Accountability. Implications for a Controller using CCTV.

But what is a controller, I hear you ask?! Once again we return to the “purpose and means (essential elements) of processing”. Not trying to get boring about it, but this is where the magic happens! We have some interesting and challenging situations to consider. We always need to come back to who the real controller of the camera is. Not just who put the camera up – but why? To what purpose? Who benefits? And who controls how?

We also need to consider the types of data being processed. For cameras, it’s images and sound, probably not a lot more. This data is central to our security and it is realistic to expect it will be held for a period of time.   

Cameras in communal areas of apartment blocks; cameras on the street; cameras in areas that are semi-public: they all pose challenges that are not easily explained by the GDPR. Public cameras are also on the increase. Police forces are protecting us as a community with strategically placed cameras. It seems that no matter how far we roam we are never too far away from a CCTV camera. The central question for all of us is “who is the controller?”.

So does the right of the controller to use this camera to “prevent” or “solve” crime override your rights of data integrity? The European Data Protection Board suggests a particular methodology to follow for private persons. The controller should have tried other methods and determined that this is the necessary solution. From there, they need to ensure that they are applying the minimisation principle. Video surveillance to “prevent accidents” is not proportional. Individuals should not be monitored in places where they don’t expect to be monitored, such as changing rooms or saunas.

The household or domestic exemption rule in the GDPR is viewed strictly, and is getting stricter following recent guidelines. These days, if we buy a camera for our home, we must be prepared to take responsibility for it. This means that (among other things) we should be really clear about the purpose of the camera, position it correctly and have a sign letting people know there is camera surveillance.

The whispering protocol and covid-19

A Covid-19 smart wearable using privacy-enhancing technologies popped up in my LinkedIn feed just today… I was sceptical until I started reading the academic paper for the Whisper Tracing protocol used by the product.

This product is not installed on a smart device; it is something you clip to your shirt (or whatever) that warns you if you are too close to another individual. It does not link the wearer of the wearable with an identity. The data is collected centrally, but deleted after a short time.

What is good about this product is this: with covid-19, the most vulnerable group, apart from those with underlying illnesses, is the elderly. Yet it is mainly this group that does not own a smartphone or, if they do, probably does not use it optimally, which means they are excluded.

This is great for the workplace. I know when I’m out that I’m rubbish at this social distancing. I live on an island (at least that’s my excuse), I work mainly from home, or it’s just that I get so focused on what I need to do that I don’t notice people around me. I really could do with a clip-on which beeps when I get too close to others.

It is a startup, Nodle, which produced this wearable. It will be interesting to read more on this, when I have time, and see where this wearable ends up.