Biometrics and video surveillance
Biometrics, law and cameras
A pressing issue of facility security is the need to obtain consent to the processing of personal data when organizing video surveillance. In this article, we will examine the main legal rules that govern the collection and processing of personal data when organizing video surveillance, including the need to obtain consent from data subjects.
We will look at exactly what rules and requirements are established by legislation in the field of personal data protection, how to properly organize the video surveillance process from a legal point of view, as well as possible consequences for violating these norms.
Particular attention will be paid to biometric data, their status and processing features, as well as practical recommendations for organizations performing video surveillance.
What is covered by biometrics and what is it stored with?
On the issue of classifying photo and video images of a citizen as biometric personal data, let us turn to the explanations of the RKN, based on the interpretation of Article 11 of Federal Law No. 152 “On Personal Data”.
Federal Law No. 152 Article 11. Biometric personal data 1. Information that characterizes the physiological and biological characteristics of a person, on the basis of which his identity can be established (biometric personal data) and which is used by the operator to establish the identity of the subject of personal data, can only be processed with the written consent of the subject of personal data, with the exception of cases provided for in part 2 of this article. |
This article of the federal law defines three characteristics of biometrics:
Physical and physiological characteristics of persons
Possibility of identifying them
The operator’s use of personal data to establish identity
Let's move on. Article 152.1 of the Civil Code of the Russian Federation states that a facial image (biometrics) can be used without a person’s consent in state, public or public interests. And also if this image was taken while shooting in public places.
Civil Code of the Russian Federation Article 152.1. Protection of a citizen's image 1. Disclosure and further use of a citizen’s image (including his photograph, as well as video recordings or works of fine art in which he is depicted) are permitted only with the consent of this citizen… Such consent is not required in cases where: 1) the use of the image is carried out in state, public or other public interests; 2) the image of a citizen was obtained during filming, which is carried out in places open to the public or at public events (meetings, conventions, conferences, concerts, performances, sporting competitions and similar events), except for cases where such an image is the main object use; 3) the citizen posed for a fee. |
Let's translate it into simple language. Let's say you are a person with a camera in your hands. You are standing in the central square of the city, access to which is not limited in any way. You cannot be prohibited from filming. You will not be asked to consent to the processing of biometrics of passersby. The situation is exactly the same with the CCTV cameras in the square.
Let's imagine a different situation. Now we are in an office building, and access to it is limited by access control. Obviously, you won’t be allowed to stand with a camera in someone else’s office all the time. Hence, rules appear. Let's return to Article 152.1 of the Civil Code of the Russian Federation, which provides for consent to the processing of a citizen's image.
Here is the key point for us: this article does not require obtaining written consent. Consequently, a sign “Video surveillance is in progress” in the premises will be sufficient to justify consent in the form of so-called implied actions (Part 2 of Article 158 of the Civil Code of the Russian Federation).
Civil Code of the Russian Federation Article 158. Form of transactions 2. A transaction that can be concluded orally is considered completed even if the person’s behavior makes clear his will to complete the transaction. |
Implicit acts are actions of a person that indicate his intention to perform a certain legally significant action or agree to certain conditions, even if these intentions are not expressly expressed in words or writing.
Do I have the right to conduct video surveillance?
Now about the foundations of a video surveillance company. Article 22 of the Labor Code of the Russian Federation defines one of the employer’s responsibilities as ensuring safety and working conditions. And this is exactly what suits us to justify the need to work with video data.
Thus, in order to comply with the rules for conducting video surveillance in a commercial premises, we need to take into account the legality of the purposes of conducting video surveillance, notifying employees (against signature, taking into account the requirements of Part 4 of Article 9 of Federal Law No. 152) and visitors about its conduct (in the form of the same implied actions – then there is a warning sign).
4. In cases provided for by federal law, the processing of personal data is carried out only with the written consent of the subject of personal data. Consent in the form of an electronic document signed in accordance with federal law with an electronic signature is recognized as equivalent to consent containing the personal data subject’s handwritten signature in writing on paper. |
Now about the main thing. All of the above does not provide for the purpose of identifying visitors. This task can be assigned to security officers. But if you are going to use one or another system to identify individuals by their image, this is where the question of processing biometric personal data arises.
This is an important point because a person's image is considered biometric personal data if it is used to identify a specific person. And according to Article 86 of the Labor Code of the Russian Federation, this presupposes compliance with general requirements, as well as the legitimacy of the purposes of their processing. For example, legal purposes for processing biometric data include ensuring the personal safety of employees, monitoring the quality of work performed, and ensuring the safety of property.
In order to ensure the rights and freedoms of man and citizen, the employer and his representatives, when processing the employee’s personal data, are obliged to comply with the following general requirements: 1) the processing of an employee’s personal data can be carried out solely for the purpose of ensuring compliance with laws and other regulations, assisting employees in employment, education and career advancement, ensuring the personal safety of employees, monitoring the quantity and quality of work performed and ensuring the safety of property; |
And since we are already processing personal data, the requirements of Article 9 of Federal Law No. 152 on obtaining the consent of a person to process his personal data, as well as Article 19 of Federal Law No. 152 on measures to ensure their security, also apply to us. For an organization, these requirements mean that it is necessary to strictly comply with the rules for processing personal data, including images of employees, that is, obtain consent for such processing, clearly define and justify its purposes, and ensure data security.
1. When processing personal data, the operator is obliged to take the necessary legal, organizational and technical measures or ensure their adoption to protect personal data from unauthorized or accidental access to it, destruction, modification, blocking, copying, provision, distribution of personal data, as well as from other unlawful actions in relation to personal data. |
Finally, from December 29, 2022, the field of biometrics processing began to be regulated by another law. This Federal Law No. 572 “On the implementation of identification and (or) authentication of individuals using biometric personal data.” According to it, all automated processing of biometrics should be carried out centrally through the UBS (Unified Biometric System). Moreover, the processing of biometrics is almost completely prohibited – all operations with biometric data must be carried out through the EBS.
In practice, this means that organizations cannot collect or process biometric information themselves, which may require a review of business processes. It will also be important to audit current processes and ensure they comply with new requirements.
An exception is the activities of certified companies that transfer biometric data to the EBS. But on their side, they – like any other organizations – cannot process them. What happens next? In the EBS, biometric data is digitized, as a result of which a vector is formed – a coded description of the biometric identifier. And all subsequent identification of a person will consist of a request from the most certified organization for data from the EBS.
That is, in essence, the EBS completely takes over the functionality of automatic identification of persons, since it is the only legal repository of biometrics. It is important to note here that Federal Law No. 572 does not apply to the processing of biometric data within the framework of operational search activities, intelligence and counterintelligence, defense, security and sanitary and epidemiological well-being, migration, registration and other types of accounting. Which in turn also needs to be taken into account when organizing business processes.
What do we have in the bottom line?
1. There are no restrictions on video recording in public places.
2. When conducting video recording in office premises, you must openly place cameras and also post a notice about video surveillance. Video surveillance in locker rooms, showers, fitting rooms, hotel rooms and medical offices is, of course, unacceptable.
3. Company employees must be notified by a local act on video surveillance for the purposes of their safety, compliance with working conditions and safety of property.
4. Identification of persons in video surveillance systems in automatic mode is allowed only through EBS. Organizations are prohibited from registering biometric personal data in their own systems.
