Data privacy law compliance is in large measure about showing your work. Five years into the swell of new comprehensive data privacy laws, privacy teams are getting used to ensuring their organization’s personal data activities are well documented. This means creating records—often lots of them. And for records managers, this means sorting out retention practices for all these new records.

This article identifies some key privacy law compliance records that records managers will likely encounter, and discusses how to apply classic retention principles to determine appropriate retention periods.

Types of Privacy Law Compliance Records

Article 30 of the GDPR requires organizations to maintain detailed records of their processing activities. This necessitates creating written documentation of processing activities and making them available to data protection authorities. Under CCPA, as well as a growing number of U.S. state privacy laws, organizations must analyze the risks associated with their processing activities through privacy impact assessments. Other records frequently generated through privacy law compliance include data transfer impact assessments before transferring personal data across borders, responses to data subject rights requests, breach assessments and notifications, personal data audits, and privacy-by-design assessments, to name a few.

Privacy law compliance records tell your organization’s story with respect to its personal data processing activities, such as its commitment to the letter of the law, thinking through privacy risks, respecting data subject rights, and curing defects.

Applying Basic Records Retention Principles to Privacy Compliance Records

By now we’re well acquainted with the storage limitation principle in data privacy—keep no longer than necessary. This has sent records managers scrambling to reduce retention periods for personal data. However, applying such aggressive deletion practices to data privacy compliance records can land your organization in regulatory trouble. For these, the tried-and-true general rules of identifying applicable legal requirements, and balancing risk with business need, are still largely your best practice.

Express Legal Retention Requirements

While less common than for other record types, there are still a number of express legal retention requirements that apply to data privacy compliance records. Breach investigation and notice records is a good example of where some of these can be found. Under Canada’s Breach of Security Safeguards Regulation, organizations must keep breach records for at least two years after the breach.[1] In Iowa, state law mandates a five-year retention period for records documenting an organization’s determination that consumer notice of a breach is not legally mandated.[2]

Another area for express legal retention requirements is under laws governing requests by data subjects to exercise data privacy rights. Under CCPA regulations, for example, an organization must maintain records of consumer requests for at least 24 months.[3] Colorado’s Privacy Act regulations obligate controllers to retain records documenting responses to their consumer data rights requests for the same period.[4]

While the GDPR does not specify retention periods for records of processing activities under Article 30, the subject is not without legal guidance. In 2017, the Belgian Data Processing Authority recommended keeping Article 30 records of processing activities for five years after termination of the processing activity.

But don’t let your search for legal retention requirements stop at data privacy-specific laws and recommendations. Retention periods in broader regulatory requirements can encompass records in your privacy compliance program, and where those are longer, they should be followed.

Where No Legal Retention Requirement Applies

When a record isn’t subject to an express retention requirement, records managers must balance business needs and legal risks to determine an appropriate retention period. To do this, records managers must ask how long their organization may need to justify its practices. This can mean turning to applicable statutes of limitation for guidance.

While statutes of limitations are not legal retention requirements, they’re a good measure of the time you may be called on by data privacy regulators or consumers to show compliance. Under the CPPA, administrative actions must generally be commenced within five years. The Illinois Supreme Court also in February clarified the general statute of limitations for civil claims under the state’s Biometric Information and Privacy Act (BIPA) is five years. But oftentimes, business need necessitates retention for longer than any regulatory or legal need, so whether to use an applicable statute of limitations as your retention benchmark must be evaluated on a case-by-case basis.

Conclusion

When setting retention periods, it’s crucial to understand the types of records your organization generates and which laws apply to these records. But knowing an organization’s specific regulatory and jurisdictional retention requirements, as well as balancing business needs and risk to determine retention periods, is something records and information management professionals have plenty of experience doing. For data privacy records compliance, it’s a matter of applying some trusted and familiar tools to a new set of records.

As privacy regulation expands, expect a lack of comprehensive privacy compliance recordkeeping to be a big part of regulatory actions. As a RIM professional, you can play a crucial role in ensuring your organization isn’t among those involved in these actions.

