
CEN/CLC/JTC 13/WG 5 N 19

CEN/CLC/JTC 13/WG 5 Data Protection, Privacy and Identity Management

Email of secretary: [email protected] Secretariat:

Draft TR Data protection and privacy by design and by default — Technical Requirements applicable to the video-surveillance industry — Dedicated implementation (Preliminary draft prepared by JF Sulzer)

Document type: Other meeting document

Date of document: 2019-07-01

Expected action: MEET

Action due date: 2019-07-09

Background: for consideration at the upcoming JTC 13/WG5 Paris meeting to be held on 2019-07-09

Committee URL: https://cen.iso.org/livelink/livelink/open/cenclcjtc13wg5


CEN/CLC/JTC 13 XXX

Date: 2019-06

prEN XXXXX: XXXX

Secretariat: XXX

Preliminary draft (prepared by JF Sulzer)

Data protection and privacy by design and by default — Technical Requirements applicable to the video-surveillance industry — Dedicated implementation

Introductory element — Main element — Complementary element (German-language title placeholder)

Introductory element — Main element — Complementary element (French-language title placeholder)

ICS:

CCMC will prepare and attach the official title page.

prEN XXXX:XXXX (E)


Contents

European foreword ... 4
Introduction ... 5
1 Scope ... 6
2 Normative references ... 6
3 Terms and definitions ... 6
4 High level objectives ... 7
5 Verification of the ability to comply with the GDPR provisions (for each item, reference is made to the relevant section of the main body of the standard) ... 8
5.1 Access (6.1) ... 8
5.1.1 Access to data ... 8
5.1.2 Copy of data ... 8
5.2 Accountability (6.2) ... 8
5.2.1 Control objective: ... 8
5.2.2 Accurate, transparent and easy to understand documentation ... 9
5.3 Accuracy (6.3) ... 9
5.3.1 Control objective: ... 9
5.3.2 Corrections in the recorded videos (not applicable) ... 9
5.3.3 Dynamic masking (related consideration) ... 9
5.4 Consent (6.4) ... 9
5.4.1 Control objective: ... 9
5.4.2 Consent of data subject replaced by information for video-surveillance ... 9
5.5 Data de-identification (6.5) ... 9
5.5.1 Control objective: ... 9
5.5.2 Video-surveillance systems do not identify individuals ... 9
5.5.3 Reversibility ... 10
5.6 Data minimization (6.6) ... 10
5.6.1 Control objective: ... 10
5.6.2 Provisions to allow collection adjustment to minimum ... 10
5.7 Data portability (6.7) ... 10
5.7.1 Control objective: ... 10
5.7.2 Notion of portability does not apply to video-surveillance ... 10
5.8 Data protection and privacy by default (6.8) ... 10
5.8.1 Control objective: ... 10
5.8.2 Access restricted to a single account ... 10
5.8.3 Dedicated procedure to allow additional accounts ... 10
5.9 Erasure (6.9) ... 11
5.9.1 Control objective: ... 11
5.9.2 Erasing capability ... 11
5.10 Fairness (6.10) ... 11
5.10.1 Determination of user (data subject) age ... 11
5.10.2 Configurable children age threshold (not applicable) ... 11
5.11 Information security (6.11) ... 11
5.11.1 Unauthorized or unlawful processing ... 11
5.11.2 Data loss ... 12
5.11.3 Information protection targets ... 12
5.11.4 Restore ... 12
5.12 Lawfulness (6.12) ... 12
5.12.1 Purpose of processing ... 12
5.12.2 Data provisioning ... 13
5.13 Objection to processing (6.13) ... 13
5.13.1 Control objective: ... 13
5.13.2 Information of the data subjects, but impossibility for the data subjects to hide themselves ... 13
5.14 Automated decision making (6.14) ... 13
5.14.1 Control objective: ... 13
5.14.2 Support to operators, but no direct decision ... 13
5.15 Processing (6.15) ... 13
5.15.1 Control objective: ... 13
5.15.2 The manufacturer has no processor role ... 14
5.16 Purpose limitation (6.16) ... 14
5.16.1 Purpose specification ... 14
5.16.2 Purpose incompatibility ... 14
5.17 Restriction of processing (6.17) ... 14
5.17.1 Control objective: ... 14
5.17.2 Tools for the data controller ... 14
5.17.3 Record kept of such actions ... 14
5.18 Storage limitation (6.18) ... 14
5.18.1 Control objective: ... 14
5.18.2 Retention time limited by default ... 14
5.19 Transparency (6.19) ... 15
5.19.1 Information ... 15
5.19.2 Record of processing activities ... 15


European foreword

This document (prEN XXXX:XXXX) has been prepared by Technical Committee CEN/TC XXX “Title”, the secretariat of which is held by XXX.

This document is currently submitted to the CEN Enquiry.

This document will supersede EN XXXX:XXXX.

In comparison with the previous edition, the following technical modifications have been made:

This document has been prepared under a mandate given to CEN by the European Commission and the European Free Trade Association, and supports essential requirements of EU Directive(s).

For relationship with EU Directive(s), see informative Annex ZA, which is an integral part of this document.

[NOTE to the drafter: Add information about related documents or other parts in a series as necessary. A list of all parts in a series can be found on the CEN website.]


Introduction

This Technical Requirement explains how the Data Protection and Privacy by Design and by Default CEN-CENELEC standard applies to the video-surveillance industry, a security industry which permanently serves the objectives of its various customers, who are themselves subject to a balance between privacy and security rules that may change with the political, local and circumstantial situation.

Implementing this standard will allow the industry to provide its customers (and especially their data controllers) with solutions designed with the necessary options and flexibility to comply with their privacy protection obligations over the lifetime of the delivered solutions.

Identification of patent holders, if any.


1 Scope

The Data Protection and Privacy by Design and by Default CEN-CENELEC standard defines the process through which the developers and/or manufacturers of all types of products and services make sure that the end-users thereof will be encouraged and able to use them in compliance with the GDPR, directly or after an appropriate set-up.

The present Technical Report (TR) provides a concrete implementation example applied to the domain of the video-surveillance industry, a security industrial domain which serves the objectives of its various customers, who are themselves subject to a delicate balance between privacy and security objectives that may change with the political, local and circumstantial situation.

Implementing this standard will allow them to provide their customers with solutions designed with the necessary options and flexibility to comply with their privacy protection obligations over the lifetime of the delivered solution.

The present TR applies at this stage to core video-surveillance solutions consisting in up to:

A number of cameras (fixed or PTZ)

A Video Management System (VMS) including its storage capability

A display and replay capability

Basic video analytics allowing automatic detection, in the video of each camera, of simple geometric events (movement detection, line crossing, etc.), but excluding any tool allowing some form of identification or processing of personal data; such tools are addressed in another TS and are generally provided by specialized manufacturers.

IP interfacing with external terminals (not included).

This basic set-up may be expanded in future versions.

The system and sub-system manufacturers are the core targets of this document; companies performing system installation may be indirectly addressed, but service providers that may run the systems are not covered.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

EN XXXX-1:XXXX, General title of series — Part X: Title of part

EN XXXXX (all parts), General title of the series

[NOTE to the drafter: The Normative references clause is compulsory. If there are no normative references, add the following text below the clause title: "There are no normative references in this document."]

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply / the terms and definitions given in… and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

IEC Electropedia: available at http://www.electropedia.org/


ISO Online browsing platform: available at http://www.iso.org/obp

[NOTE to the drafter: The Terms and definitions clause is compulsory. If there are no terms and definitions, add the following text: "No terms and definitions are listed in this document."]

3.1

GDPR

The EU General Data Protection Regulation (EU) 2016/679 ("GDPR") is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).

3.2

PTZ

Pan, Tilt and Zoom; applies to a remotely controllable camera

3.3

TR

Abbreviation for Technical Requirement

Note 1 to entry:

[SOURCE: EN XXX:XXXX, definition XX]

4 High level objectives

Following the main body of the standard, the present TR details the different features that a manufacturer of a video-surveillance system must take into consideration as part of the quality process followed by its product line, to be sure that its different potential end-users can easily comply, and are encouraged to comply, with their privacy obligations.

To do so, the different GDPR prescriptions recalled and/or reformulated in Section 6 of the main body of the standard will be translated into features and set-up of a video-surveillance system; as per the core principle of the standard, it is mandated that the manufacturer has a formal process through which all such prescriptions are considered (in existence, performance, set-up, etc.) with regard to the privacy requirements, for each system delivered.

It must be noted:

That, nevertheless, the product will be delivered, maintained and disposed of in compliance with the written configuration request established by the customer, even if this may not correspond to an optimum privacy set-up or configuration; this is especially true as video-surveillance systems are often used in governmental security missions covered by dedicated regulations,

That, if most of the systems produced today are digital, possibly implementing the functional layers quoted in the main body of the standard, the current TS applies as well to systems partly or totally based on analogue technologies, which are not structured with such layers,

That in many countries video-surveillance has been subject to local privacy regulations for many years and that, accordingly, at least some of the following prescriptions are covered by legacy implementations.


5 Verification of the ability to comply with the GDPR provisions (for each item, reference is made to the relevant section of the main body of the standard)

5.1 Access (6.1)

5.1.1 Access to data

5.1.1.1 Control objective:

A video-surveillance system being, by essence, designed to monitor a field of view without any discrimination, its designer can only provide indirect tools to the controllers to help them in providing capabilities for the data subject to access his/her data.

5.1.1.2 Implementation in support to access to data by the data subjects

To support the data controllers of its future customers, who will implement its systems, in informing the potential data subjects of the existence of the system and of their rights, the manufacturer shall provide on its website models of posters to be installed in the area covered by the video-surveillance system, indicating that the area is monitored by video-surveillance and leaving a space to indicate how to contact the relevant data controller, who may give access to relevant footage.

Also, to support the future data controllers in retrieving information requested by the data subjects, each video-surveillance system shall be designed to allow search in the collected videos by time and camera location.

5.1.1.3 Account for each data subject involved (not applicable)

Each camera being able to passively monitor a large number of individuals, who are not distinguished in the scenes, any attempt to create files per data subject would generate an unnecessary and illegitimate processing of personal data.

5.1.2 Copy of data

5.1.2.1 Control objective:

The objective is to ensure that the video-surveillance system will be designed to allow export in a non-proprietary format, by the data controllers of clips in response to the requests of the data subjects.

5.1.2.2 Implementation of the export to the benefit of data subjects

The video-surveillance systems shall be designed to allow the export of a clip representing, without quality degradation, one of the video streams for a limited duration, in the form of a file with a format accepted by most commercial players (typically H.264); this export shall be possible electronically or through the transfer of a commercial storage medium (such as a USB key).

A single frame of a single camera being potentially able to show in detail many data subjects, export to one of them is acceptable only if all the other individuals visible in the scenes are anonymized. The video-surveillance systems shall accordingly be designed to be fitted with dynamic masking and one or more such masking solutions shall be proposed with each system.

5.2 Accountability (6.2)

5.2.1 Control objective:

Nothing in the design of the video-surveillance system may mislead the data controller to the point he or she could be unable to demonstrate compliance to the rules detailed in this section.


5.2.2 Accurate, transparent and easy to understand documentation

Each video-surveillance system shall be provided with a documentation describing without ambiguity all its functionalities, which may impact privacy aspects; the manufacturer shall be in a position to propose the relevant training to the end-users (including the data controller) and shall update duly the documentation, whenever a change to the system is introduced.

5.3 Accuracy (6.3)

5.3.1 Control objective:

The principle of enabling the data controller to update or append recordings is contrary to the video-surveillance key role, i.e. providing evidence of a presence or of a fact.

5.3.2 Corrections in the recorded videos (not applicable)

In fact, a video-surveillance system collects images of what happens at a given place and time. It is the interpretation of such images, possibly linked to the identity of an individual, which may require updates or corrections, but this is not part of what a manufacturer of video-surveillance systems can influence.

5.3.3 Dynamic masking (related consideration)

In some special circumstances, and as already discussed in section 5.1.2.2, dynamic masking shall be made available to the data controller to hide persons, groups of persons or privacy-sensitive material. Legislation may apply to ensure that such masking is reversible for judicial use of the recordings by the authorities.

5.4 Consent (6.4)

5.4.1 Control objective:

GDPR mandates the recording of data subject consent and withdrawal of consent.

5.4.2 Consent of data subject replaced by information for video-surveillance

See section 5.1.1.2 regarding the implication of the video-surveillance manufacturers in the design of posters to be used in the areas covered.

5.5 Data de-identification (6.5)

5.5.1 Control objective:

GDPR calls for capabilities for the de-identification of data.

5.5.2 Video-surveillance systems do not identify individuals

Accordingly, they cannot irreversibly transform data entries into pseudonyms. As already indicated in sections 5.1.1.2 and 5.3.3, a possible option available to the data controller is a dynamic masking.


5.5.3 Reversibility

As already indicated in section 5.3.3, legislation may apply to ensure that the above dynamic masking is reversible for judicial use of the recordings by the authorities.

5.6 Data minimization (6.6)

5.6.1 Control objective:

The data controller implementing the solution must be able to set up its video-surveillance system to perform its anticipated mission while minimizing any unnecessary or non-relevant collection.

5.6.2 Provisions to allow collection adjustment to minimum

The manufacturer shall fit each camera with some form of zoom (mechanical or remotely controllable) to allow the data controller to adjust the field of view to the zone to be monitored only.

Furthermore, as the rectangular format of the video standards may not match such zones to be monitored, a non-reversible masking capability of any portion of the field of view shall be made available; in case of PTZ cameras, such masking shall be dynamic to mask the designated zones, wherever the camera is pointing to.

5.7 Data portability (6.7)

5.7.1 Control objective:

The need to separate the record of a data subject and export it.

5.7.2 Notion of portability does not apply to video-surveillance

Need for portability does not exist in video-surveillance, where data collected cannot be directly linked to a given individual and where information storage is anyway limited to few weeks.

5.8 Data protection and privacy by default (6.8)

5.8.1 Control objective:

Except when explicitly stipulated by the customer, to ensure by default, data minimization and confidentiality of collected data.

5.8.2 Access restricted to a single account

At delivery, the video-surveillance system shall be set-up for an access through a unique code-word (or equivalent access security method), which will need to be created before first usage.

5.8.3 Dedicated procedure to allow additional accounts

A dedicated routine, designed to be accessible only to the data controller, shall be in place in the delivered system to ensure that the account from 5.8.2 will get locked once an operational account is created and has accessed the product or service for the first time, and can only be unlocked by special authorization.
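The account lifecycle of 5.8.2 and 5.8.3 written out as a small state model (an added illustration, not code from the draft TR or from any product; the "special authorization" is assumed to be a one-time token issued out of band, and PBKDF2 stands in for whatever credential store a product uses):

```python
"""Bootstrap-account lifecycle of a delivered VMS, after 5.8.2 and 5.8.3.

Added illustration, not code from the draft TR or from any product. It models
the rules stated above: a single initial account whose secret does not exist
at delivery and must be created before first use; a controller-only routine to
add operational accounts; locking of the initial account once an operational
account has logged in for the first time; unlocking only through a separate
authorization (assumed here to be a one-time token issued out of band).
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever credential store a product uses.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Account:
    name: str
    operational: bool = False
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    digest: Optional[bytes] = None   # None until a secret has been set
    locked: bool = False
    first_login_done: bool = False

    def set_secret(self, secret: str) -> None:
        self.digest = _hash_secret(secret, self.salt)

    def check(self, secret: str) -> bool:
        # A locked account, or one whose secret was never created, never authenticates.
        if self.digest is None or self.locked:
            return False
        return hmac.compare_digest(self.digest, _hash_secret(secret, self.salt))


class DeliveredVms:
    INITIAL = "initial"   # the single account present at delivery (5.8.2)

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {self.INITIAL: Account(self.INITIAL)}
        self._unlock_token: Optional[str] = None

    def initialise(self, secret: str) -> None:
        """5.8.2: the code-word must be created before first usage, and only once."""
        acct = self.accounts[self.INITIAL]
        if acct.digest is not None:
            raise RuntimeError("initial account already initialised")
        acct.set_secret(secret)

    def login(self, name: str, secret: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None or not acct.check(secret):
            return False
        if acct.operational and not acct.first_login_done:
            acct.first_login_done = True
            # 5.8.3: first access by an operational account locks the initial one.
            self.accounts[self.INITIAL].locked = True
        return True

    def create_operational_account(self, controller_secret: str, name: str, secret: str) -> None:
        """5.8.3: routine accessible only to the data controller (holder of the initial secret)."""
        if not self.accounts[self.INITIAL].check(controller_secret):
            raise PermissionError("only the data controller may create accounts")
        if name in self.accounts:
            raise ValueError("account already exists")
        acct = Account(name, operational=True)
        acct.set_secret(secret)
        self.accounts[name] = acct

    def issue_unlock_authorization(self) -> str:
        # Assumed special-authorization step: a fresh one-time token, delivered out of band.
        self._unlock_token = secrets.token_urlsafe(24)
        return self._unlock_token

    def unlock_initial(self, token: str) -> bool:
        """5.8.3: the locked initial account can only be unlocked by special authorization."""
        if self._unlock_token is None or not hmac.compare_digest(token, self._unlock_token):
            return False
        self._unlock_token = None
        self.accounts[self.INITIAL].locked = False
        return True

    def is_initial_locked(self) -> bool:
        return self.accounts[self.INITIAL].locked
```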


5.9 Erasure (6.9)

5.9.1 Control objective:

To provide the capability for erasing any specific time slot in the recorded material.

5.9.2 Erasing capability

The video-surveillance system shall provide the capability to delete any specific time slot in the recorded material without impacting the rest of the recordings.

Note: As erasing data in most data storage devices generally consists in just eliminating the access link to such data, which remain present on the storage medium and accessible to dedicated processes, a data destruction capability shall be provided and clear notice given to ensure that no storage device is disposed of without such data destruction.
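Time-slot erasure as required by 5.9.2, together with the in-place overwrite the note asks for, on a segmented recording model (an added illustration, not code from the draft TR or from any VMS; one byte per recorded second and the segment layout are constructed assumptions):

```python
"""Erasure of a time slot from segmented recordings, after 5.9.2 and its note.

Added illustration, not code from the draft TR or from any VMS. Recordings are
modelled as segments [start, end) of one camera holding one byte per second
(an assumption that keeps offsets equal to seconds). erase_slot() removes
[t0, t1) for one camera by splitting the segments it touches, overwriting the
removed bytes in place before they are dropped (destruction rather than a mere
unlink), and leaving every other segment, including other cameras, untouched.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Segment:
    camera: str
    start: int        # seconds (constructed sample values)
    end: int          # exclusive
    data: bytearray   # len(data) == end - start


def erase_slot(segments: List[Segment], camera: str, t0: int, t1: int) -> List[Segment]:
    """Return the recording with [t0, t1) of `camera` removed; other segments are reused as-is."""
    if t1 <= t0:
        raise ValueError("empty slot")
    out: List[Segment] = []
    for seg in segments:
        if seg.camera != camera or seg.end <= t0 or seg.start >= t1:
            out.append(seg)            # not concerned by the erasure
            continue
        cut0, cut1 = max(seg.start, t0), min(seg.end, t1)
        a, b = cut0 - seg.start, cut1 - seg.start
        head = bytearray(seg.data[:a])
        tail = bytearray(seg.data[b:])
        seg.data[a:b] = bytes(b - a)   # overwrite the erased span in place (destruction)
        if head:
            out.append(Segment(seg.camera, seg.start, cut0, head))
        if tail:
            out.append(Segment(seg.camera, cut1, seg.end, tail))
    return out


def coverage(segments: List[Segment], camera: str) -> List[Tuple[int, int]]:
    """Sorted list of (start, end) slots still recorded for `camera`."""
    return sorted((s.start, s.end) for s in segments if s.camera == camera)


def build_sample() -> List[Segment]:
    # Constructed sample: two cameras, two 20-second segments each, byte value = second mod 256.
    segs = []
    for cam in ("cam1", "cam2"):
        for start in (100, 120):
            segs.append(Segment(cam, start, start + 20,
                                bytearray((start + i) % 256 for i in range(20))))
    return segs


if __name__ == "__main__":
    recording = erase_slot(build_sample(), "cam1", 110, 130)
    print(coverage(recording, "cam1"))   # [(100, 110), (130, 140)]
    print(coverage(recording, "cam2"))   # [(100, 120), (120, 140)]
```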

5.10 Fairness (6.10)

5.10.1 Determination of user (data subject) age

5.10.1.1 Control objective:

To provide capabilities for determination of data subjects age prior to collection.

5.10.1.2 Age determination of the data subjects not relevant

As a video-surveillance system is totally agnostic regarding the content of the observed scenes, age determination does not apply.

Note: The only option to address this children age discrimination would be to fit all the video-surveillance systems with a face recognition capability allowing the identification of all the passers-by, an approach which goes exactly against the privacy protection objectives of the TS.

5.10.2 Configurable children age threshold (not applicable)

5.11 Information security (6.11)

5.11.1 Unauthorized or unlawful processing

5.11.1.1 Control objective:

Protection against unauthorized or unlawful processing.

5.11.1.2 User authentication

The video-surveillance system shall be provided with a mechanism for a secure user authentication (consistently with the provisions of section 5.8).

5.11.1.3 Encryption

Although the communication means are normally not part of the video-surveillance “package”, the video-surveillance system shall be delivered ready for encrypted communications between subsystems.

5.11.1.4 Emergency access

Due to the potential usage of video-surveillance systems in missions where time is of the essence for saving human lives, first responders strongly recommend that data are recorded unencrypted and/or that emergency access to the data is not encrypted. As the recorded material may become legal evidence, the video-surveillance system shall be designed to mark the recorded material with a unique signature.
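One way to mark recorded material with a verifiable signature while leaving the video itself unencrypted, as 5.11.1.4 asks (an added illustration, not code from the draft TR or from any VMS; the draft does not name a signature scheme, so a keyed HMAC chain is used here, and the signing key, camera id and segment contents are constructed assumptions):

```python
"""Marking recorded material with a verifiable signature, after 5.11.1.4.

Added illustration, not code from the draft TR or from any VMS. Each segment
gets a keyed tag (HMAC-SHA256 with a key assumed to be held by the VMS) over
the camera id, the start time, the content hash and the previous segment's
tag, so that alteration, removal or reordering of segments is detected at
verification time while the payload stays readable for emergency access.
"""
import hashlib
import hmac
from typing import List, Tuple

GENESIS = b"\x00" * 32   # chain anchor for the first segment of a recording


def _message(camera: str, start: int, payload: bytes, prev_tag: bytes) -> bytes:
    # Bind identity, time slot, content and chain position into one MAC input.
    return (camera.encode() + b"|" + start.to_bytes(8, "big")
            + hashlib.sha256(payload).digest() + prev_tag)


def sign_segments(key: bytes, camera: str,
                  segments: List[Tuple[int, bytes]]) -> List[Tuple[int, bytes, str]]:
    """segments: (start_second, payload) in recording order; returns (start, payload, tag_hex)."""
    prev = GENESIS
    signed = []
    for start, payload in segments:
        tag = hmac.new(key, _message(camera, start, payload, prev), hashlib.sha256).digest()
        signed.append((start, payload, tag.hex()))
        prev = tag
    return signed


def verify_segments(key: bytes, camera: str,
                    signed: List[Tuple[int, bytes, str]]) -> int:
    """Index of the first segment whose tag does not verify, or -1 if the whole chain holds."""
    prev = GENESIS
    for i, (start, payload, tag_hex) in enumerate(signed):
        expected = hmac.new(key, _message(camera, start, payload, prev), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    return -1


def sample_recording() -> List[Tuple[int, bytes]]:
    # Constructed stand-in for three consecutive 10-second segments of one camera.
    return [(1000, b"frame-data-A"), (1010, b"frame-data-B"), (1020, b"frame-data-C")]


if __name__ == "__main__":
    key = b"constructed-demo-key"   # assumed: provisioned into the VMS by the operator
    signed = sign_segments(key, "cam1", sample_recording())
    print(verify_segments(key, "cam1", signed))                     # -1: intact
    tampered = list(signed)
    tampered[1] = (signed[1][0], b"frame-data-X", signed[1][2])
    print(verify_segments(key, "cam1", tampered))                   # 1: altered segment
    print(verify_segments(key, "cam1", signed[:1] + signed[2:]))    # 1: missing segment
```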

5.11.1.5 Communications with third parties

In preparation of interfacing with systems run by the authorities in crisis situations, the video-surveillance system shall natively support bilateral identification of transmission partner systems.

5.11.2 Data loss

5.11.2.1 Control objective:

To protect against accidental loss, destruction or damage of recorded material.

5.11.2.2 Redundancy

The video-surveillance storage function shall be built using a RAID (Redundant Arrays of Inexpensive Disks) architecture (or equivalent).

5.11.3 Information protection targets

5.11.3.1 Control objective:

Design to ensure confidentiality, integrity, availability and resilience of the processing.

5.11.3.2 State-of-the-art system security

In addition to the provisions set by sections 5.8 and 5.11, the video-surveillance solution shall provide adequate levels of access and configurable access rights, optionally based on the age of the data.

5.11.3.3 Accesses journal

The video-surveillance system shall keep a journal of all the accesses to the data as well as to its set-up.

5.11.4 Restore

5.11.4.1 Control objective:

To provide the capabilities for a restore in case of accidental loss of the recorded data.

5.11.4.2 Dedicated restore capability (not applicable)

As explained in section 5.12 below, it is generally lawful to keep video-surveillance data only for a limited period of time (typically less than one month); the redundancy described in section 5.11.2 is accordingly deemed sufficient, and no separate back-up capability is required.

5.12 Lawfulness (6.12)

5.12.1 Purpose of processing

5.12.1.1 Control objective:

To avoid by design the acquisition by a video-surveillance system of categories of personal data that are not legitimate to process.

5.12.1.2 Acquisition of legitimate data only (not applicable)

As already indicated for age determination in section 5.10.1, a video-surveillance system is totally agnostic with regard to the data presented to it, and unless specific trade regulations (such as export controls) apply, a manufacturer of a video-surveillance system cannot refuse to deliver it to a customer. It is furthermore not possible to limit acquisition by design to legitimate situations.

5.12.1.3 Reminder of what is legitimate to process

Even if the video-surveillance system is to be used outside the European Community, its manual shall explicitly indicate that the GDPR applies when it is put into service.

5.12.2 Data provisioning

5.12.2.1 Control objective:

To provide only personal data which are collected for a specified and legitimate purpose and for which transfer is also legitimated.

5.12.2.2 Retention time limited by default

As stated in section 5.12.1.2 above, a video-surveillance system cannot control the nature of the data collected, but it can take account of the fact that it is generally legitimate to keep the collected data only for the duration necessary to ensure the security of the persons and property monitored, in support of the security staff in charge. The video-surveillance system shall accordingly be designed with a retention time adjustable by the data controller; by default, the retention time at delivery of the system shall be limited to one day maximum.

5.13 Objection to processing (6.13)

5.13.1 Control objective:

To provide capabilities for the data subject to exercise her/his right to object by automated means.

5.13.2 Information of the data subjects, but impossibility for the data subjects to hide themselves

As indicated in section 5.1.1.2, the manufacturer shall help the data controller in its information duties with model posters; but by its very nature a video-surveillance system is designed to capture the best possible image of situations affecting security in general, and no process can be imagined through which the perpetrators of illegal or criminal actions would be given the right to be ignored in the records.

5.14 Automated decision making (6.14)

5.14.1 Control objective:

To ensure that no individual decision on a data subject can be made automatically.

5.14.2 Support to operators, but no direct decision

As per the definition given in section 1, a video-surveillance system cannot be designed to take decisions, but only to support operators.

5.15 Processing (6.15)

5.15.1 Control objective:

To govern included processing on behalf of the controller.


5.15.2 The manufacturer has no processor role

As already indicated for field of view and retention time, the key parameters with a potential impact on the capture domain and data quality shall be designed to be fully controllable by the data controller and, unless otherwise prescribed in the order, the default set-up at delivery shall be such that the risks of privacy violations are minimised.

5.16 Purpose limitation (6.16)

5.16.1 Purpose specification

5.16.1.1 Control objective:

To ensure personal data will be collected for specified, explicit and legitimate purposes only.

5.16.1.2 Purpose of the collection is not known to the manufacturer (not applicable)

A manufacturer selling a video-surveillance system to a distributor or an integrator cannot know the way the system will be used by the final customer and implementer.

5.16.2 Purpose incompatibility

5.16.2.1 Control objective:

To ensure that personal data will not be further processed in a manner that is incompatible with the purposes of collection.

5.16.2.2 Process inhibited if incompatibility detected (not applicable)

As noted above, such an indication is not available to the manufacturer.

5.17 Restriction of processing (6.17)

5.17.1 Control objective:

To provide the capabilities for personal data to be restricted from processing.

5.17.2 Tools for the data controller

As indicated above in sections 5.5.2 and 5.9.2, the data controller shall be given the means to erase selectively all the data in a given time slot and to perform dynamic masking of zones or individuals, as required.

5.17.3 Record kept of such actions

Such actions shall be recorded in the journal already described in section 5.11.3.3.
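The following is an added illustration, not part of the draft, of the storage-side behaviour required by sections 5.11.3.2 (access rights based on data age), 5.11.3.3 (journal of accesses and set-up changes), 5.12.2.2 (retention adjustable by the controller, one day by default) and 5.17.2/5.17.3 (selective erasure of a time slot, journaled). The role names and their age limits are a constructed policy, the segment layout and actor names are assumptions, and the journal is an in-memory list standing in for the append-only store a real system would use; dynamic masking of zones or individuals is not shown.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Retention at delivery: one day maximum (5.12.2.2); adjustable by the controller.
DEFAULT_RETENTION_S = 24 * 3600


@dataclass
class Segment:
    start_ts: int    # Unix time of the first frame of the segment
    payload: bytes   # recorded material


@dataclass
class RecordingStore:
    # Assumed policy: role -> maximum age (seconds) of data the role may read,
    # None meaning no age limit (5.11.3.2). Constructed for the example.
    max_age_by_role: Dict[str, Optional[int]]
    retention_s: int = DEFAULT_RETENTION_S
    segments: List[Segment] = field(default_factory=list)
    # Accesses and set-up changes (5.11.3.3); stands in for an append-only log.
    journal: List[dict] = field(default_factory=list)

    def _log(self, now: int, actor: str, action: str, **details) -> None:
        self.journal.append({"ts": now, "actor": actor, "action": action, **details})

    def ingest(self, segment: Segment) -> None:
        self.segments.append(segment)

    def set_retention(self, now: int, actor: str, seconds: int) -> None:
        """Controller adjusts the retention time; a set-up change, so it is journaled."""
        if seconds <= 0:
            raise ValueError("retention must be a positive number of seconds")
        self._log(now, actor, "set_retention", old=self.retention_s, new=seconds)
        self.retention_s = seconds

    def purge_expired(self, now: int) -> int:
        """Delete everything older than the retention window; returns the number removed."""
        cutoff = now - self.retention_s
        keep = [s for s in self.segments if s.start_ts >= cutoff]
        removed = len(self.segments) - len(keep)
        self.segments = keep
        if removed:
            self._log(now, "system", "purge_expired", cutoff=cutoff, count=removed)
        return removed

    def _in_slot(self, from_ts: int, to_ts: int) -> List[Segment]:
        return [s for s in self.segments if from_ts <= s.start_ts < to_ts]

    def erase_slot(self, now: int, actor: str, from_ts: int, to_ts: int) -> int:
        """Selective erasure of a time slot (5.17.2), recorded in the journal (5.17.3)."""
        before = len(self.segments)
        self.segments = [s for s in self.segments if not (from_ts <= s.start_ts < to_ts)]
        count = before - len(self.segments)
        self._log(now, actor, "erase_slot", from_ts=from_ts, to_ts=to_ts, count=count)
        return count

    def read(self, now: int, actor: str, role: str,
             from_ts: int, to_ts: int) -> List[Segment]:
        """Return the segments of a slot if the role's age limit allows it.

        Every attempt, granted or denied, is journaled (5.11.3.3).
        """
        if role not in self.max_age_by_role:
            self._log(now, actor, "read_denied", role=role, reason="unknown role")
            raise PermissionError(f"unknown role {role!r}")
        limit = self.max_age_by_role[role]
        if limit is not None and from_ts < now - limit:
            self._log(now, actor, "read_denied", role=role,
                      reason="slot older than role limit", from_ts=from_ts, to_ts=to_ts)
            raise PermissionError(f"requested slot exceeds the age limit for role {role!r}")
        hits = self._in_slot(from_ts, to_ts)
        self._log(now, actor, "read", role=role, from_ts=from_ts, to_ts=to_ts, count=len(hits))
        return hits
```

Two design points matter for an audit: denied reads are journaled as well as granted ones, and a change of the retention time is itself a journal entry carrying both the old and the new value, so a later extension of retention by the controller can be traced.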

5.18 Storage limitation (6.18)

5.18.1 Control objective:

Identification of data subjects for no longer than it is necessary for the purposes for which the personal data are processed.

5.18.2 Retention time limited by default

See section 5.12.2.2


5.19 Transparency (6.19)

5.19.1 Information

5.19.1.1 Control objective:

To provide the capabilities to inform the data subject on all aspects related to her/his consent.

5.19.1.2 Information on the existence and purpose of the video-surveillance system

See section 5.1.1.2

5.19.2 Record of processing activities

5.19.2.1 Control objective:

To support the filling in of the record of processing activities.

5.19.2.2 Documentation and automatic journals support the data controller

See sections 5.2.2 and 5.11.3.3