Surveillance webinar

Surveillance webinar


Hello I’m Robert Parker and I’d like to welcome you to today’s webinar which is about all things surveillance. You’ll be hearing from Anne Russell, Andrew Rose and Stacey Egerton who work in the policy Directorate here at the ICO. They’ll be taking you through the slides and we expect the session to run for around 45 minutes. The slides and the speaker notes will be available on our website later in the week and the easiest way to find them will be to go to the website www.ico.org.uk. and put webinars into the search. The ICO has a free helpline number 0303 123 1113 A recording of this webinar will be available by close of play tomorrow Regarding any questions you’ve got and please submit your questions as they occur to you through the presentation and then I’ll put the most frequently asked to Anne, Andrew and Staceyas we go. I’d like to now hand over to Stacey Stacey : thanks very much for that Rob and thank you very much to everyone for joining us today on the surveillance webinar. So surveillance is a big feature of the regulatory work that we do under the Data Protection Act the ICO’s role is to regulate the processing of personal data that is obtained by cameras and the ICO has powers to handle complaints and take enforcement action. We also work closely with the office of the Surveillance Camera Commissioner whose role was created under the protection of freedoms Act 2012. The role of the Surveillance Cameras Commissioner is to encourage compliance with the surveillance camera code of practice and review its operational impact. We’re going to talk a bit more about that and in more detail shortly The UK is recognized as a leading user of CCTV but surveillance has grown much wider than just the use of CCTV cameras on top of a pole. The technologies in use now are much more sophisticated operations using digital and increasingly portable technology, the use of automatic number plate recognition is now commonplace and body-worn cameras are being routinely used by organizations across the board such as the police. It’s also common for many technologies to enable audio to be captured as well. No matter how familiar we are with CCTV and how much we might expect to see cameras in operation, it is still an intrusion on people’s privacy and needs to be carefully thought through. The use of surveillance cameras has aroused public concern due to the wider use and capabilities of these technologies. There no one being used solely to keep people and they’re property safe but increasingly used to collect evidence to inform other decisions and while we recognize that surveillance technologies have many benefits to organizations it is also important that organizations are aware of these public concerns and recognize that surveillance technologies can be intrusive. It’s therefore essential that the benefits of using any form of surveillance are balanced against the privacy of the individuals. The ICO have concerns that privacy and information governance are often an after thought or in some cases not considered at all. However it’s important that privacy and information governance are properly considered right at the very beginning. This will help to ensure that the schemes you implement or intend to implement are appropriate for the purpose and compliant with the law. We are here today to hopefully explain what key information governance issues you should be considering and the tools and resources available to assist you in the process. Today’s webinar will focus on organizations use of surveillance technologies covering some of the key governance and compliance considerations to ensure that you’re ultimately following good practice. We’ve also included some case studies to help demonstrate both good and bad practice and we’ll also look at the new data protection reforms coming into force next May and what impact this could have on any surveillance you’re using or considering implementing. So moving on surveillance technology will often capture personal data subsequently processing personal data and will need to comply with the Data Protection Act principles highlighted here. If you’ve considering implementing any new surveillance technologies within your organization you will need to ensure that it’s appropriate to the purpose and justified. I’m now going to hand over to Andy who is going to go through some the key information governance issues you should be considering to ensure that any schemes you implement are justified and compliant with the law. Andrew: Thanks Stacey well to help you get it right, we recommend that you do a PIA, a Privacy Impact Assessment These aren’t illegal requirements at present but they are highly recommended and certainly if we’re asked to investigate a case including surveillance technology, we will ask you to justify your solution and a privacy impact assessment would be the easiest way of doing this. Some key points about PIA’s on the slide. Firstly a PIA isn’t just a checklist to tick off and forget about, it’s a really useful document which can help you ensure your systems are DP compliant. Secondly it’s important to start your PIA early in any development work. You won’t have all the answers early on but it does allow you to identify when you have privacy questions to answer. Thirdly it’s there to help you identify any privacy risks and mitigate for those risks. The PIA helps you think about how well your solution complies with the Data Protection Act but also encourages you to consider whether you need to use surveillance technology or if there is a better way of meeting your requirements. So some of the questions you need to consider for yourselves what is the problem you’re trying to resolve? and why using surveillance technology is necessary to achieve this? What’s the minimum intrusion necessary? What further safeguards do you need to put in place and how will you review the system to see if your objectives have been met so this is a good time to introduce the ICO’s CCTV code of practice This was updated in 2015 to take account of a number of things. Firstly surveillance capabilities have increased enormously since the previous code of practice was published in 2008 and the updated code introduces considerations for privacy by design and use of privacy impact assessments so thinking about not just what you’re doing but how. For example so where do you site the cameras and does the device