[1] Breach of Security Safeguards Regulations (SOR/2018-64) (amended Nov. 1, 2018): https://laws-lois.justice.gc.ca/eng/regulations/SOR-2018-64/page-1.html#h-858504

[2] Iowa Code 2023, Section 715C.2(6): (https://www.legis.iowa.gov/docs/code/715C.2.pdf)

[3] Cal. Code Regs. tit. 11 § 7101(a).

[4] 4 CCR 904-3-6.11.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Navigating Retention of Data Privacy Compliance Records appeared first on Zasio.

Author: Frank Fazzio, IGP, CRM

Analyst / Licensed Attorney

The post Staying One Step Ahead of Cyber Criminals: NYDFS Updating Cybersecurity Regulation for 2023 appeared first on Zasio.

In another email, you learn an engineer realized they accidentally sent two large customer files early last week…to the wrong customer. Follow-ups to the recipient and their team have gone unanswered. A third email mentions someone from recruiting managed to check out several hard copy HR files the day before being terminated for cause. The files were not returned. Emails to the former employee’s personal address are bouncing, and they are believed to have started some travel abroad.

It’s looking to be a fun week, and some questions start to race into your mind:

• Are any of these incidents a data breach?
• Was customer confidential information exposed? What about sensitive personal information or company trade secrets?
• Does your organization have any notification obligations, and to whom?
• What policies were in place relevant to these incidents and how were they violated?
• What mitigation measures must the organization immediately take?
• What should the organization do now to help prevent these types of things from happening again?
• Managing records and information means keeping them secure. And these are a few of the questions that you—a records and information management professional and member of your organization’s information governance team—would need to help confront should any of these hypotheticals occur.

For RIM professionals, information security is an undeniable part of the job. But for the non-security professional, learning information security can be intimidating. Fortunately, knowing a handful of basic principles will help you get a good start.

What is Information Security?

It helps to understand exactly what information security means. At its core, information security is about protecting your organization’s records and information from loss. Technologically complex, external threats like malware attacks tend to occupy headlines; however, RIM professionals should not discount the risks posed by internal actors, including by mere carelessness. By many estimates, insider threats—including carelessness—are the primary cause of data breaches. Even temporary and seemingly inconsequential unauthorized access or use of information can easily constitute a data breach under most definitions, which may trigger legal and contractual notice obligations. The errant hypothetical email in this article is one way information security can be compromised by accident.

Where does information security start?

It is helpful to think of information security as bundles of threes. The first bundle consists of the three types of security safeguards—physical, technical, and administrative, which are also commonly called controls.

1. Physical, technical, and administrative safeguards (PTA).

Physical safeguards are things such as closed-circuit surveillance, alarms, locks, as well as physical walls and fences. While the digital age puts IT security at the front of most peoples’ minds, it’s important to not overlook your physical security controls—particularly when it comes to physical records, as strong physical safeguards are among the best protections against loss.

Then there are technical safeguards, such as encryption, firewalls, security information and event management tools (SIEM), anti-virus software, and firewalls. Technical safeguards tend to be the domain of your IT security experts; however, it’s necessary for RIM professionals to have a healthy understanding of technical safeguards, how they work, and how they interact with the records and information you manage. Information governance is the mother of all collaborative efforts, so knowing your technical safeguards will only improve your ability to partner with the IT security members on your information governance team.

Lastly, administrative safeguards are things such as your company’s security policies and procedures, as well as employee training and education. Policies are often considered the bedrock of an information security program, and an area where you, as a RIM professional, can have significant influence when it comes to how these policies will intersect with the records and information you manage.

2. Confidentiality, integrity, and availability (CIA).

The purpose of information security is to preserve information confidentiality, integrity, and availability. Preserving confidentiality means protecting information from unauthorized access or disclosure. Information integrity means safeguarding its authenticity, accuracy, and completeness. And information availability means knowing it will remain accessible when needed to those who have been authorized to use it. Information CIA should be your goal when developing any records and information security measure, so think thoroughly through how each measure will maintain information CIA.

