GDPR and Live Streaming

As our parent company Seccom Group continues to develop and expend their Live Streaming Services we thought we would give them the benefit of our expertise to make sure that their clients had the right information with regards to GDPR.

The majority of the advice available seems to be from other streaming providers, and NOT from Privacy and Compliance Specialists, we thought we might bridge that gap.

Live Streaming in any Location

This blog focusses on Live Streaming from churches and other houses of worship, however, the principles apply to any venue live streaming where members of the public could be caught on camera.

Streaming and Video Conferencing Grows Exponentially During Lockdowns

The COVID 19 pandemic in the UK and worldwide has brought about a huge rise in all kinds of audio / visual services.

Zoom almost unheard of 18 months ago is now a worldwide phenomenon. Video conferencing was the preserve of large multinationals. Now everyone does it, adults, old people, children right down to juniors and infants.

Critically events that used to rely on personal attendance were no longer possible. Houses of worship were left wondering how they were going to reach their congregation. Challenging when they were not even supposed to be leaving their homes.

The solution, enable worshippers to attend their own church from the comfort and safety of their own home.

The Evolution of Live Streaming

Some houses of worship were lucky, they had been providing online services before the pandemic started. 

For the majority there was a scramble for solutions. Initially this was the priest or equivalent broadcasting over zoom or similar on a one-to-one or one-to-many scenario.

This situation poses little or no issue with personal data under the UK GDPR 

The Move Back into Church

Over time streaming services moved back into the houses of worship, a more natural setting and a more realistic environment. This was great until the public were allowed back.

Now we have many houses of worship live streaming and in most cases the streams capture the general public.

Images of People are Considered Personal Data and therefore Subject to UK GDPR

Interestingly not much is written about Live Streaming and personal data. Much of the focus has been on CCTV or surveillance systems. The ICO’s own guidance has not been updated for several years.

However, the European Data Protection Board (EDPB) adopted the Guidelines 3/2019 on processing of personal data through video devices on the 10th July 2019 and therefore this guidance remains applicable to the UK GDPR whilst the Adequacy Ruling remains in place (current as of date of publication)

Avoiding Capturing Images of People

Whilst this blog looks at the personal data implication of capturing images of worshipers, it must be noted that the simplest way to achieve compliance is to position cameras in such a way as to avoid capturing the images in the first place.

This is easier said than done. Whilst possible in some houses of worship it may be impossible in others due to architecture, layout etc. Some view of the congregation may be desirable so that the viewer feels a part of the service.

If you cannot avoid or are choosing to capture images then read on. If you are not or are unlikely to capture images then you simply must monitor the output from your cameras. Monitoring ensures that you continue to avoid processing images and therefore personal data.

Capturing Images of Worshippers

Whether by choice or default you are capturing images of the public you will need to comply with all the relevant areas of UK GDPR. You must:

  • have a lawful basis for processing the personal data
  • provide information about the processing to the data subjects
  • inform data subjects how they can exercise their rights on the UK GDPR
  • inform data subjects what the rights are

Additionally:

  • you should explain to data subjects how they can avoid having their image captured if this is possible

The GDPR is not the only regulation you need to be aware of. There are a number of pieces of legislation that come under the generic name of Safeguarding*

* Safeguarding Vulnerable Groups Act 2006 and the Protection of Freedoms Bill. Along with The Children Act 1989 (as amended). The Children and Social Work Act 2017. … Working Together to Safeguard Children 2018.

Lawful Basis

Any organisation processing personal data must do so using a lawful basis. Which lawful basis you can use depends on many factors. 

Typically houses of worship are relying on Legitimate Interest (LI) for their lawful basis. With the Legitimate Interest being “To Promote and Share the <religious denomination> faith”

This is further reinforced if you follow the logic below.

For most houses of worship the attendance at the location enables the outsider to infer a particular religious persuasion. Under the GDPR religious beliefs are classified as Special Category Data under Article 9.

The processing of special category data is prohibited unless special conditions are met. Houses of worship have therefore relied on section (D) of paragraph 2 of Article 9 which says:

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects; 

What has not been taken account of, either deliberately or mistakenly is this section of the exclusion.

and that the personal data are not disclosed outside that body without the consent of the data subjects;

Live streaming by its very nature is designed to be disclosed outside the body (i.e. it is not only the congregation of the house of worship that is able to view the images that are personal data).

You can read our previous blogs on Legitimate Interest https://www.gdprauditing.com/the-articles-no-6-lawfulness-of-processing-legitimate-interest/  and Consent https://www.gdprauditing.com/articles-no-7-conditions-for-consent/  by following the links.

Watch out for our next post where we set out some best practices to keep you honest whilst live streaming.

Contact Us

If you would like to know more about how GDPR Auditing can help your organisation with PCI DSS or GDPR then please contact us at info@gdprauditing.com or visit our contacts page.