you’re using have the ability to turn off or mute independently. The code also gives advice back complying with the data protection principles and covers other considerations if you are using a data processor. It also refers throughout to the role of the Surveillance Camera Commissioner. So what are the issues that we recommend you focus on? Well firstly there’s thinking about whether you are using continuous report recording or not and this is one area that needs to be carefully considered and justified. You need to think about whether it’s appropriate to keep the cameras operated at all times or is are there any circumstances when the recording should be stopped? So for example if you have cameras operating in a public area but there are times when that area is closed to the public but you may still have staff present, you may decide to switch the cameras off at those points and it all comes back to the reasons for installing the cameras. Use of audio is another area you need to think carefully about, as this is likely to be much more invasive so again you need to think about what circumstances make it appropriate for you to start audio recording and to ensure your solution allows you to switch this on and off independently. Another very important question here is ‘is your processing fair?’ So this is very much about transparency and we’ve got another code of practice to help you here. In the context of traditional CCTV this would often mean making sure that you’ve got signs up alerting people to the fact that cameras are in operation and who’s responsible for them. It should be explicit in prominent signage and explain who owns and manages the cameras. We also need to that people know where they can find out more information which would typically be a website address. When you are using other technologies such as body worn video, it’s more difficult to provide this fair processing information but there are things you can do. So for example operators should have some sort of indicator to show that their camera is in use maybe a uniform or something and also need to consider how to provide more information. So you could put policy details on your website but also think about using some publicity when you introduce a new scheme. You could also include reference to the use of technology in press stories just to keep it present in people’s minds. To satisfy the first principle processing has to also has to be reasonable so just providing fair processing isn’t enough. As mentioned earlier a IPA will help you consider this, now the code of practice makes clear that you’ll be able to justify any processing that you’re planning and satisfy yourself that it is proportionate and necessary in addition public authorities must consider their obligations under the Human Rights Act. So solutions need to be a proportionate response to a pressing social need. Now organizations don’t always get this right and we have taken enforcement action in a number of cases against what we considered for disproportionate solutions. The next thing I want to cover is security because any personal data must be kept securely as you know. When you’re using surveillance technologies there’s two main aspects to this. Firstly there’s your routine surveillance activity which is used predominantly as a deterent but sometimes used for detection purposes. So this is often only reviewed when looking for evidence and much of the footage will never be accessed before being deleted in line with business retention periods. You must also have secure storage solutions and appropriate access controls to ensure that only specified individuals can access the data when it’s necessary. Where the footage is accessed to identify or investigate incidents you’ll need to have different arrangements to retain this information for as long as you need to. The n you also have data which is captured during an incident so this is more likely to be where the recording has been activated for a specific purpose in response to an event. This sort of data will most likely need to be reviewed to determine whether it is of any further use and you’ll need to think about how to do this and then think of all the other data protection considerations including retention periods access controls and disclosures. So a couple of other considerations and the next thing to mention is governance so I’ve mentioned the ICO’s CCTV code of practice earlier and there’s a whole section in there about governance and there’s lots of questions for you to consider. As we’ve said it’s very important to ensure that you clearly understand what the system is to be used for and when you will collect information. So is there a permanent feed or is it triggered by activity or noise or a panic button? Who has access to that information? Have you got adequate procedures in place to manage the data and how do you check that these are followed and kept up to date? Another thing to consider is whether you use a data processor to handle the data and if so are their responsibilities clearly set out in a contract? Governance is especially important when implementing a shared or partnership scheme when it would be sensible to develop a data sharing agreement to clearly identify the responsibilities of all parties in relation to the data collected. Now the last thing to mention in this section is disclosures, these are covered in the governance section in the code of practice but worthy of a separate mention because of some particular considerations. First of all you will need to consider requests from individuals for their own personal data. I mentioned fair processing earlier and you must provide people with the details of how they can get access to footage if they want to request it. You’ll probably also need to think about how you can redact or blur the images of other people where appropriate and make sure your system allows to do this. However, this needs consideration because in some cases it might be appropriate to provide that information about third parties. Some other things to think about are how do you locate the personal data that’s the subject of the request? What processes do you have in place to confirm the identity of the requester? and how do you stop data being deleted in line with the normal retention period if a subject access request is made? Finally you’ll need to think about how you deal with request for footage from third parties such as the police