3. The three phases of information security.

Prevention, detection and response, and remediation is the last information security bundle of threes. Preventative security means taking steps to limit the risk of a breach. While it’s impossible to eliminate all risks, ensuring you have taken every reasonable step in light of the risks and the type of information you oversee is expected. Making sure your organization has proper CIA safeguards is key to ensuring your organization has adequate preventative measures. As a RIM professional, you’re most likely to be involved in the preventative side of security, but in this capacity, you may have many roles. Designing policies and procedures to protect records and information is one area where RIM professionals can contribute a lot. So is developing training and education to make sure record custodians know their security responsibilities.

Breaches will happen—that is a fact of life—so it is imperative you’re able to quickly detect security failures and mount an appropriate response. Essential to any detection and response strategy is having a well-vetted incident response plan. A good way to vet your incident response plan is to conduct tabletop exercises to work through scenarios like the ones in this article. Doing this will help expose flaws in your response plan, which allows you to improve it before it gets tested in real life. Your security team should be performing tabletop exercises at least annually. If you or a member of your RIM team does not participate in your company’s tabletop exercises, ask to be involved.

Finally, remediation means analyzing the cause of a breach and improving (again using CIA safeguards) security to make sure such a breach cannot happen again. Like prevention, remediation is an area where RIM professionals can play an important role, particularly when your organization is developing new policies and procedures, as well as educating employees on new security risks and prevention.

Understanding Your Information is Key to Knowing What Security is Appropriate

You’ve heard this before, but it’s worth repeating: to have any hope of securing records and information, you must know what information you have, where it’s located, and what it’s used for. A data inventory details what records and information an organization collects, stores, uses, and discloses—both internally and without outside parties. A proper data inventory will also cover both customer, proprietary, and employee data. And depending on the kind of information your organization handles, a data inventory may be legally required. Identifying data types and classifying information helps it get assigned the level of protection it needs, and in many cases, is legally required to have. Once assembled, make sure your data inventory gets regularly updated.

Conclusion

All of the hypotheticals at the beginning of this article could easily constitute a data breach. But with good information security, the likelihood they will result in harm, or even be able to happen in the first place, goes way down. As a RIM professional, your knowledge and skills can be a vital asset for developing and maintaining proper security for the records and information you manage.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Managing Means Securing: Information Security for RIM Professionals appeared first on Zasio.

Privacy, however, can be a puzzling topic to approach. Formal RIM texts frequently contain little privacy. And a RIM professional’s first experience many times involves jumping headlong into some involved issues, and without much exposure to the foundations. This can be like being handed a pair of scrubs and pulled into the operating room without completing a surgical residency, let alone medical school.

In the U.S., federal privacy laws are a potpourri of requirements that apply based on the market sector, type of entity, or type of data you’re involved with. Bringing in knowledgeable legal counsel is often essential to help navigate RIM-privacy issues. But it’s also helpful to step back and gain a greater understanding of privacy’s rich backdrop to bring your issues into sharper focus. More privacy fluency will lead to better conversations with your legal team and the departments whose records you oversee. Further, it will boost your ability to spot privacy issues in the first place.

With the right knowledge (and with a knowledgeable team), RIM-privacy issues can be one of the more rewarding parts of managing a records program. With this in mind, below we’ll explore some privacy fundamentals for RIM professionals.

So What is Privacy, Anyway?

Information privacy is the rules around the collection, use, and disposal of personal information. It’s the degree of control a person has over information about them, and thus, another’s obligations with that information.

There are a handful of types of privacy. These include special—often called territorial—privacy (think keeping the inside of your home free from prying eyes) or communications privacy (no eavesdropping on telephone conversations). But overwhelmingly, it is information privacy—also called data privacy—that concerns the RIM profession. Still, defining privacy only gets you part of the way there. The bigger challenge is recognizing what information must be treated as personal information.

So what is Personal Information?

