GDPR - keeping people's personal data safe and secure
The GDPR (General Data Protection Regulation) is EU legislation that applies from 25 May 2018 and replaces the existing UK data protection legislation. It applies to every organisation that holds (data controllers) and/or processes (data processors) personal data. Full details can be found on the Information Commissioner's Office (ICO) website.
TouchByte views good data protection as a continuous process and has always sought to uphold the highest data protection standards. We have compiled this document to cover the Video Analytics and Recognition features of our solutions.
- Customer – a client of TouchByte
- Data Controller – ‘A controller determines the purposes and means of processing personal data’. In TouchByte’s Video Analytics installations, our Customer is the Data Controller.
- Data Processor – 'A processor is responsible for processing personal data on behalf of a controller'. In a typical TouchByte Video Analytics installation either TouchByte or the Customer is the Data Processor.
- End User or Visitor – a client of the Customer.
- Personal data – ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’. If processing personal (or sensitive) data, there must be a lawful basis.
- Sensitive personal data – these are special categories of personal data which include biometrics ‘where processed to uniquely identify an individual’.
Summary of GDPR requirements
In summary, the GDPR demands that organisations comply with data protection legislation and good practice including:
- Processing personal information only where this is strictly necessary for legitimate organisational purposes
- Collecting only the minimum personal information required for these purposes and not processing excessive personal information
- Providing clear information to individuals about how their personal information will be used and by whom
- Only processing relevant and adequate personal information
- Processing personal information fairly and lawfully
- Maintaining an inventory of the categories of personal information processed
- Keeping personal information accurate and, where necessary, up to date
- Retaining personal information only for as long as is necessary for legal or regulatory reasons or for legitimate organization purposes
- Respecting individuals’ rights in relation to their personal information, including their rights of subject access
- Keeping all personal information secure
- Only transferring personal information outside the EU in circumstances where it can be adequately protected
- Applying the various exemptions allowed by data protection legislation
- Developing and implementing a PIMS (Personal Information Management System) to enable the policy to be implemented
- Where appropriate, identifying internal and external stakeholders and the degree to which these stakeholders are involved in the governance of TouchByte's PIMS
- Identifying the workers with responsibility and accountability for the PIMS
Therefore, the following information outlines TouchByte's methods and guidelines for complying with the GDPR requirements within the remit of the services and solutions provided by TouchByte to our customers. It also outlines the GDPR responsibilities of TouchByte and of the Customer when using TouchByte services and solutions.
TouchByte Services – Single and Multi-Visit Categories
TouchByte provides Video Analytics systems which analyse video streams, detect faces and use a facial recognition algorithm to estimate each face's age and gender. If required, the system can store a face's biometric template for a defined period of time in order to determine whether the same face has been seen across multiple cameras, e.g. an entry and an exit camera, which allows an average dwell time to be calculated. The system can also store an individual's face template in a 'gallery' along with an identifier. This allows that person to be identified on subsequent visits for as long as they remain in the gallery.
The data captured is split into the following two categories, each of which has different GDPR implications for both TouchByte and our customers.
- Single visit anonymous category
- Multi-visit category
Single Visit Anonymous Category
TouchByte Solutions allow customers to capture data relating to single visits. A 'single visit' is one visit by an end user, who may be picked up by multiple cameras at different locations on the site. For example, a visitor to a store is captured on a camera at entry, at multiple points within the store and at the exit. This data is retained only for the duration of the visit and is not linked to any other historic or future visits or other data points. From a single visit, the information captured is used for recording footfall (number of visits to a store), demographic information (age and gender only), dwell time (how long in store) and flow (how the visitor travelled through the store).
The relevance of single visits to the GDPR is that no biometric data is retained once the visitor has left the location, so subject access requests cannot be matched to any individual and do not apply. When the Video Analytics system is configured for anonymous footfall and demographic purposes, images, video and face templates are deleted once the visitor has been counted and the demographic estimate has been determined. Note that the transient processing of the video stream into a biometric template is still processing of special category data (see the ICO response at the end of this document); it is only the retained output that is not. The only information retained is the count, date, estimated age and estimated gender, which cannot be traced back to an individual.
TouchByte's responsibility with regard to the GDPR for single-visit data is to ensure that all images and biometric information are deleted as soon as the count and demographic estimate have been produced, so that nothing biometric persists beyond the visit.
The Customer's responsibility is to ensure that their IT, CCTV and video systems are secure from external threats.
Multi Visit Category
TouchByte Solutions allow customers to capture data relating to multi-visit categories. A 'multi visit' is an end user with multiple entries into one or several locations within the customer's network. For example, a visitor's biometric data is used to link several visits to a number of locations at different times and dates.
Visitors in this category have either:
- Voluntarily opted into the scheme and so provided 'consent' (membership and loyalty schemes, disability-inclusive developments, etc.), or are covered by a 'contractual obligation' (e.g. employee access) under ICO guidance, or
- Are processed under another lawful basis: 'legal obligation', 'vital interest', 'public interest' or 'legitimate interest'. Examples would include capturing data on known shoplifters, troublemakers or individuals that pose a security risk. Because a biometric used to uniquely identify someone is special category data, one of the Article 9 conditions (such as explicit consent or substantial public interest) must be met in addition to the Article 6 lawful basis; 'legitimate interest' on its own is not sufficient.
For this category, a biometric template is captured and stored (enrolled) in advance. When the visitor subsequently visits a site, their live biometric is matched against the stored template. TouchByte stores the resulting end-user biometric information and tracking data. TouchByte does not hold the personal information collected as part of the initial enrolment, as this is stored by the Customer and falls under the Customer's GDPR responsibilities.
TouchByte therefore holds the original image and the biometric data within the system. The personal information that links to the biometric data is held by the Controller, i.e. the Customer.
TouchByte's responsibility for multi-visit data is to ensure that any enrolled biometric information is held securely and kept up to date, with controlled access and managed deletion.
The Customer's (Data Controller's) responsibility for multi-visit data is to ensure that they are fully compliant with GDPR requirements for the information that they retain within their own systems.
TouchByte GDPR Data Security Safeguards
As part of TouchByte’s commitment to GDPR, for all systems implemented by TouchByte, the following data security precautions are taken:
- Cameras will be connected directly to an edge processing device and their video feed will not be available over the general network
- All computer systems (including edge processing devices) will operate on software encrypted hard disks (Windows BitLocker)
- Where stored, biometric data is held as a feature template rather than an image and is not designed to be reverse engineered into a human-recognisable picture; it is nonetheless treated and protected as special category data
- All computer systems (including edge processing devices) will be configured with username / password logins and any default administration accounts will be disabled.
- Username access will be granted to named individuals only.
- All data will be stored in a database that accepts connections only from the local host
- No data will be shared, merged or combined with other sources without a privacy impact assessment being completed jointly by TouchByte and our customer.
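Safeguards of this kind drift after installation, so a practitioner will want a repeatable check. The following PowerShell audit script is an added example (not TouchByte's own code) that tests a Windows host against the BitLocker, account and database-binding points in the list above. The database port (5432), the approved operator list, the requirement that the database bind to loopback only, and the choice to run it from an elevated session are assumptions; camera isolation is a network topology property and is not checked here.

```powershell
<#
  Added example (not TouchByte's own tooling): audits a Windows host against the
  safeguards listed above. Assumes an elevated session on Windows 10 / Server 2016+
  with the BitLocker and Microsoft.PowerShell.LocalAccounts modules available.
  $DbPort and $ApprovedUsers are illustrative assumptions; adjust per site.
#>
param(
    [int]$DbPort = 5432,                        # assumed TCP port of the local database
    [string[]]$ApprovedUsers = @('ops.jsmith')  # assumed list of named operator accounts
)

$findings = [System.Collections.Generic.List[string]]::new()

# Safeguard: all disks encrypted with BitLocker and protection switched on.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
        $findings.Add("Volume $($vol.MountPoint): status $($vol.VolumeStatus), protection $($vol.ProtectionStatus)")
    }
}

# Safeguard: default administration accounts disabled, named users only.
# The built-in Administrator and Guest accounts always carry RID 500 and 501.
foreach ($u in Get-LocalUser) {
    $rid = $u.SID.Value.Split('-')[-1]
    if ($rid -in @('500', '501')) {
        if ($u.Enabled) { $findings.Add("Default account '$($u.Name)' (RID $rid) is enabled") }
    }
    elseif ($u.Enabled -and ($u.Name -notin $ApprovedUsers)) {
        $findings.Add("Enabled account '$($u.Name)' is not on the approved named-user list")
    }
    if ($u.Enabled -and -not $u.PasswordRequired) {
        $findings.Add("Account '$($u.Name)' does not require a password")
    }
}

# Safeguard: database reachable only from the local host.
# Any listener bound to 0.0.0.0, :: or a real interface address is a finding.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $DbPort -ErrorAction SilentlyContinue
if (-not $listeners) {
    $findings.Add("No TCP listener on port $DbPort (database not running, or port assumption wrong)")
}
foreach ($l in $listeners) {
    if ($l.LocalAddress -notin @('127.0.0.1', '::1')) {
        $findings.Add("Database port $DbPort is bound to $($l.LocalAddress); expected loopback only")
    }
}

# Camera isolation (cameras on a dedicated link to the edge device) is a network
# topology property and is verified separately; it is not checked here.

if ($findings.Count -eq 0) {
    Write-Output 'PASS: all checked safeguards are in place'
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

Run it from an elevated prompt on each edge device and server; the non-zero exit code on any finding makes it usable as a gate in a deployment pipeline or a scheduled compliance check.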
TouchByte consulted the ICO with regard to our policies and the ICO provided the following response on 'category data': "From the information you have provided when the video stream is being processed to produce biometric data then at this point you are processing special category data as the individual is identifiable. Once all the images etc. are deleted and you only hold the estimated age and gender then it would not be special category data." – ICO