and when it’s appropriate to provide this and public authorities might also get FOI requests so will need to know how to deal with these as well . okay so I’m going hand over to Rob: Rob: there’s a couple of questions and thanks very much. Where can people get a copy of the codes that you’ve referred to? They’re on our website and what is the most common use of surveillance the ICO gets to hear about? Anne The areas where we would get to well we field questions and where there are issues are probably used by public authorities, police force that sort of thing and we hear about that quite a lot and also of course in the private sector and where there may be more resources available then we we often hear about you know more sophisticated convergence of systems in the private sector we get involved in those areas. Andy : We’ve got local authorities, health organizations on housing associations as well so there is quite a lot of people using CCTV. ROB: okay thanks well back to you and just to say to people tuning in if they’ve got any questions do send them through and I’ll put them to the panel thank you ANNE: okay so moving on we’re now going to look at some examples of good and poor practice to bring life to the compliance points that we’ve made. The ICO recognizes the potential benefits of surveillance systems but the personal data obtained by these systems must be handled in a way that is compliant with the law, These examples are based on cases where the ICO is engaged with data controllers using the camera systems. In this first case study drivers working for a haulage company reported concerns to us that inward facing cameras were continuously recording audio and video of them as they worked. The company haven’t consulted with drivers or demonstrated a justification for installing the cameras and no privacy impact assessment had been carried out. These are all aggravating factors in the decision-making when we decided that we would take enforcement action against that data controller. The second case that I want to draw attention to is shows that the use of surveillance technology must be proportionate this reflects the 2013 tribunal ruling in the case of Southampton City Council versus the Information Commissioner regarding the policy to require all taxis to be fitted with a CCTV system that included continuous audio recording. The ICO had issued an enforcement notice in 2012 that was challenged by Southampton City Council, the subsequent judgement noted that in this semi private space it will be likely that individuals would be discussing sensitive topics for example related to health which is defined as sensitive personal data in the data protection act. The judgment didn’t see why anyone should be forced to modify their behavior because of continuous audio recording and ruled in favour of the Information Commissioner. It’s understood that a pressing social need can justify some surveillance in taxis but that this should be proportionate to that need for example using a system where recording can be activated by a panic button or similar when needed We’ll now move on to some examples of good practice. Okay the first example is about the use of body-worn video in classrooms. In one example we’re aware of consultation with affected parties was carried out mainly with pupils, teachers and parents. Consideration was also given to the reason for cameras being used. These reasons should reflect a specific need for example are cameras being used to target problems with aggressive behavior or to monitor performance? These are two entirely different purposes and individuals being recorded should be consulted and subsequent use should be clearly explained. Alternatives to cameras should also be considered in order to tackle problems. Additionally thought should be given to whether they’re being used as a deterrent or as an evidence gathering tool .Further effectiveness should be monitored throughout the lifecycle of the cameras to ensure that recording remains justifiable. Moving on this example illustrates the importance of planning, the shopping centre was planning to deploy a facial recognition technology for crime prevention detection purposes. They would maintain a database of known or suspected offenders and use them to build facial profiles within the facial recognition systems. After some engagement with the ICO and reflecting on this in more detail, more detailed consideration was needed in order to understand the retention of images and to determine whether this will be lawful. Additionally data minimization should be an active part of this process and this will become increasingly important when DP reforms take effect. Additionally the shopping center is working on effective ways to communicate the process to shopper and staff. In fact the shopping center is committed to undertaking a privacy impact assessment and has recognized that a DPIA would be most likely to be required under GDPR . More on this later they understand that the use of facial recognition could be viewed as disproportionate in some circumstances and that this could cause reputational damage. Remember that recording in homes or other sensitive places such as toilets, changing rooms hospitals or religious institutions, could be particularly intrusive this means that the justification for recording should be significant when balancing whether recording can be justified. Remember the scale slide at the start of the webinar. In A recent case the organisations staff were instructed to record on body worn video in every case when they visited the homes of clients. After more detailed consideration, the data controller was able to see that visits to certain clients were higher risk than others so the policy was modified this is another example that illustrates that blanket or continuous recording is seldom justifiable. I’m now going to hand over to Rob. Rob: just a couple of points really the Privacy Impact Assessment, do the ICO provide guidelines or a template? we do if you go to the website and put PIA in there you’ll get to it. Another one about can we share this PowerPoint with council colleagues? Absolutely you can the whole webinar will be on our website by the end of tomorrow so you can play recording back and look at the slides with the speaker notes Stacey: So just before we move on to the data protection reform we’re just going to do a brief recap of some other key points that we’ve made