What’s considered personal information is very broad. Generally, it’s any information that can be used to identify a specific person. There are the most apparent pieces of personal information, such as an individual’s name, telephone number, or physical or email address. Audio, photos, and video of a person also often constitute their personal information. These are examples of a single data piece that directly identifies a person (a direct identifier). Personal information, however, also includes multiple data pieces that individually don’t identify a person, but taken together, can reveal much about a person. This is referred to as an indirect identifier.

Many indirect identifiers will fall into another category of personal information known as sensitive personal information. Examples include religious or racial information, political beliefs, health information, genetic information, or sexual orientation. Privacy laws guard sensitive personal information much more closely. Public expectations on how sensitive personal information is collected, handled, and shared are equally strict.

Information’s status as personal information doesn’t have to be static. Personal information ceases to be such if it has been sanitized to no longer be able to identify an individual. There are a variety of techniques to achieve this. Information is anonymized if the process is irreversible—i.e., an individual can never again be identified using it. In contrast, deidentified data has only had the known direct and indirect identifiers removed. And pseudonymized data has had only the direct identifiers removed. For deidentified and pseudonymized data, the process isn’t permanent, so it should be treated accordingly. True anonymization is difficult to achieve, and information should never be presumed to be anonymized.

Information Privacy Has Been Around For a Long Time

Information privacy is a hot topic right now, which can make it seem like a relatively new concept. A privacy expert of 20 years might seem like an elder statesman in many circles.

In reality, information privacy has been around for a long time. Notions of information privacy show up in Aristotle’s writings in the 4th century BC.[1] The Bill of Rights completed all the way back in 1791, enshrines certain information privacy rights guaranteed by the government.

And it was in 1890 that a young lawyer named Louis Brandeis—still decades away from becoming one of the nation’s most influential Supreme Court justices—prophetically helped write that “Numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”[2]

To put information privacy’s age in further perspective, the Privacy Act of 1974, which broadly regulates the federal government’s use of personal information, is nearing its 50th birthday. It’s the technological advances of the last few decades, though, that have made privacy a top concern. Recent technological change has drastically increased the sophistication with which personal information is collected in our digital world and the degree to which information is used to influence human behavior.

Where Did Modern Privacy Laws Come From?—FIPs

Fair Information Practices (FIPs)—Also called Fair Information Principles, or Fair Information Privacy Principles (FIPPs)—are sets of principles on the collection and use of personal information. FIPs are not laws, but often form the backbone of information privacy laws. Many government agencies and intergovernmental organizations developed their own FIPs during the last half-century. FIPs attempt to capture consensus on the rights and obligations surrounding personal information.

One consistency in all FIPs is that a person retains a level of ownership of the information about them, even though they may have chosen to expose their information to another. When managing your records program, the best way to think about personal information is that you are merely a custodian—and have a limited right to use it, along with certain obligations that go along with that use.

FIPs’ incorporation into information privacy laws has given these laws many common elements; nonetheless, not all data privacy laws operate the same way. There are two basic but competing approaches to information privacy laws—the comprehensive approach and the sectoral approach; both of these are described in more detail below.

The Comprehensive Approach

The European Union’s Global Data Protection Regulation (GDPR) (2018) is the most well-known example of comprehensive privacy law; it declares information privacy a fundamental human right. Under the GDPR’s comprehensive approach, the same privacy rules apply across commerce. It doesn’t matter what industry or market you’re in, or what type of personal data you’re handling (whether it’s personal health data or financial information) a comprehensive privacy law imposes a baseline set of rules.

The GDPR applies to organizations in the EU; but it also operates as an ‘extra-territorial’ law—in other words, you don’t have to be in the EU for the law to govern your collection and use of EU personal information. If a commercial organization targets individuals in the EU—such as marketing to them through a website in the U.S. or monitoring their behavior through cookies—the organization is subject to the GDPR with respect to that personal information. The GDPR also regulates the transfer of personal information outside of the EU, meaning certain conditions must be met if your U.S. organization receives the personal information of people in the EU.

