security features.
Also opt for cameras that don’t collect more data than strictly necessary (data minimisation) for the intended purpose, and that can be easily integrated into a secure IT ecosystem. You can do this, for example, by working with cameras that only film when there’s movement in a certain part of the image, or are activated by a motion sensor. You can also play with resolution or number of frames per second, so you record as little footage as possible while still achieving your goal.
Can you remove a camera again once it has been installed?
After some time, it’s wise to evaluate your camera project. Installing and maintaining a camera can be costly. It’s best to assess whether you’ve achieved your intended goal, or whether you can use your camera for another purpose.
In this case, you need to go through the same steps again. You may only use your camera for your initial purpose. If you want to adjust or expand this after some time, you need to perform a new risk analysis.
This is because the GDPR clearly stipulates that data cannot simply be used for an additional purpose (Article 5; it’s even one of the principles).
We must also prevent “Function Creep”. With “Function Creep”, the use of a particular technology gradually and often imperceptibly expands beyond the original purpose of the project. This can result in a breach of the data subject’s privacy.
For example: a municipality has surveillance cameras in the market square. The market vendors ask if the municipality can map out how people walk around the market, to better organise the placement of their stalls. With these cameras, and their intelligent processing, this is practically possible. But just because it can be done, doesn’t mean it’s allowed. In this specific case, it’s even almost impossible to comply with the legislation. How would you feel if you knew cameras were following you throughout the city?
Some practical tips for Data Protection by Design and camera use
- Always be transparent and inform data subjects about the use of cameras and collected data. You’re usually legally required to place a camera pictogram when you’re filming data subjects. This pictogram must be visible before the data subject is filmed.
- When installing, already plan a moment for future evaluation. This way, you can regularly review your assessment and adjust where necessary. It can be helpful to revisit your DPIA after some time and evaluate whether the proposed goal has indeed been achieved and whether the risks are still under control. Further adjustments are often necessary.
- Also, definitely check whether all formulated requirements in the context of the DPIA have been followed up.
- Using cameras for purposes other than the initial ones is a good economic idea, but don’t forget to go through the entire exercise for these other purposes as well.
- Nowadays, even cheap cameras are equipped with smart technologies. Make use of them and film as little unnecessary material as possible while still achieving your purpose.
A camera doesn’t necessarily have to conflict with the privacy of the data subjects. However, it’s important to always be critical and not just place cameras and start filming people haphazardly. Nobody likes that, and certainly not the authorities.