so far so firstly purpose and justification you really need to be clear on the purpose crime prevention or deterrent is different purpose to gathering evidence so you need to ensure that the proposed surveillance technology is a justified proportionate and necessary solution to the purpose and also be able to evidence is the most appropriate solution. Secondly we also talked about retention so information should only be held for as long as it is necessary so will the footage that you’re capturing be covered under the usual business retention periods within your organization or will you need separate retention schedule to cover surveillance footage that you are collecting and then we also mentioned access control and security, so ensuring that you have secure storage solutions and appropriate access controls and ensuring that only those specified individuals can access the data were appropriate necessary and also ensuring that there are procedures in place for individuals to access their data under subject access should they request it. Finally we also mentioned fair processing so transparency is key to public trust. Make sure that you’ve provided clear signage to tell people that footage is being recorded and also that individuals know where they can obtain further information should they wish. The main point that we’ve tried to get across is that the key starting point in considering and addressing any governance and compliance issues is undertaking a privacy impact assessment so as Andy mentioned the privacy impact assessment process should not be seen as a tick box exercise. A proper thought-out PIA will encourage you to consider whether you need the proposed surveillance technology and will ensure that it’s justified and complies with the law so at the ICO we have a privacy impact assessment code of practice that explains that the PIA process and the kind questions that you can be answering to produce a detailed and considered assessment and as Rob mentioned this is available on our website. so I mentioned at the beginning that we have concerns that privacy and information governance are often an afterthought or in some cases not considered at all when organizations are implementing surveillance technologies. The last thing an organization wants is for there surveillance project to be placed on hold because they failed to undertake a privacy impact assessment or adequately considered the privacy implications and we’re aware of this actually happening subsequently this is an approach that we have been working to change. It shouldn’t be have we done a privacy impact assessment but instead you should have taken a proactive approach of let’s do one right at very beginning and let’s get this right so I’m just going to hand back over to Anne who’s going to explain a little bit more about the Surveillance Camera Commissioner’s role. could I just jump in there Stacy with a question we have a client wants to use drone technology fitted with a recording equipment this could be something which comes more commonplace in the future are there specific requirements this needs to comply with and yeah I mean it goes without saying that obviously a privacy impact assessment will be relevant here to unpack what the compliance issues would be in the work that we’ve done with with those controllers who were using or considering using drones the particular challenges that we need to draw attention to here are the transparency around the use so compliance with principle one of the data protection act in other words letting people know that you’re recording that you’re using cameras on the drones and recording them potentially. There’s clear challenges in this area and because it’s not you know when you can swing clear drone flying in the air it’s not always apparent who’s using its impact is rarely apparent whose using it so you need to find innovative ways of informing people that you’re using drones to record information about them to record images of them rather and another issue with with drones is that they potentially have the ability to fly into areas where expectations of privacy would be would be quite high and so there’s a certain control issue there and thinking about what people’s expectations are depending on whether the drones are flying and just an another one to flag as well in connection with drones is security considerations and because obviously the for any number of reasons it’s important that you you keep the equipment secure but it’s important clearly and to ensure that you keep the data secure that’s being recorded by the drone whether it’s physically on the drone or remotely and there is more information about drones more guidance in the CCTV code that we’ve already mentioned in this webinar and and there’s also some advice in our encryption guidance on drones as well okay so now it’s an opportune time to move on to talk about the work of the Surveillance Camera Commissioner and it would be wrong to have a presentation on surveillance without mentioning the surviellance camera commissioner as we’ve already said the IcO and the surveillance camera commissioner’s office work in cooperation with each other the surveillance camera Commissioner promotes efficient and effective use of surveillance camera systems this includes technical standards the the Information Commissioner’s role is to regulate the processing of personal data that’s obtained by cameras as we’ve seen earlier on in this presentation. So the surveillance camera commissioners developed tools ranging from self-certification to full third party certification to help organizations demonstrate that their surveillance camera systems comply with a surveillance camera code of practice and of course what the surveillance camera produces is going to be bespoke to surveillance whereas of course the the guidance that we produce this is often more more general if you comply with the surveillance camera commissioners code although not a guarantee it will help you to comply with the requirements of with requirements of data protection legislation when using surveillance cameras the surveillance camera commissioners self-assessment tool is available online from their website and it helps organisations the users of ends cameras to identify if they’re complying with the code organizations can assess what they are doing whether what they’re doing well and develop an action plan to improve any areas that fall short