Thursday, January 21, 2016

The (ab)use of monitors for video surveillance: what balance … – Lawyer

                    

This article tries to shed some light on, and offer a solution to, the problem of the "indiscriminate" use of monitors for video surveillance. Almost twelve years after the first general measure of the Privacy Guarantor on the subject, the practice still poses many problems for data controllers, who are torn between the heavily sanctioned obligation to comply with the rules on the protection of personal data and the increasingly important need for security.

Background – For several years a singular custom in the use of video surveillance monitors has been spreading widely in different parts of Italy. In various commercial activities we are witnessing the systematic installation of one or more monitors showing the images transmitted from the business premises, in areas accessible to both clients and workers. This latest abuse of video surveillance monitors, which have gone from tools reserved for the designated employees in a place not accessible to third parties to mass tools accessible to everyone without any authorization, apparently has various reasons. In this writer's opinion there are two basic reasons that drive companies to adopt a monitor visible to all: the first is to warn potential criminals (most of the time shoplifters or kleptomaniacs) that there is a fully functional image detection system; the second is to reassure and, at the same time, empower the clientele, who in the event of wrongdoing must in some sense be "activated" to alert the police to the unlawful act. But let us proceed in order.

1 – The legislation is based on Legislative Decree no. 196/2003, the so-called Privacy Code, and on the General Measure on video surveillance of 2010 of the Guarantor for the protection of personal data. Article 4, letter a) of the Privacy Code defines the processing of data as any operation or set of operations, carried out without the aid of electronic instruments, concerning the collection, recording, organization, storage, consulting, development, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, erasure and destruction of data, even if not registered in a database. From this article it can be seen that the detection of images by means of monitors, even in the absence of recording, encompasses several types of processing, namely collection, consultation, use and, where the monitors are within view of anyone, dissemination of the images. Article 4, letter b) defines personal data as any information relating to an individual, identified or identifiable, even indirectly, by reference to any other information, including a personal identification number. An examination of these two letters of art. 4 thus shows that the detection is a processing of personal data, and that the images displayed by the monitor are personal data for all purposes.

Paragraph 2, letter b) of the General Measure of 2010 states that each information system and its computer program [is to be] configured from the outset so as not to use data relating to identifiable individuals when the purpose of the processing can be achieved using only anonymous data (e.g., by configuring the computer program so that [...] only general shots are taken, excluding the possibility of enlarging the images and making persons identifiable). This imposes the necessity principle, which implies an obligation of careful configuration of information systems and computer programs to minimize the use of personal data (art. 3 of the Code).

Paragraph 2, letter c) states that video surveillance activities are to be carried out in compliance with the so-called proportionality principle in the choice of shooting modes and camera placement (e.g. through fixed and PTZ cameras, with or without zoom), and at the various stages of the processing, which must in any case involve data that are relevant and not excessive for the purpose pursued (art. 11, paragraph 1, lett. d) of the Code). The use of monitors for video surveillance accessible to anyone therefore constitutes a breach of the principles of necessity, proportionality and relevance.

Section 3.3 of the General Measure of 2010 concerns the security measures to be applied to personal data processed by means of video surveillance systems. Point 3.3.1, recalling art. 31 of the Privacy Code, states that data collected by video surveillance systems should be protected with suitable preventive security measures to minimize the risk of destruction, loss, even accidental, unauthorized access, and processing that is not allowed or is inconsistent with the purposes of the collection, also in relation to the transmission of images. Unauthorized access is precisely the focal point of this article. How can anyone be allowed to view the images taken by the cameras if point 3.3.1 and Art. 31 of the Privacy Code mandate the protection of images from unauthorized access? Point 3.3.1 continues: specific technical and organizational measures must therefore be adopted which enable the holder to verify the activities carried out by those who access the images or control the filming systems [...]. Here too we see the total illegality of a monitor open to all, which should be visible only to designated personnel.

Continuing with 3.3.1: It is inevitable that, in view of the broad spectrum of use of video surveillance systems, including in relation to the subjects and aims as well as the variety of technological systems used, the minimum security measures may also vary significantly. However, it is necessary that they at least respect the following principles:

a) where different competences are specifically attributed to individual operators, different levels of visibility and processing of the images must be set (see 3.3.2). Where technically possible, according to the characteristics of the systems used, the above persons, whether designated persons in charge or possibly processors, must be in possession of authentication credentials that allow each of them to perform, depending on the tasks entrusted, only the operations within their competence;

b) where systems are configured for the recording and subsequent storage of captured images, the possibility for authorized persons to view the recorded images not only in sync with the filming but also at a later time, and to perform cancellation or duplication operations on them, should also be carefully limited; [...]