The Sectoral Approach and U.S. Privacy Laws

Unlike comprehensive laws, federal privacy laws in the U.S. are specific to different market sectors, entities, or data types. The following are five frequently encountered sectoral U.S. privacy laws:

HIPAA: Rules under the Health Insurance Portability and Accountability Act require that ‘covered entities (health insurance companies, most healthcare providers, and healthcare clearinghouses), must comply with a baseline set of privacy and security rules concerning personal health information. These rules also mandate that ‘business associates’ (e.g., a contractor handling personal health information for a ‘covered entity’) agree to certain privacy and security requirements.

Contrary to some popular perceptions, HIPAA regulates health information based on who possesses it (like your doctor’s office), and not across the board. As a result, while HIPAA requires your doctor’s office to safeguard your personal health information, it does not prevent a restaurant from requiring proof of your COVID vaccine and does not regulate your health data stored in a favorite health tracking app, like Fitbit.

FCRA: The Fair Credit Reporting Act regulates consumer reports like the credit report created when you applied for a loan, or the background check your employer ordered when you were hired. Under FCRA, your data in a consumer report must be accurate and relevant, and you have certain rights to access and correct this information.

GLBA: The Gramm-Leach-Bliley Act requires financial institutions to safeguard your financial information. It also requires financial institutions to notify you of their privacy policies, including what information is collected about you, with whom it is shared, and how an institution uses and disposes of it.

CAN-SPAM: This law with a stemwinder of a title (the Control the Assault of Non-Solicited Pornography and Marketing Act of 2003) regulates commercial email. The law requires senders of commercial emails to clearly and conspicuously inform you of how to opt-out of future messages and prohibits the sender from charging a fee for exercising this right. The law also regulates to a lesser degree commercial text messaging.

A blunt critique of the U.S.’s sectoral approach is it’s a “cluttered mess of different rules.”[1] Efforts have been underway for some time to enact a comprehensive U.S. information privacy law. The political challenges have been steep. While Congress this year has come closer than ever to passing a comprehensive privacy law, passage is still viewed by most as a long way off. Until a comprehensive privacy law happens, the nearest thing in the U.S. is the Federal Trade Commission Act (FTCA).

FTCA:  This law broadly prohibits unfair and deceptive commercial practices, including practices related to information privacy and security. The FTCA applies to a range of entities, from retailers to technology companies to pharmaceuticals, and even social media companies. The Act can be applied to any kind of personal information if the business entity collecting or using it is doing so in an unfair or deceptive way. The Federal Trade Commission (FTC) is the main enforcer under the FTCA, as well as a handful of other sectoral privacy laws, such as COPPA. The FTC maintains a website of its legal filings about conduct it considers unfair and deceptive. Regularly reviewing the FTC’s complaints and orders concerning other companies’ information privacy and security practices can be a good way to stay informed about what not to do with personal information in your organization.

State Comprehensive Privacy Laws

Absent a comprehensive U.S. information privacy law, an increasing number of states—which currently include California, Colorado, Connecticut, Virginia, and Utah—have since 2018 enacted their own comprehensive laws. The most notable is the California Consumer Privacy Rights Act  (CCPA). In 2020, California voters passed a referendum amending the CCPA known as the California Privacy Rights Act (CPRA), which will become enforceable in 2023.

Like the GDPR, the CCPA/CCPRA has an ‘extraterritorial’ effect, meaning non-California businesses with sufficient ties to California consumers are subject to it. The CPRA also requires businesses subject to the law to require their contractors and service providers handling personal information—even those not otherwise subject to the law—to follow a number of information privacy and security practices.

The CPRA brings California’s privacy framework closer to the GDPR’s; however, there are still numerous differences between them—as well as among all data privacy laws. Accordingly, compliance with one should never be presumed to be compliance with another, and each deserves detailed scrutiny before deciding on a compliance strategy.

