New Guidelines on video surveillance have been issued by the EDPS. The Guidelines set out the principles for evaluating the need for resorting to video-surveillance and give guidance on how to conduct it, with effective safeguards in place, in a way which minimises impact on privacy and other fundamental rights.
The Guidelines apply to existing as well as future systems: each institution has until 1 January 2011 to bring its existing practices into compliance. A consultation draft was published on 7 July 2009.
Giovanni Buttarelli, Assistant EDPS, in his Foreword to the Guidelines, writes:
Well-designed and selectively used video-surveillance systems are powerful tools for tackling security issues. On the other hand, badly designed systems merely generate a false sense of security while also intruding into our privacy and negatively impacting other fundamental rights.
Indeed, fundamental rights and security do not have to be mutually exclusive. Using a pragmatic approach based on the twin principles of selectivity and proportionality video-surveillance systems can meet security needs while also respecting our privacy. Cameras can and should be used intelligently and should only target specifically identified security problems thus minimising gathering irrelevant footage. This not only minimises intrusions into privacy but also helps ensure a more targeted, and ultimately, more efficient, use of video-surveillance.
Within the limits provided by data protection law, each institution and body has a degree of discretion on how to design its own system. At the same time, each institution must also demonstrate that procedures are in place to ensure compliance with data protection requirements. Recommended organisational practices include adopting a set of data protection safeguards that are to be outlined in the institution’s video-surveillance policy and periodic audits to verify compliance.
In some cases where the risks of infringement of fundamental rights are particularly high (for example, in case of covert surveillance or dynamic-preventive surveillance), a privacy and data protection impact assessment should also be carried out and submitted to the EDPS for prior checking. However, apart from these exceptions, there is no need to closely involve the EDPS in the decision-making on how to design a particular system.
Data protection should not be viewed as a regulatory burden, a “compliance box” to be “ticked off”. Rather, it should be part of an organisational culture and sound governance structure where decisions are made by the management of each institution based on the advice of their data protection officers and consultations with all affected stakeholders.
The Guidelines (64 pages in pdf) can be accessed at http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Guidelines/10-03-17_Video-surveillance_Guidelines_EN.pdf