
Drones and privacy: part three of three

by Mark Rowe

Here is the third and final part of a three-part article on data privacy and the use of drones, by the cyber, security and data protection advisers 6SGlobal. This part covers the data subject’s right of access and the other data subject rights.

Because of the nature of data processing in video surveillance, some data subject rights under the GDPR deserve further clarification. This chapter is not exhaustive: all rights under the GDPR apply to the processing of personal data through drone video surveillance.

Right to access

A data subject has the right to obtain confirmation from the controller as to whether or not their personal data are being processed. For drone video surveillance this means that if no data is stored or transferred in any way, then once the real-time monitoring moment has passed the controller can only confirm that no personal data is any longer being processed (besides the general information obligations under Article 13).

This is an important right under the GDPR and the ‘Drone’ Data Controller must design processes and technologies to ensure:

• the Data Subject can readily access all personal data held on them, or derived or inferred from that data
• the Data Subject can receive a copy of that personal data
• the Data Subject can obtain confirmation of, and information about, the processing activities.

A ‘Drone’ Data Controller must be prepared to respond to an individual Subject Access Request (SAR) in a timely manner; from a technical perspective, the customer database will need to be searchable by Data Subject.

Protecting the Data Subject’s Right to Rectification

A ‘Drone’ Data Controller must have the technology and processes to ensure a Data Subject can have inaccurate personal data rectified or completed without undue delay. The way to make such a request needs to be spelt out in the Data Privacy Notice.

Protecting the Data Subject’s Right to Erasure

The erasure of personal data without undue delay, and the notification of other ‘Drone’ Data Controllers that process this personal data, only applies where certain conditions have been met. Technical measures need to be available to do this, and it should be remembered that deleted personal data can be reconstructed even if it no longer appears in a file directory. It will be important to verify with the IT department and other information security professionals that the personal data has been erased and is not recoverable, and to hold a certificate to that effect. A Data Subject will often exercise the Right to Erasure, terminating the relationship with the ‘Drone’ Data Controller, when the controller has completely failed to fulfil its obligations or to deliver the rights and freedoms of the Data Subject. In each of these infringements of the GDPR there is an increased risk of harm or damage to the Data Subject. In addition, the Data Subject has the right to withdraw consent, or to object to a processing activity that is based on a ‘Drone’ Data Controller’s legitimate interest.

Restriction of Processing

This is a new right of the Data Subject compared with the previous Data Protection Directive 95/46/EC. The ‘Drone’ Data Controller must ensure that it is possible to isolate a Data Subject’s personal data, temporarily or permanently, to prevent it from being processed alongside other personal data across the value chain.

Data Portability

The Right to Data Portability enables a Data Subject to obtain and reuse their personal data across a range of services and other ‘Drone’ Data Controllers. For example, it can help the Data Subject shop around for the lowest electricity tariff or move from one insurance provider to another. The personal data must be in a structured, commonly used and machine-readable format so that it can easily be used by another ‘Drone’ Data Controller to provide those services.

Right to Object to Processing

The first time a ‘Drone’ Data Controller communicates with a Data Subject it must inform the individual of the right to object to the processing of their personal data. Where a DPO is appointed, they should ensure that this right to object is built into workflows and communication strategies. Standard language or templates used by the ‘Drone’ Data Controller may well assist in this regard. A ‘Drone’ Data Controller should also establish a decision-making process for handling objections to the processing of personal data, and should confirm as a matter of urgency whether there are technical and organisational measures in place to comply with the right to object. This will require a high degree of co-ordination across the value chain; data tags, together with the identification of the different personal data types processed within the organisation, will be helpful.

Automated processing including profiling

The right not to be subject to a decision based solely on automated processing, including profiling, needs to be read in the light of the Right to Object to Processing and the Right to Withdraw Consent. A ‘Drone’ Data Controller seeking to process personal data for profiling and automated decision-making must ensure it can cease profiling a Data Subject who exercises this right. Under Article 12(3) GDPR the ‘Drone’ Data Controller must respond without undue delay and in any event within one month of receipt of the request.

Access Rights

Best practice for information society service providers is to allow a Data Subject to download their personal data, including not only what they see when logged in but also information on the ads they have clicked on and the IP addresses they have used. Social media sites and online services may lend themselves more readily to this type of service, but that does not prevent ‘Drone’ organisations adopting a similar process in their Data Protection by Design efforts. Businesses that consider they need to develop a surveillance camera system should give due consideration to establishing proper governance arrangements. There must be clear responsibility and accountability for such a system. As drone images may cover public space, a company would be considered an operator and must be aware of the statutory licensing requirements of the Private Security Industry Act 2001 (PSIA).

Balancing exercise

Where it has been established that there is a reasonable expectation of privacy in respect of information, such that a claimant’s Article 8 rights are engaged, the court must undertake the ‘ultimate balancing test’, weighing the claimant’s Article 8 rights, the rights of the defendant and the rights of other individuals concerned, to ascertain which should yield.

General considerations when processing biometric data

The use of biometric data, and facial recognition in particular, entails heightened risks for data subjects’ rights. It is crucial that recourse to such technologies takes place with due respect for the principles of lawfulness, necessity, proportionality and data minimisation in the GDPR. While these technologies can be perceived as particularly effective, controllers should first assess the impact on fundamental rights and freedoms and consider less intrusive means of achieving the legitimate purpose of the processing. To qualify as biometric data as defined in the GDPR, the processing of raw data, such as the physical, physiological or behavioural characteristics of a natural person, must involve a measurement of those characteristics. Since biometric data is the result of such measurements, Article 4(14) GDPR describes it as “resulting from specific technical processing relating to the physical, physiological or behavioural characteristics”. Video footage of an individual cannot, however, in itself be considered biometric data under Article 9 if it has not been specifically technically processed to contribute to the identification of an individual.

The use of video surveillance including biometric recognition functionality installed by private entities for their own purposes (e.g. marketing, statistics or even security) will, in most cases, require the explicit consent of all data subjects (Article 9(2)(a)). Article 9 applies where the controller stores biometric data (most commonly as templates created by extracting key features from the raw biometric data, e.g. facial measurements from an image) in order to uniquely identify a person. If a controller wishes to detect a data subject re-entering the area or entering another area (for example in order to continue projecting customised advertisements), the purpose is to uniquely identify a natural person, so the operation falls under Article 9 from the start. This could be the case if a controller stores generated templates to provide further tailored advertising on several billboards at different locations inside a shop. Since such a system uses physical characteristics to detect specific individuals coming back into the range of the camera (such as the visitors of a shopping mall) and to track them, it constitutes a biometric identification method, because it is aimed at recognition through the use of specific technical processing.

When consent is required by Article 9 GDPR, the data controller shall not make access to its services conditional on acceptance of the biometric processing. In other words, and notably when the biometric processing is used for authentication purposes, the data controller must offer an alternative solution that does not involve biometric processing, without restraints or additional cost for the data subject. This alternative is also needed for persons who do not meet the constraints of the biometric device (enrolment or reading of the biometric data impossible, a disability making it difficult to use, etc.), and in anticipation of unavailability of the biometric device (such as a malfunction) a “back-up solution” must be implemented to ensure continuity of the service, limited however to exceptional use.

Suggested measures to minimise the risks when processing biometric data

In compliance with the data minimisation principle, data controllers must ensure that the data extracted from a digital image to build a template is not excessive and contains only the information required for the specified purpose, thereby avoiding any possible further processing. Measures should be put in place to guarantee that templates cannot be transferred across biometric systems.

Identification and authentication/verification are likely to require the storage of the template for use in a later comparison. The data controller must consider the most appropriate location for storage of the data. In a controlled environment (delimited hallways or checkpoints), templates shall be stored on an individual device kept by the user and under their sole control (a smartphone or ID card) or, when needed for specific purposes and where there is an objective need, in a centralised database in encrypted form, with the key or secret solely in the hands of the person, to prevent unauthorised access to the template or storage location.

If the data controller cannot avoid having access to the templates, it must take appropriate steps to ensure the security of the data stored. This may include encrypting the template with a cryptographic algorithm. In any case, the controller shall take all necessary precautions to preserve the availability, integrity and confidentiality of the data processed. To this end, the controller shall notably:

• compartmentalise data during transmission and storage;
• store biometric templates and raw data or identity data in distinct databases;
• encrypt biometric data, notably biometric templates, and define a policy for encryption and key management;
• integrate an organisational and technical measure for fraud detection;
• associate an integrity code with the data (for example a signature or hash);
• prohibit any external access to the biometric data.

Data controllers shall delete raw data (face images, speech signals, gait, etc.) and ensure the effectiveness of that deletion. Indeed, insofar as biometric templates derive from such data, a database of raw data could represent an equal if not greater threat: a biometric template may not be readable without knowledge of how it was generated, whereas raw data is the building block of any template. If the data controller needs to keep such data, a noise-additive method (such as watermarking) must be explored, which would render the creation of a template from it ineffective. The controller must also delete biometric data and templates in the event of unauthorised access to the read-comparison terminal or storage server, and delete any data not useful for further processing at the end of the biometric device’s life.
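As an added example (not 6SGlobal’s code, nor code from the guidance the preceding paragraphs draw on), the following Python sketch puts the measures from the last three paragraphs in one place: templates and identity data in distinct stores linked only by an opaque record id, each template encrypted under a key held by the subject rather than the controller, an integrity code (an HMAC tag) that makes tampering detectable, and an erasure routine that checks its own effectiveness. The store and function names are assumptions for illustration. The cipher is an encrypt-then-MAC construction from HMAC-SHA256 so that the example runs with the standard library alone; a deployment would use a vetted AEAD such as AES-GCM instead.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Added example, not 6SGlobal's code. Names are assumptions for illustration.
# Cipher: encrypt-then-MAC from HMAC-SHA256 (counter-mode keystream plus an
# HMAC tag), chosen only so this runs with the standard library; a deployment
# would use a vetted AEAD such as AES-GCM.

def _subkey(master: bytes, purpose: bytes) -> bytes:
    """Domain-separated subkey: one for confidentiality, one for integrity."""
    return hmac.new(master, purpose, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from an HMAC-SHA256 PRF."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(master: bytes, template: bytes, aad: bytes) -> bytes:
    """Encrypt a template and bind it to `aad` (the record id) with an HMAC tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(template))
    ct = bytes(a ^ b for a, b in zip(template, ks))
    tag = hmac.new(_subkey(master, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_template(master: bytes, blob: bytes, aad: bytes) -> Optional[bytes]:
    """Return the template, or None if the tag fails (tampering, wrong key, wrong record)."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(master, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class Store:
    """One database table (key -> value). Templates and identities get separate instances."""
    def __init__(self, name: str) -> None:
        self.name, self.rows = name, {}
    def put(self, key, value) -> None: self.rows[key] = value
    def get(self, key): return self.rows.get(key)
    def erase(self, key) -> None: self.rows.pop(key, None)

def enrol(ids: Store, tpls: Store, subject: str, template: bytes) -> Tuple[str, bytes]:
    """Seal the template under a per-subject key that the controller does not retain."""
    record_id = secrets.token_hex(8)            # opaque link between the two stores
    subject_key = secrets.token_bytes(32)       # handed to the subject's device or card
    tpls.put(record_id, seal(subject_key, template, record_id.encode()))
    ids.put(subject, record_id)                 # identity data lives only here
    return record_id, subject_key

def verify(ids: Store, tpls: Store, subject: str, subject_key: bytes, probe: bytes) -> bool:
    """Authenticate: the subject supplies the key; a bad tag or missing record is a refusal."""
    record_id = ids.get(subject)
    blob = tpls.get(record_id) if record_id is not None else None
    if blob is None:
        return False
    stored = open_template(subject_key, blob, record_id.encode())
    # Exact match stands in for the similarity threshold a real matcher would apply.
    return stored is not None and hmac.compare_digest(stored, probe)

def erase_subject(ids: Store, tpls: Store, subject: str) -> bool:
    """Erase from both stores, then check that the erasure actually took effect."""
    record_id = ids.get(subject)
    if record_id is None:
        return True
    tpls.erase(record_id)
    ids.erase(subject)
    return ids.get(subject) is None and tpls.get(record_id) is None

def demo() -> Dict[str, bool]:
    ids, tpls = Store("identities"), Store("templates")
    template = bytes(range(64))  # constructed stand-in for a 64-byte feature vector
    rid, key = enrol(ids, tpls, "subject-42", template)
    result = {"match": verify(ids, tpls, "subject-42", key, template),
              "wrong_key": verify(ids, tpls, "subject-42", secrets.token_bytes(32), template)}
    blob = bytearray(tpls.get(rid))
    blob[20] ^= 0x01  # flip one ciphertext byte: the integrity code must reject it
    tpls.put(rid, bytes(blob))
    result["tampered"] = verify(ids, tpls, "subject-42", key, template)
    result["erased"] = erase_subject(ids, tpls, "subject-42")
    result["no_residue"] = not tpls.rows and not ids.rows
    return result

if __name__ == "__main__":
    print(demo())
```

Binding the record id into the tag means a template copied from one record into another fails verification, which is the practical form of the guidance that templates must not be transferable between systems; the controller holding only ciphertext and an opaque id is what makes a breach of the template store alone far less damaging.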

Technical and organisational measures

The GDPR requires ‘Drone’ Data Controllers and processors to implement “appropriate technical and organisational measures” to protect personal data. This entails an approach based on regular assessments to ensure that all risks are appropriately addressed.

Access to images must be limited to authorised personnel

This is especially important where systems are connected to the Internet or footage is stored in the cloud, where there is a greater risk of unauthorised access. Administrative controls must be implemented under the principle of least privilege (POLP), fully documented and audited.

Audits

This sits outside the Risk Management and Data Governance Framework but supports it by testing the overall effectiveness and fitness for purpose of the processes and controls described by the data governance framework. Any ‘Drone’ system that accesses data on Data Subjects must be audited for compliance with the GDPR, the DPA 2018, PECR and the relevant codes of practice and guidance. If a ‘Drone’ Data Controller, Processor, sub-processor or installer fails to complete documented audits of their respective ‘Drone’ system(s), they run the risk of the full weight of any enforcement authority. If any company is in doubt it should discuss the issue with a DPO, who will provide advice on data privacy issues. The international standard for information security management, ISO 27001, is an excellent starting point for implementing the technical and organisational measures necessary under the GDPR. The audit must be independent of the other functions to avoid a conflict of interest and to be effective. The Data Controller and Data Processor must audit those parts of their value chain for which they are directly responsible, to assure the effectiveness and fitness for purpose of the technical and organisational measures deployed by those parties (Article 28 GDPR).

‘Drones’: establish a security baseline

Your security policies are your foundation. Without established policies and standards there is no yardstick for determining the level of risk. But technology changes much more rapidly than business policies, so the technical controls must be reviewed more often: software vulnerabilities are discovered daily. A yearly security assessment by an objective third party is necessary to ensure that security guidelines are followed. Security audits are not a one-off event; do not wait until a successful attack forces your company to hire an auditor. Annual audits establish a security baseline against which you can measure progress and evaluate the auditor’s professional advice, and an established security posture also helps measure the effectiveness of the audit team.

Anonymous Collection of Data

Drones are a useful tool where a human life would otherwise be at risk. But whereas people are identifiable by their own set of characteristics, such as height, weight, ethnic origin and hair colour, drones are not as easy to identify: without company markings or patented designs, it is notoriously hard to identify the user or operator of a drone. Regardless of who is using such drones or for what, they appear to collect data for some purpose without permission, and a drone used in this way would infringe the DPA 2018.

Limitations

There are many limitations to research into how drone technology could infringe the UK Data Protection Act. Globally, drones are deployed daily by companies and governments, but outside those organisations there is very limited visibility of what is being collected or generated by drone technology. If companies or governments are using drones in an unlawful or unconstitutional manner, they are not going to make those applications public, in order to protect the interests, reputation and standing of the organisation.

These drones have the capability to collect data ranging from car speeds to human biometric data, but without access to the drone or its control centre people have no way of knowing what is being collected. Another limitation is that once the data has been collected the person has no idea what it is being used for, which could be anything from preventing crime to being sold to companies to target people with advertising campaigns. The possible uses of people’s personal information are almost endless, and with drone technology data that can be so valuable can also be accessed with such ease and anonymity. Companies can be audited and are by law supposed to adhere to the UK DPA, so they are bound and restricted in what they can do, collect, use and keep, and their drone usage must be documented. But private individuals have access to the same technology without being monitored to the same extent as companies, which exposes the frightening fact that someone could spy on another person without their knowledge. Individuals are subject to the DPA just as companies and governments are, but individuals are a lot more difficult to police.

Conclusion

Drones have many strong points and improve many fields, whether archaeology, agriculture, retail or others; the possibilities for the progression of drones in society are endless. Drone uses involving the processing of personal data constitute in most cases an interference with the right to respect for private and family life guaranteed by Article 8 of the European Convention on Human Rights and Article 7 of the Charter of Fundamental Rights of the European Union (hereinafter “the Charter”), as they challenge the right to intimacy and privacy guaranteed to all individuals in the EU, and can therefore be allowed only under specific conditions and safeguards. In any event, whenever personal data are processed by drones operated in the EU, which is common, the right to the protection of personal data enshrined in Article 8 of the Charter applies and the EU legal framework for data protection must be complied with.

In practice, therefore, drones used by individuals for private activities will normally be subject to the GDPR requirements and will rarely benefit from the household exemption. In any event, as a precondition of the data protection rules, the processing of personal data must be lawful in all respects. This also means complying with other relevant rules in areas such as civil or criminal law, intellectual property, aviation or environmental law. But the advance of drones also has negative effects: drones may take over work that humans were previously employed to perform, and there are the moral dilemmas of drones being used by the military for the assassination of terrorists.

Additionally, with drones possibly taking people’s jobs for reasons of cost and reliability, drones may be portrayed in a negative light, but drones will work alongside people and take them out of harm’s way, whether in a military or a rescue setting. Drones doing the jobs we should not have to do can only help society and lower the risks of those jobs. As drones evolve and become an everyday part of our lives, they will greatly benefit the way we live and enhance our quality of life. Technology never stands still: if you buy a laptop today, in five years’ time the odds are that its hardware and software will be outdated compared with the standards of the day. Like other technology, the drone industry has advanced and will continue to do so. Its progress from military machine to commercial aid demonstrates the range of uses drones have, and this is expected to continue, with drones now even being used to help sell homes and property in the UK. Therefore compliance with legislation is essential: companies need to verify their activities as well as their legal basis for gathering the information.

Regardless of whether the organisation is law enforcement, central government, public sector or private sector, the GDPR must be followed and implemented. Such organisations should implement a Privacy Information Management System (PIMS) to ensure compliance, which reduces the risk of action being taken against the company by the Information Commissioner’s Office (ICO). Ask 6SGlobal about their PIMS auditing service to begin verifying your compliance journey; a third-party review will benefit you.

This is part three of three; parts one and two of this article are published separately.


© 2024 Professional Security Magazine. All rights reserved.