The Bottom Line for RIM Professionals

If you’ve read this far you know there’s a lot to just scratch the surface on information privacy. Yet, despite an ever-changing privacy landscape, a few faithful takeaways exist to help you better incorporate privacy into your RIM practices:

• Neither the GDPR, the CCPA/CPRA, nor any other major privacy law set a retention period for personal information. Instead, these laws require your organization keep personal information only as long as necessary to accomplish the purpose for which it was collected it. This principle creates conflict with records retention laws that can set lengthy minimum retention periods. It also conflicts with many organizations’ habits of wanting to hold on to a lot of information, sometimes indefinitely. Ultimately, you must balance the need to preserve records with the need to delete personal information within the record.
• Define personal information in your organization broadly. When defining what personal information your organization possesses, remember that there are often numerous ways to combine data that would cause it to be able to identify someone. The safer approach—and often the legally required approach—is to generally define personal information broadly.
• Privacy requires a mindset change about what constitutes a record. With privacy as part of a records program, you must avoid thinking about records narrowly. It can be helpful to think of any information with more than a transient value as a record. Focus on managing all information rather than just documents.
• Privacy involves taking some educated risks. Many privacy laws have been on the books for decades; others, like the GDPR and the CCPA/CPRA, have sprung like a geyser in the past five years—and what they require remains uncertain in a number of contexts. For records programs, setting retention periods and handling requirements to records series can sometimes be done with a cut-and-dried approach. Accounting for privacy requirements, though, involves being comfortable with more legal ambiguities—a prime example of this often includes determining how long is no longer than necessary to retain personal information. This means setting a risk tolerance and being more comfortable with operating in gray areas.
• Inventory (‘Map’) your personal information. To have any hope of having a privacy-compliant RIM program, it’s essential to know what kinds of personal information you have and where it resides in your different electronic databases, paper files, records series, and elsewhere. It also means being able to access that personal information should a data owner exercise a right—such as the right to correction or deletion—under an applicable data privacy law.
• Isolate personal information as best you can. Keeping personal information in known, centralized databases wherever practicable is a good practice. Avoid creating unnecessary duplicates of this information. Restrict access to personal information to those whose job requires it. And where possible, keep personal information from being included in your records in the first place.
• Security. Security is fundamental to privacy, and you must keep security in the front of your mind when making any RIM-privacy decision. Data privacy laws generally require security appropriate to the records and the risks. However, there is no base security program spelled out in privacy laws, nor is there one appropriate to all situations. You must determine what appropriate security means in each situation.
• Keep Learning About Privacy. Data privacy laws will continue to grow and impact records and information management. How your organization gathers and uses personal information will also change. Accordingly, RIM managers will need to grow their privacy fluency in step to make sure legal requirements, not to mention public expectations, are properly reflected. But privacy can be enjoyable, and again, with the right knowledge and an informed team, will be one of the most rewarding aspects of RIM.

[1] See Swanson, Judith A. The Public and Private in Aristotle’s Political Philosophy (1992 Cornell University Press).

[2] The Right to Privacy, Samuel D. Warren; Louis D. Brandeis, Harvard Law Review, Vol. 4, No. 5 (Dec. 15, 1890).

[3] The State of Consumer Data Privacy Laws in the US (And Why It Matters), Thorin Klosowski, NY Times (published Sept. 6, 2021).

Zasio is an information governance software, SaaS, and consulting company based in Boise, Idaho. Zasio is not a law firm and does not provide legal advice or services. This material is for informational purposes only and not for the purpose of providing legal or other professional advice.

The post What is Privacy Anyway? A Brief Introduction for RIM Professionals appeared first on Zasio.

The post What the Heck is Privacy, Anyway? Some Foundations on Privacy Law in the U.S. appeared first on Zasio.

Author: Heather Rice

Senior Research Analyst / Certified Paralegal

The post Utah Becomes Newest State to Adopt Consumer Privacy Law appeared first on Zasio.

Author: Jared Walker, JD

Senior Research Analyst, Team Lead / Licensed Attorney

The post Power to the PIPL? A Rundown of China’s New Personal Information Protection Law appeared first on Zasio.

Most international video surveillance requirements are not found in regulations, directives, or statutes. Rather, these requirements are frequently governed by data protection authorities through guidelines, decisions, or standards. But don’t let these titles fool you about their enforceability. Data protection authorities view these guidelines at the very least as best practices, and EU member states reference them when sanctioning and fining an entity for non-compliance.

