After federal states decided to equip the police with body cam technology, and after its successful introduction in some federal states, private security companies are now also following this path and equipping their employees with body cams.
Not a bad idea, one might think, but how does it look in reality, how are the requirements of data protection fulfilled?
If you look more closely at the reality and deal more intensively with the topic of data protection and body cams, it is hard to imagine that the data protection requirements can be fulfilled or guaranteed at all. A look at the guidance provided by the data protection supervisory authorities on the use of body cameras suggests that companies quickly reach their limits.
So what exactly is important when using body cams in the private security industry?
GUIDELINE GDPR-COMPLIANT USE OF BODY-CAMS IN THE PRIVATE SECURITY INDUSTRY
I would now like to describe in more detail here exactly what private security companies must adhere to and demonstrably implement in order to be able to use body cam technology in a GDPR-compliant manner.
The GDPR components of the use of body cams
Basically, the following circumstances must be checked when purchasing a body cam:
- Which hardware/software will be shortlisted?
- Who is responsible for hosting and administration of the technology?
- For what purpose is the camera technology used?
- Were all the documents created for the operation of the body cam technology?
- Are all necessary contract documents available?
- Were all employees trained accordingly?
- Is a daily assignment log maintained?
- Has the use of the body cam been taken into account in the service instruction?
Basically, it is now only a matter of working through the above 8 points properly and conscientiously in order to achieve a high level of data protection. Here are some tips and information on how you can accomplish these points without much stress, without high costs and with as little time as possible.
Point 1: Which Hardware/Software Is Shortlisted?
There are numerous products and solutions on the body cam technology market. The decision about which body cam technology and software to use can be made quite easily. It is important to avoid products that are manufactured and hosted in so-called unsafe third countries, e.g. the USA or China. The purchase price may well be attractive, but in terms of data protection there are hurdles to overcome that quickly make the savings forgotten. The shortlist should only include technology that is manufactured in Germany or within the EU and complies with the German Data Protection Act (GDPR). This will save you a lot of hassle and considerably reduce the data protection effort involved.
We can recommend the body cam from NetCo Professional Services GmbH, based in Blankenburg in the Harz region. The NetCo Body Cam fulfills the requirements of the GDPR in terms of technology and software and also offers an interesting price/performance ratio.
Point 2: Who Is Responsible For Hosting And Administration Of The Technology?
Let’s stay with NetCo’s body cam to better illustrate the topic. A body cam always consists of three essential components. These are:
- The body cam
- The server software
- The client software for the PC
The operation of the server application can be realized in two ways:
- Third party hosting by NetCo
- Self-hosting by the client
Description Third Party Hosting by NetCo
In order to be able to fully use, administer and adjust the body cam, the corresponding administration software (server application) must be installed and operated on a web server. Here NetCo offers the full service, i.e. NetCo takes over the hosting for the company and also ensures the secure and current status of the server technology and software. This procedure is described as third-party hosting and requires a list of technical and organizational measures (TOM), which must be proven in a data protection documentation (see point 5). In order to fulfill this point, NetCo provides this directory (TOM) to the customer. Similarly, NetCo provides a contract for the order data agreement, which is essential for point 6.
The advantages of this variant are obvious. The customer has very little work and does not have to create his own documentation in terms of GDPR, but it is instead provided by the manufacturer. In addition, the server location is in Germany and therefore meets the requirements of the GDPR.
Description self-hosting by the client
Of course, there are reasons and requirements for running the body cam server application on your own web servers. However, it should be noted that in this variant the customer must create the list of technical and organizational measures (TOM) for server operation and also provide proof of this. It is also important to ensure that the server is located within the EU and that no data is communicated to an unsafe third country. In addition, operation in cloud applications from Google and Amazon (AWS) must be documented separately and proven by a so-called data protection impact assessment (DSFA).
Point 3: For What Purpose Is The Camera Technology Used?
When it comes to using body cam technology for one’s own company or on behalf of third parties, the hurdles of data protection are relatively high, and many of the commonly stated purposes of use turn out not to be GDPR-compliant. This raises the question: When is the use of a body cam compliant with data protection?