A reading of 3.3.1 shows the total non-compliance of video surveillance monitors installed so that they are visible to anyone, regardless of the purpose, since the detection of the images can only be performed by personnel who are authorized to view them. This is dealt with in point 3.3.2, which states that the owner or manager must designate in writing all individuals, in charge of the processing, who are authorized to enter the premises where the control stations are located, to use the facilities and, in cases where it is essential for the purposes pursued, to view the images (Art. 30 of the Code). This should be a defined number of subjects, especially when the owner uses external collaborators. Different access levels should also be identified according to the specific tasks assigned to each operator, distinguishing those who are only authorized to view the images from those who can, under certain conditions, perform further operations (e.g. record, copy, delete, move the viewing angle, adjust zoom, etc.) [...]. With 3.3.2 we have a unified framework of the issue in question, which can be summarized in this way:

  • Only a person appointed and designated in writing may be granted access to the premises where the control stations, and therefore the monitors, are located;
  • An adequate explanation must be provided of why viewing the images is indispensable;
  • This should be a defined number of persons;
  • There must be different levels of access to the images, so that there are operators who can only view the images and operators who can perform other processing. It is impossible, for example, for an operator to view images and record them at the same time with the same letter of appointment.

2 – The rigidity of the Privacy Code and of the General Measure of 2010 is matched by a strong system of sanctions. Point 3.3.2 closes as follows: Non-compliance with the provisions in letters a) to f) of section 3.3.1 implies the application of the administrative sanctions provided for by Article 162, paragraph 2 – b, of the Code. The failure to adopt the minimum security measures results in the application of the administrative sanctions provided for by Article 162, paragraph 2 – a, and constitutes the offense under Art. 169 of the Code.

Article 162-ter, paragraph 2 states that for any breach of the provisions prescribing necessary measures or prohibitions under, respectively, Article 154, paragraph 1, c) and d), the administrative penalty of a fine ranging from thirty to one hundred eighty thousand euro is also applied, in every case. Article 162-bis, paragraph 2 states that if personal data are processed in violation of the measures set out in Article 33 or of the provisions mentioned in Article 167, the administrative penalty of payment of a sum of ten thousand to twenty thousand euro is also applied, in every case. In the cases referred to in Article 33, reduced payment is excluded. It is unnecessary to add further considerations, except that data controllers who have embraced the custom of monitors open to the public should change their habits, to avoid unpleasant surprises in terms of sanctions. [1]

3 – As regards court rulings, the recent Supreme Court judgment no. 17440/2015 clarified the obligation of the data controller to inform those concerned about the presence of a video surveillance system, even if the images are not intended for recording and subsequent storage. The case centres on the application submitted directly by the Guarantor for the protection of personal data against the decision of the Court of Palmi. The latter had ruled out the existence of the offense on the part of the owner of a roaster who had installed a camera inside the business without any notice. In particular, the Court argued, incorrectly, that the Privacy Code does not apply to the case because the images cannot be considered "personal data", and also because they are not recorded and their use is limited in time and serves only security needs. Such claims can only be rejected, and rightly so, because, as repeatedly stressed by the Privacy Guarantor, even the simple image of a person must be considered personal data in accordance with art. 4, para. 1, letter b) of the Privacy Code, as it relates to an identified or identifiable natural person (see also Cassation no. 14346/2012). Moreover, the Court states that the "non-recording" of the images is irrelevant, because even their mere display involves the collection, and therefore the processing, of personal data. [2]

4 – Reinforcing this argument is a fundamental question that Federfarma, the National Federation of Italian pharmacies, put in December 2013 to the Authority for the Protection of Personal Data. The question concerned the proper placement of video surveillance monitors in commercial establishments, particularly pharmacies. Federfarma formally asked the Guarantor whether monitors for video surveillance could be placed so as to be visible to anyone entering the business, in order to counter the very high risk of robbery to which Italian pharmacies are exposed daily. The Guarantor, in a reply signed by Dr. Joseph Staglianò, Director of the Department for Economic and Productive Reality of the Authority for the protection of personal data, responded in April 2014 stating that [...] even the mere viewing of images acquired by means of video surveillance systems constitutes a processing of personal data. Therefore, the data collected, namely the images transmitted on a monitor, must be protected, so that viewing them should be allowed only to those who, previously appointed by the owner of the data as persons "in charge" according to Article 30 of the Code, have the task of monitoring them to prevent the commission of possible offenses. It follows that a "generalized" viewing of the images cannot be considered compliant, since it not only is not limited to those actually qualified to view them, but also extends to "any person found on the premises of the commercial establishment or pharmacy" [...]

5 – In conclusion, is there a solution to this problem that affects several Italian companies? Beyond the sanctions, what might discourage data controllers from the unlawful use of monitors for video surveillance, without giving up a valid system of deterrence? The answer is in the General Measure of 2010, and is emphasized further in the final opinion of the Guarantor to Federfarma, which concludes this way: [...] It is also noted that "the effect of deterrence against malicious persons", which the use of monitors proposed by this Federation is meant to achieve, is quite obviously excessive, since the same goal could be achieved, in a less invasive way, simply by affixing signs containing the simplified information notice, which are well suited to informing any individual on the premises of the presence of a video surveillance system, possibly also equipped with a recording system. [...]. So, ultimately, the solution to this problem is as follows: first, the monitors must be stripped of their (dubious) deterrent role and therefore located in areas not open to the public, under the control of specially appointed persons in charge of or responsible for the processing; second, the only instruments of deterrence and crime prevention will be the minimal information notice under art. 13 of the Privacy Code, posted visibly in several places on the premises. Only then can a fair balance be guaranteed between the need for security and the need for confidentiality and personal data protection.


(American Lawyer, January 21, 2016. Article by Louis Mischitelli)
