A recent study by Clearway shows alarming levels of noncompliance with the new General Data Protection Regulation (GDPR), especially where CCTV is used, says Andrew Crowne-Spencer.
05 August 2019 | Andrew Crowne-Spencer
The UK has six million CCTV cameras, according to the British Security Industry Association (BSIA), while other estimates number them at fewer than two million. The average Briton is captured on CCTV around 70 times a day.
Debate rages about balancing the use of surveillance with the individual's right to privacy. Across the UK and EU there are now stringent GDPR rules covering the use of CCTV, but facilities, building and security managers and property owners have not been sufficiently compliant. They could face a hefty fine as a result.
Think about it: do you see or notice advisory signs about CCTV as often as you should? And have you any idea where all these images are stored or if they are deleted after a short time, or perhaps shared with other parties? The answers are probably 'no' in each case.
Common GDPR failings with CCTV equipment
Here are some of the key failures that came to light in Clearway's investigation of its own extensive nationwide client and contact list, in no particular order.
- Failure to fit signage or keep the information on it accurate.
- Failure to carry out a GDPR risk assessment before CCTV deployment.
- Leaving DVRs (digital video recorders) unlocked or unsecured so anyone, not just designated security personnel, has access to footage.
- Lenses of CCTV cameras misdirected, or not masked so that inappropriate footage is not recorded; and, if the data is shared with other parties, for example to monitor specific individuals, innocent people not being blurred out, which is a simple matter to deal with using appropriate modern software.
- Having CCTV monitors viewable by the public.
- Failure to train staff to monitor the CCTV.
- Leaving usernames and passwords as default settings or noted next to the equipment.
- Failure to manage images shared with other organisations such as the police, transport system authorities, or other security service providers, in accordance with regulations.
Examples of compliance failings
This is what we recently found at a site. It is a great example of common compliance failings.
- DVR on reception desk with monitor on top - no one at reception - someone leaned over the desktop to look at the monitor to see if their taxi was at the front door.
- Username and password on a sticker attached to the monitor.
- We walked outside to find all of the CCTV signage was so worn and old that the contact details had faded away and were illegible.
At another site, equipment settings were incorrect, specifically the date and time, and two systems on the same site had times set 17 seconds apart. That might sound petty, but there was a break-in. Police arrested the intruder, but when they showed the CCTV footage in court, the defence barrister asked for all camera footage to be played at the same time.
As the intruder was seen on two systems at the same time (owing to the timers not being synced), the barrister claimed the evidence was inadmissible as it was clearly inaccurate: how could the intruder be in two places at once? Case dismissed owing to lack of evidence!
The message from all this is simple. Check your CCTV systems are doing what they should and that you are complying with the regulations because someone, somewhere will be watching what you're doing sooner or later.
Andrew Crowne-Spencer is UK CCTV manager at Clearway