What are video DSARs?
People have become more aware, informed, and empowered regarding their data privacy rights.
They want to take more control over their data. As a result, there has been a steady rise in DSARs received by companies and public bodies over recent years.
Video is a growing part of that.
We are currently collecting more video data than ever before. The number of CCTV cameras has increased to roughly 5.2 million in the UK, as have body-worn cameras by different public and private sector employees, e.g. police officers, healthcare workers, retail workers, and transportation workers.
But CCTV is no longer just under the Security team’s remit. Extracting valuable business data from a video is a growing asset - to find out about footfall, demographics, people flow, and the general behaviour of staff, customers, or visitors.
All of this data contains tonnes of personal information and can be requested by members of the public.
Video DSARs are more critical than ever before and will inevitably be something many more organisations will have to tackle on a regular basis.
“We are collecting more data, more is personalised and so there is always going to be ongoing friction between what societies and individuals expect of how data is handled.”
But what exactly are video DSARs?
DSARs give people the right to access information held about them.
Video DSARs give people the same right - to access personal information held about them in the video.
This is a result of GDPR. Under GDPR, individuals have a range of rights around how their personal data is processed by businesses, public bodies, and other data controllers. Among them is the right to access their personal data from data controllers.
“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
This is the “right of access” - where individuals are entitled to ask organisations whether they are using or storing their personal information and the right to ask for copies of this information. This right is also a way to help data subjects feel empowered to ensure their data is being processed and shared lawfully, and is reinforced in the Data Protection Act 2018.
Legally, data controllers/processors who receive DSARs have 30 days from the day they receive a request to respond.
This means they have to inform the data subject of how their data is used and why and locate and share the data they hold (unless stated exceptions apply). These requests can be submitted orally, in writing, or through social media.
For video, this means individuals can request access to CCTV footage, body-worn camera footage, or other forms of video footage the data subject is in (provided no exemptions apply).
DSARs exist to give people increased data rights. But, they also need to be carried out in a way that is respectful of the data privacy rights of all parties involved.
When video captures more than the data subject, organisations have to consider how to protect the personal information and privacy of others. This is when redaction comes in.
The redaction process is vital, as before you release any data to the data subject, you need to remove all personal data not belonging to them. Of course, there are different exceptions depending on the use case - e.g. journalistic documents, court cases, criminal cases, etc. - but knowing how to properly redact data is fundamental.