As a company owner, you may well think that you can install closed-circuit television (CCTV) cameras as you see fit on company premises, but the reality is a little different.
Whatever the reason for deploying CCTV or any other form of video surveillance, there are compliance issues that vary according to jurisdiction. Many differences relate to the privacy of those under surveillance or the location of positioned cameras. Before exploring these, let’s review some of the reasons that companies and organizations employ video surveillance.
Common CCTV Scenarios
The primary reason for CCTV usage is, of course, security (with a little cost-saving thrown in). Why employ a large security team to perform random patrols when cameras are so easy to install and monitor? Cameras can monitor the outside of the premises, the customer/employee car park, the interior of a shop, the checkout counters, and any other area you can think of. All act as a crime deterrent or offer evidence to law enforcement if a crime takes place. Sounds good, right? Cameras promote a sense of safety. Now, look at the other side of the coin.
Employee monitoring, depending on your point of view, is seen as either beneficial or intrusive. There is no middle ground. The company motivation may include theft prevention, productivity analysis (are employees spending too much time around the water cooler, for example?) or simply remote supervision, where overly hands-on managers direct employees to perform tasks as if they are marionettes in their own personal theater. Obviously, you can guess where my opinions lie. And embedded biometric chips are not the answer to employee monitoring.
If you decide to install CCTV on your premises, be aware of the regulations governing its usage in your jurisdiction. Some issues are industry-specific and may not be immediately apparent but, even so, they exist.
For example, if your camera is located in a U.S. hospital emergency room and is capturing a computer screen, it will violate HIPAA regulations, as the possibility exists that the data stored will compromise a patient’s private medical data. Ditto for any other U.S.-based healthcare organization.
Similarly, banks and other financial institutions must comply with laws and regulations surrounding the storage and dissemination of financial data. What regulations are you breaking if video captures include screenshots of financial data?
All industries: Personally Identifiable Information (PII)
Again, there is undoubtedly a case for security cameras violating privacy regulations if capturing computer screens that display PII.
What does it all mean? Well, not pointing cameras at computer screens is a good start. You cannot assume that security footage is secure or inaccessible, given that many solutions involve third-party cloud services. Malicious insiders are also a risk. Now consider monitoring an office with multiple computer screens. Where will you place the cameras? Suppose an employee has an open spreadsheet (containing all employees’ or clients’ contact information) on a mobile device as they walk under a camera?
Before committing to CCTV adoption, know your obligations.
Some of The Regulations
As it’s impossible to cover all jurisdictions and regulations in an article of this type, let’s look at a few. It’s generally accepted that locations where we expect privacy (such as bathrooms and changing rooms) are not subject to surveillance, except in defined situations involving suspected criminal activity or drug use.
In the U.K., if you process PII, you must register with the Information Commissioner’s Office (ICO). CCTV usage is governed by the GDPR and by the Data Protection Act 2018. In terms of data protection, staff monitoring is allowed, but staff have a right to be informed when it takes place. You must display signs informing staff that they may be recorded. Covert surveillance is allowed only as part of a specific investigation and must cease when that investigation is over.
However, if CCTV is used, it must only be used for a single purpose. You must control who can view recordings. Those you’re recording can request to see the footage, and you must provide it free within one month. The ICO also provides a code of practice for added insights on video surveillance.
The ICO has been handing out fines on a regular basis. Don’t believe me? You can see a list of all the GDPR penalties that have been levied since its enactment in 2017. A quick search for CCTV on enforcementtracker.com will get you a plethora of fines and investigations underway. Many of them were initiated as complaints by disgruntled employees.
I’ve selected one example – The Workplace Video Surveillance Act 1998 (NSW). This makes a clear distinction between overt and covert video surveillance. Overt surveillance overlaps with the U.K.’s position, but staff must also be informed in writing. For covert surveillance or hidden cameras, permission must be obtained from a magistrate. The covert surveillance is overseen by a licensed security operator, and placing cameras in change rooms, toilets, shower, or bathing facilities is not permitted.
Saving the best for last, it seems no specific right to privacy is defined in the United States Constitution. In fact, there are no federal laws prohibiting video surveillance (covert or otherwise) in the workplace, regardless of location. Some states, such as New York, California, and Rhode Island, do not permit cameras where there is a reasonable expectation of complete privacy.
Other states inform employees if these areas are being monitored. Perhaps the most interesting aspect of CCTV usage in the U.S. is that audio is an issue. Recording audio via CCTV violates wiretapping laws (Electronic Communications Privacy Act of 1986). I’m ignoring amendments such as the Patriot Act and CALEA that serve the ‘needs’ of law enforcement and the intelligence community.
If in the USA, consult your legal counsel for the relevant industry-specific and state law requirements. I mentioned HIPAA earlier.
For other locations, refer to privacy and data protection regulations. H.R. and legal professionals will be familiar with all requirements in your jurisdiction.
In conclusion, at this point in human evolution, the fact is that cameras are everywhere. We’re all captured by a multitude of them many times each day, on both public and commercial premises. In addition, company vehicles may have dashcams installed, and law enforcement will certainly have dashcams but could also wear bodycams. There are traffic cams. It’s impossible to list every possible scenario involving CCTV usage, but in real terms, we cannot escape daily surveillance.
But that doesn’t mean we can all place cameras wherever we like. You must be compliant with the appropriate regulations in your jurisdiction, which is why it’s worth involving a certified security company in your area. They will know what you can and can’t do in terms of camera placement and usage. It’s also worth consulting your legal team to prevent future lawsuits. Staff morale is yet another consideration… Are you absolutely certain that your CCTV setup is compliant?