Guidelines 03/2019 on processing of personal data through video devices

Paragraph 9.3.2  Technical measures

132. System security means physical security of all system components, and system integrity i.e. protection against and resilience under intentional and unintentional interference with its normal operations and access control. Data security means confidentiality (data is accessible only to those who are granted access), integrity (prevention against data loss or manipulation) and availability (data can be accessed when it is required). 

133. Physical security is a vital part of data protection and the first line of defence, because it protect VSS equipment from theft, vandalism, naturaldisaster, manmade catastrophes and accidental damage (e.g. from electrical surges, extreme temperatures and spilled coffee). In case of an analogue based systems, physical security plays the main role in their protection.

134. System and data security, i.e. protection against intentional and unintentional interference with its normal operations may include:

• Protection of the entire VSS infrastructure (including remote cameras, cabling and power supply) against physical tampering and theft.

• Protection of footage transmission with communication channels secure against interception.

• Data encryption.

• Use of hardware and software based solutionssuch as firewalls, antivirus or intrusion detection systems against cyber attacks.

• Detection of failures of components, software and interconnections.

• Means to restore availability and access to the system in the event of a physical or technical incident.

135. Access control ensures that only authorized people can access the system and data, while others are prevented from doing it. Measures that support physical and logical access control include:

• Ensuring that all premises where monitoring by video surveillance is done and where video footage is stored are secured against unsupervised access by third parties.

• Positioning monitors in such a way (especially when they are in open areas, like a reception) so that only authorized operators can view them.

• Procedures for granting, changing and revoking physical and logical access are defined and enforced.

• Methods and means of user authentication and authorization including e.g. passwords length and change frequency are implemented.

• User performed actions (both to the system and data) are recorded and regularly reviewed.

• Monitoring and detection of access failures is done continuously and identified weaknessesare addressed as soon as possible.