of compliance once completed organizations are encouraged to publish the action plan following on from the self-assessment tools the commissioner has developed a two-step certification process which is a deliverable by bodies and accredited by the UK accreditation service the certification process is available to any organization that operates surveillance camera systems in their public space this could be small or large organizations that want to show compliance with the code and to demonstrate good practice. Certification should also reassure the public this a surveillance camera scheme is there to support them and not to spy on them you can find out more information about self assessments and certification on the commissioners website also of interest areas surveillance camera Commissioner launched a national surveillance camera strategy for England and Wales in March it’s a comprehensive strategy that touches on many areas of surveillance of surveillance camera use police and local authority installers and manufacturers training providers and regulators and how the use of surveillance cameras impact members of the public the strategy will provide the surveillance camera commissioner with robust and transparent framework fulfil his statutory functions as set out in the protection of freedoms act and will inform his annual report to the Home Secretary and i will now move back to Andy. Andy: ok thanks Anne so in this last section of the webinar we’re just going to look forward to the data protection reforms that will take place from May next year 2018 so first of all we’ve got the general data protection regulation which hopefully most people have heard about but there’s also new legislation for law enforcement for the purposes of law enforcement please be aware that there will be separate legislation established for cross-border and domestic policing so we need to keep our eyes open for that and we will be informing people as and when that’s ready so focusing now on the GDPR as most of you will know most of the DP principles and fundamentals don’t change significantly so things that we’ve already talked about still apply but the gdpr does introduce some important changes that would cover on the next few slides that are relevant to surveillance technology so the first of these is a new requirement to implement data protection by design and default and this is all about embedding privacy by design into your organization because article 25 of the gdpr makes an explicit requirement rather than the good practice that is now so example measures that the text talks about a pseudonymisation and transparency which are things that you can implement and you should consider implementing but one thing where there is an explicit requirement is around data minimization so you should only be processing data that’s necessary for each specific purpose. When considering data protection by design you should take into account the available technology, the cost of it ,as well as the nature and scope of your processing and then from that the resulting privacy risks to individuals so a key measure of your approach to data protection by design is the data protection impact assessment so this is very similar to the PIA that we’ve talked about but changes here is that DPIA’s will be mandatory in certain circumstances so a particular relevance today as you can see here on the slide but particular relevance today are the use of new technologies large-scale use of surveillance and processing personal data relating to crime now when you’re doing a DPIA you must cover the purpose of your processing you must have an assessment that why that processing is necessary you must also identify the risks and the risks to the rights and freedoms of individuals and any mitigations to those risks that you identify now in some cases you’ll have to seek prior approval from the ICO before processing starts so that we can assess whether measures identified are sufficient so at this point although we haven’t got full guidance available at this point that suggests you review your project and change management processes just to ensure that PIA and DPIA’s are built in and then you can reinforce this within your organization’s through training about the privacy by design principles so moving on to security and the gdpr has clear security obligations for both controllers and processors so again this is a change. Article 32 mentions that you must take into account appropriate technical and organizational measures which are appropriate provided an appropriate level of security based on risk again taking account of state of the art and the cost of implementation now some of the key measures that you you’re obliged to include are shown on the slides there and when you’re thinking about what measures are appropriate you must take into account the risk presented by the processing and again back to the PIA the risk assessment should be covered when you’re doing that ok looking a bit deeper the responsibilities of controllers and processers when you are using a process at any processing they do must because it must be done on the basis of the contract in turn processors must provide sufficient guarantees to implement appropriate technical and organizational measures and they cannot use sub processes without specific prior agreement of the controllers that’s a new change and again there’s some extra points on the slide of the contracts must cover so again it’s not very different to the DPA but it is more specific and it is clearer what you have to do one extra consideration here is the processors can now be held liable for data breaches if they’re acting outside to the lawful instructions of the controller and this will allow the ICO to take action against the processor where appropriate it’s also at this point it’s well with both controllers and processors checking details of existing contracts to show that they are sufficiently detailed and cover all this. Another important security requirement is the duty to report data breaches so under article 33 breach reporting becomes a duty for everybody the first notification of a breach generally be made within 72 hours also if a processor discovers a breach then they are obliged to notify the controller and the wording here is without delay so basically as soon as you discover a breach you need to make sure your controller is aware of it and controllers also need to consider whether