The answer to this is given by the German Data Protection Conference as follows:
The use of the body cam in accordance with data protection must be measured against Article 6 (1) f of the General Data Protection Regulation (GDPR) and Section 4 of the Federal Data Protection Act (BDSG). According to this, the processing of personal data is permissible insofar as it is necessary for the exercise of domiciliary rights or the safeguarding of legitimate interests (1.) of data controllers or third parties is appropriate (2.) and necessary (3.) and provided that the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, do not prevail.
As far as the use of body cams and mobile cameras (e.g. for construction site monitoring) is concerned, the following reasons can be given as the purpose of use:
- Protection of security service employees from assaults
- Subsequent identification of the crime suspect
- Securing evidence for possible civil claims
Note: Reasons that relate to the purpose of solving crimes should be avoided here, however, as solving crimes is the sole responsibility of the law enforcement authorities.
Point 4: Have All Documents For The Operation Of The Body Cam Technology Been Prepared?
The GDPR-compliant use of body cam and mobile camera technology must always be considered from two sides. On the one hand, there is the manufacturer of the technology and, on the other hand, the user, i.e. the responsible party. If we now assume that the manufacturer has taken into account all the requirements of the GDPR, it is now up to the responsible body to correctly process its GDPR implementations and document them accordingly. This includes the following activities:
- Creating a camera security concept
- Creation of a processing directory for the camera technology and for the corresponding software
- Creation of a list of technical and organizational measures (TOM) for internal measures
- If the software technology is operated on its own server, a list of technical and organizational measures must also be drawn up for it
- Creating an authorization concept (Who is allowed to work with the camera? Who administers the server software? Who operates the client software? Who has access to the data and when, etc.?)
- Creating a deletion and back-up concept
- Creating the daily operation protocol for the camera deployment
- Ensuring that all employees who work with personal data have appropriate training certificates
Admittedly, a lot of paperwork, but absolutely necessary. In order to be able to fulfill these documentation requirements 100%, the use of so-called data protection management software is recommended.
Data Protection Management Software
We recommend our data protection management software so that you can document and prove your data protection clearly and up-to-date. With our DMS, you can create all the necessary documents (processing directories, TOM, DSFA) with just a few clicks and also receive all the necessary information provided. In addition, our software has an integrated and GDPR-compliant video conferencing system, a whistleblower system and an eLearning platform for internal training.
Point 5: Are All Necessary Contract Documents Available?
Without contract documents, complete and GDPR-compliant documentation is inconceivable. In basic terms, you must bind all partners and companies that have a direct or indirect influence on your body cam use with contracts for commissioned processing and also guarantee the suitability of the corresponding companies. Here is a short overview of the contractual partners that may be relevant for your project:
Contract for commissioned data processing
- Manufacturer / Distribution of the body cam
- Hosting provider, if the software is hosted on your own server
- When using an external data protection officer
- When using external DPM software
Joint responsibility contract
In the case of private security companies, it is also important to ensure that, if the body cam is used on behalf of the customer (e.g. for ShopGuards, Doorman, etc.), a joint responsibility agreement is in place.
Point 6: Have All Employees Been Trained In Data Protection?
When using body cam technology, there are 3 types of employees to consider.
- Employees who operate a camera in the field
- Employees who edit corresponding image / video material in the follow-up
- Employees who administer the software and servers in the case of “self-hosting”
The training courses should have different focuses, depending on the type of handling of the technology, so that the relevant employees are precisely trained for their work and can demonstrate the corresponding expertise. The training courses should be repeated every 12 months.
All training courses are already prepared in the Pro Version via the DPMS Management System provided by us, thus enabling fast and smooth training success.
Point 7: Is A Daily Operations Log Maintained?
In order to be able to record and prove the period of use and the actual recording times without any gaps, it is mandatory to keep a so-called use log. How this is kept and which software is used for it plays a subordinate role. Certainly, some people think that the camera technology logs all essential details and stores them in so-called log files, but some data is required that cannot be recorded by the technology.
For interested users, we offer our digitalized application protocol for body cams in two different application forms.
- Deployment protocol for shared responsibilities
- Deployment protocol for public transport deployment
You are welcome to take a look at our digital deployment protocol for shared responsibilities without commitment. Please use the following link and the following user data:
Client ID: 86e0b665-2022 | Client Number: 50500
Questions About Data Protection And Body Cam?
If you have any questions or would like additional information about data protection for body cams, you may contact us at any time. We will be happy to answer your questions and advise you on this subject.