GDPR

Documented description of: the purpose of the video system, what information is collected, what it will be used for, by whom, and for how long.

In specific cases deemed high risk of encroaching on privacy, a formalized data privacy impact assessment (DPIA) is required.

Ensure signs are posted including details on where data subjects can find more information.

Assure information is available to any data subject on: purpose of data gathering, type of processing done (e.g. live or recorded), data retention time, etc.

Consider whether a DPIA is required.

Organizations must carefully consider and document how systems are designed to stay within the stated objectives.

Care must be paid to not capture personal data of subjects who fall outside of the domain of the system (e.g. adjacent public areas).

Careful consideration of who needs to see what information (e.g. live/recorded, timeframe, resolution) and who can access what features (e.g. search).

Use the Avigilon System Design Tool (SDT) to document resolution at different points in the camera scene, intended retention, etc.

Review roles and responsibilities for operators, investigators, system administrators and others with access to the system.

Consider restricting access to groups tasked with investigations for cameras that are specifically positioned to capture identity (e.g. faces of people entering a store).

Consider restricting access to recorded video for operators, either completely, to only the video recorded since they last logged on, or only with dual authorization.

Ensure the administrator account password is known only by specified people and that this account is used only for administrative tasks.

SDT is useful in planning a system before installation and helping to ensure that coverage, resolution, and retention are properly considered.

ACC™ offers control over user permissions, ensuring security personnel can only access the video data that they need to do their job.

ACC will control the resolution of the video displayed based on user permissions.

ACC requires explicit user permissions to access search functionality that uses personally identifiable information such as personal appearance, access control identity cards, license plates, or point-of-sale-information.

Upon request, organizations need to deliver to a data subject all the personal data collected about them, including video collected by a video surveillance system.

When delivering video to a data subject, other people appearing in the video must be masked or otherwise anonymized.

ACC enables the bookmarking and export of video.

Avigilon Appearance Search™ technology is also featured in ACC, which enables users to locate, bookmark, and export recorded video of a specific individual.

Appearance Search results can be exported by ACC while anonymizing images of all other subjects in the video.

Take all appropriate organization and technical measures to protect against compromising personal data.

Strictly adhere to GDPR guidelines on reporting breaches should they occur.

Review security policies around password control and account use.

Consider setting minimum password strength requirements for all groups. Consider setting stronger requirements for administrative accounts.

Have processes in place to audit protection status and detect breaches.

Ensure users do not share accounts, whether by sharing passwords or by not logging off/on at the end/start of their shift.

Maintain a documented policy and procedure governing appropriate actions in the event of data breach.

ACC employs security measures including strong password enforcement, connection authentication, and data encryption.

ACC provides activity logs for all user actions to enable auditors to see who accessed what resources when.