to inform individuals affected particularly where the risk is deemed is high. The last point I want to make today is about the designation of data protection officers because data protection officers are mandatory for some organizations as explained on the slide important to note that this is this condition does apply to processors as well as controllers so again I would advise the controllers who contract and surveillance activity to a processor make sure that they check that the processors are sufficiently experienced dpo in place now we have lots more information available about the GDPR on our DP reform website this page will be kept up to date with any changes that we make so keep an eye on it. Rob : A couple of questions just to sweep up some of the points that you’ve covered and so on privacy impact assessments how do you plan to make them proactive rather than reactive ? I suppose what the question is asking is whether you should think about them in advance and that’s a really important point and that’s something that we try and reinforce when were out about speaking to people that before you start to plan to purchase cameras and again and eventually install them you should really think about conducting a privacy impact assessment first of all and arguably they can also be reactive in fact it’s probably quite important point to make that they should be considered as an active document that you return is as you learn lessons in the life cycle of the project so in a way they might be reactive responding to lessons you do learn and all if external circumstances change and you know it should be treated in that way as a living document really I think something just to add in there as well but in terms of that proactive point I think it’s going to require a bit of a culture change and a lot of organizations and it’s about looking at how you can embed privacy and information governance within your organization and so basically you want in those at the top level and at board level level to appreciate how important that privacy is so it then filters out in the organization and that way organizations and then trying to think about those privacy concerns right at the beginning of projects rather than more sort of in the middle or at the end and we are aware of quite a few organizations that have made this standard practice now and they do PIAs for every single project so people are getting the message it’s just carry on and keep pushing the message out really. Rob: Drilling down a bit that we talked about privacy impact assessments for large-scale surveillance what do we mean by large-scale. Andy:this is something that’s being covered in guidance that it’s being published shortly or it’s just come out I’m not entirely sure to be honest but it does need a little bit of definition there are a couple of things to think about though is if you’ve got even if you’re a smallish organization but everybody that you process it sorry but everybody that you’re dealing with is impacted by that surveillance activity then that’s large-scale within your organization I think a good example would perhaps be a mpre and we’ve got behind that yeah that perhaps set a good example and I think it’s turning on it’s head a bit its about the impact on the individual as part of the mix when you consider it what’s large-scale not necessarily you’ ve got thousands of cameras but what the impact is on covering on individuals both in terms of severity of impact and scale of impact I think it’s important ROB: okay thank you jumping around a bit but regarding the shopping center example and there use of facial recognition were there any specific guidelines that applied to the recording of biometric data? Anne: I mean it in terms of biometric data and in this this more specifically around facial recognition example and what we’ve said to other organizations that have been processing and using facial recognition and it’s really important to pick up on accuracy and what safeguards you ve got in place in case systems aren’t accurate. Facial recognition is becoming more sophisticated and but it was a few years ago so you know I suppose there is a decline in issues around accuracy but that but that’s something that really seriously needs to be considered when when you’re considering and using facial recognition also think about the whole workflow in our facial recognition is just one part of the whole data flow that so mean one one key question here is and what the facial recognition system is matching individuals again so what’s the integrity of the collection of images that you’re matching again so it’s just unpicking the whole data flow is really important also to reiterate the point about what’s the purpose for doing this are you actually going to be identifying individuals as part probably but you need to think about why you’re identifying those those individuals we are seeing facial recognition being beiing used in a variety of different ways also think about how long you need to retain that image is it momentarily , indefinitely , 30 days, five years? So you need to think about that and link that up with the purpose for processing and also worth mentioning as we’re looking at the data protection reforms is that biometric data will be considered a special category under and general data protection regulation which means that you need to have an additional justification for processing it okay well that’s all we have time so thanks to Anne, Stacey and Andy and thank you to everyone for joining us we haven’t managed to get to all the questions but please be assured they’ll be fed into the policy directorate and a recording of the webinar will be available on the website from tomorrow and feel free to use it as you wish couple of questions asking about that news about any future webinars will go into our monthly e-newsletter which you can sign up to from the website and also on Twitter @ICOnews and a final reminder again about our free helpline there the phone number 0303 123 1113 so thank you again and goodbye

Related Posts

CAREERS IN FASHION DESIGNING – Fashion Designer,B.Sc,Certificate Courses,Trend Research

CAREERS IN FASHION DESIGNING – Fashion Designer,B.Sc,Certificate Courses,Trend Research

Hello All..This is Manju from Freshersworld.com Welcome to our video channel on jobs and careers Today I will be talking

Leave a Reply

Your email address will not be published. Required fields are marked *