EDPS issues Guidelines on Video-surveillance

Today, the European Data Protection Supervisor (EDPS) issued a practical set of Guidelines to European institutions and bodies on how to use video-surveillance responsibly with effective safeguards in place. The Guidelines set out the principles for evaluating the need for resorting to video-surveillance and give guidance on how to conduct it in a way which minimises impact on privacy and other fundamental rights.

The Guidelines apply to existing as well as future systems: each institution has until 1 January 2011 to bring its existing practices into compliance. A consultation draft was published on 7 July 2009. The consultation process elicited feedback to improve the draft Guidelines and increased cooperation with stakeholders.

Giovanni Buttarelli, Assistant EDPS emphasised: "There are fundamental rights at stake, such as the right to privacy in the workplace. Therefore, decisions on whether to install cameras and how to use them should not be based solely on security needs. Rather, security needs must be balanced against the fundamental rights of an individual. With that said, fundamental rights and security do not have to be mutually exclusive. Using a pragmatic approach based on the principles of selectivity and proportionality, video-surveillance systems can meet security needs whilst also respecting our privacy."

Within the limits provided by data protection law, each institution and body has a margin of discretion on how to design its own system. The Guidelines are designed to allow customization. This flexibility should prevent rigid or bureaucratic interpretation of data protection concerns from hampering justified security needs or other legitimate objectives.

At the same time, each institution must also demonstrate that procedures are in place to ensure compliance with data protection requirements. Recommended organisational practices include adopting a set of data protection safeguards that are to be outlined in the institution’s video-surveillance policy and periodic audits to verify compliance. Impact assessments carried out by the institutions are encouraged, while prior checking by the EDPS will still be required for video-surveillance involving large inherent risks (such as covert surveillance or complex, dynamic-preventive surveillance systems).

Data protection should not be viewed as a regulatory burden, a "compliance box" to be "ticked off". Rather, it should be part of organisational culture and sound governance where decisions are made by the management of each institution based on the advice of their data protection officers and consultations with all stakeholders.