Video Surveillance Coverage: Areas and Businesses

Generally, businesses using video surveillance are required to inform the public they are under video surveillance, in line with many data protection laws which mandate data subjects be informed their data is being processed. The EU Data Protection Supervisor states these notices “are mandatory because individuals affected by video surveillance must be informed upon its installation about the monitoring, its purpose, and the length of time for which the footage is to be kept and by whom.”[1]

Video surveillance requirements also force businesses to limit surveillance to areas like parking lots, building entrances, or streets. This does not mean surveillance cameras can cover wide swaths of these areas. Businesses are further limited to recording those areas of parking lots or building access or emergency exits that justify the protection of individuals and property.

Certain businesses are required to use video surveillance, such as banks, casinos, ATMs, and other financially-related businesses. Legal requirements also note that certain areas never justify video surveillance, like bathrooms, changing rooms, and pools. These areas are considered inherently private, and legal requirements recognize that data subjects deserve a heightened level of legal protection from video surveillance.

Incident Versus Non-Incident

In the legal realm, there are two main types of surveillance that regulators are looking at: incident and non-incident camera footage. Whether footage captures evidence of an incident will determine the retention period for that section. Most recordkeeping requirements set a minimum amount of time records must be retained. Recordkeeping requirements for video surveillance, however, typically set a maximum amount of time these images can be kept. Incident-capturing footage requirements follow this same method but may allow for slightly longer retention periods. For example, Greece doubles the amount of time businesses may keep video surveillance images following an incident. Generally, where surveillance footage does not contain images of an incident, the maximum amount of time this footage can be retained may be a few months, weeks, days, or hours.[2]

EU member states have some of the strictest requirements when it comes to video surveillance. For example, under Austrian law, images may be retained no longer than 72 hours.[3] In Germany, this period is 48 hours.[4] And in Italy, video surveillance must not be retained longer than 24 hours.[5] Complying with these limitations can prove difficult when an entity does not frequently check its surveillance footage, such as over a weekend or a holiday. Accordingly, regulators acknowledge that these retention periods may require some flexibility. Some regulators also permit for a longer retention period when parties consent through written agreements.[6]

Most legal requirements allow for longer retention when images are necessary for court proceedings or criminal investigations. However, investigating a crime or incident does not give an entity carte blanche to retain images indefinitely.[7] Typically, legal requirements require destruction within a few months, weeks, or days of the conclusion of an investigation or related proceedings.

Legal Requirements Versus System Capabilities

Video surveillance is one area where the law and technology play leapfrog. Sometimes the legal requirements are ahead of their time; sometimes technology is cutting edge. As noted, some European jurisdictions allow video surveillance retention for only hours or days. Not all video surveillance systems are created equal, and some systems do not have the capability to automatically erase footage every 24 hours. When this is the case, entities must be careful to note their surveillance footage retention periods in their notices and policies.

Conclusion

Whether you are a privacy-minded individual concerned about your image being captured through video surveillance or a business concerned about legal repercussions from your video surveillance practices, data protection authorities and regulators have provided guidelines on what your rights are. To learn more about how video surveillance may affect your business, contact Zasio today.

[1] European Data Protection Supervisor, Video Surveillance, “What are the main data protection issues?”

[2] EDPB Guidelines 3/2019 on processing of personal data through video devices (8)(119).

[3] Ordinance of the data protection authority on the exemptions from the data protection impact assessment.

[4] Short Paper on Video surveillance according to the General Data Protection Regulation.

[5] Video Surveillance Decision 2010.

[6] Ordinance of the data protection authority on the exemptions from the data protection impact assessment.

[7] EDPS Guidelines on video-surveillance (7.1.1).

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Do You Ever Feel Like, Somebody’s Watching You? That’s Because They Are appeared first on Zasio.

Author: Jennifer Chadband, IGP, CRM, ECMp

Senior Analyst / Licensed Attorney

The post Bringing the Cloud Down to Earth appeared first on Zasio.