With the new General Data Protection Regulation (GDPR) coming into force in May 2018, we have taken a close look at the key aspects of how it will impact on the deployment and operation of video management platforms. We also explain how we have anticipated and resolved any issues so that end-user clients can be assured that they are compliant with the Regulation when operating a Wavestore VMS solution.
GDPR stipulates data should only be kept for as long as necessary. An end-user’s data controller, e.g. a control room manager, is afforded the freedom to decide how long data needs to be retained for their requirement. To ensure that this duration is adhered to, Wavestore’s ‘Maximum Recording Duration’ feature can be enabled which means stored video and other related data will automatically be deleted after a specified period, even if there is sufficient spare disk space. To protect critical video evidence, Wavestore’s ‘Recording Lock’ feature can be used to protect selected footage from automatic deletion whilst investigations are taking place (see ‘Right to Erasure’ below).
Right to Erasure
The subject of any data recorded and stored by Wavestore cannot object to the data being kept for long periods of time if there is a good and lawful reason to do so, such as an ongoing investigation into a crime or pending court action. ‘Locked’ recording areas are therefore allowed, providing that the data controller logs the reason and unlocks the data as and when the reason has passed. Wavestore’s ‘Recording Lock’ feature can be used to ensure that this data is kept safe.
Right of Access
The Regulation states that a data controller has up to a month to comply with requests for access to data and usually cannot charge for this unless the number of requests are excessive or repetitive. The applicant should be asked to provide identification which should include a photo of themselves and specify where and when the requested images were captured.
To help data controllers comply with the ‘Right of Access’ section of the Regulation, operators can quickly and easily search for a specific date and time of day and forensically search data via Wavestore’s play-bar search feature. If required, Wavestore allows data to be exported in a variety of video formats, such as .avi files, with just 3-clicks of the mouse, whilst widely available third party ‘blur’ tools can be dynamically applied to obscure sensitive parts of a scene.
Camera View and Privacy Areas
The Regulation provides for the provision of privacy areas which prevent unauthorised users from viewing video captured in restricted areas. Wavestore provides the opportunity to apply dynamic ‘Privacy Masks’ to single or multiple areas of a field of view onto recorded video and/or live display by user privilege. These masks can be removed if necessary, on playback for example, by an authorised administrator to investigate an incident.
Lawful Processing and Opt-in
Although not directly related to Wavestore functionality, it is important to point out the need for the data controller to ensure there is a display of appropriate signage or otherwise obtain an opt-in agreement from the data subjects. This is particularly relevant where cameras are discreetly situated and/or in locations where people might not expect to be monitored.
To ensure only authorised individuals can log in, it is important that secure passwords are created for both Wavestore and the connected cameras. ‘Password Policies’ can be set by the system administrator to enforce secure password practices and it is recommended that ‘user’ level accounts are used for normal viewing. If appropriate, Wavestore can restrict an individual user’s permissions to monitor live images but prevent the review or export of recorded video. Although the export of data is logged, it is also recommended that data controllers operate a policy of tracking the movements of the data after it has been exported. In addition, Wavestore can securely encrypt data from the point of capture through to when it is viewed.
The Regulation states the need to restrict access to recorded data and to ensure there is no ability for unauthorised access. Wavestore has been designed to be a highly secure system and has no ‘back door’ access. It assigns the system’s administrator with the ability to open a port to permit authorised personnel to gain access to the recording system; even then a valid username and password set by the system administrator is required. They also have the ability to close that port when the need for external access is concluded.
For convenient and efficient management of user privileges, Wavestore is able to securely interact with Active Directory.