How long should you retain your recorded CCTV video?
July 2008, CCTV, Surveillance
The length of time that video data is retained on a CCTV system can be an important factor in a range of issues.
Follow up investigation, retrieval of evidence, auditing, and trend analysis are all based on an expectation that video will be available. However, for many users the cost of a system often determines the length of time a site will retain video information rather than operational needs. Data requires storage, and storage costs money to purchase and maintain.
Although the increasing size of storage facilities on DVRs and server systems have led to some reduction in storage costs in the last couple of years, video is storage intensive and requires both infrastructure and management. Further, old data simply needs to be deleted and replaced in order to make space for the new video continuously coming into the operation.
How, then, does one establish what is a suitable time that your video data should be retained? There are no simple answers and it will vary from operation to operation. Interestingly enough, it is not just the maximum time that something should be kept, but also a minimum time in some cases. The retention duration will be influenced by several main factors:
1. National legislation. Some counties have a clearer position established through legislation protecting privacy and what are seen as reasonable periods to retain data.
2. Industry legislation. The retail industry, for example, can be subject to being sued over issues relating to slipping on floors or faulty merchandise and the law may allow extended time of a few months for customers to initiate a case.
3. The duration in hours or days which it may take for somebody to respond or for something to be noticed. In some a transgression or imbalance may take days to notice and its cause to then be investigated. The example of a system installed to prevent fraud being carried out at an ATM is used in the UK data guidelines, where the user may need to retain images for several weeks, since a suspicious transaction may not come to light until the victim gets a bank statement.
4. Auditing and review arrangements. Some organisations routinely audit or review video footage for quality purposes or to do things such as alarm inspections. Where this practice is in place, video may need to be available for longer. This is particularly the case where other information for audit purposes may be on its own separate collection cycle and may only become available later.
5. Time cycles or production cycles that may require that a specific time period has lapsed before something emerges as an issue. If, for instance, something is detected near the end of the month and there is a concern that it may have occurred previously in the same context, you may well need more than 30 days retention in order to detect, identify, and withdraw the necessary information from the system before the next monthly cycle starts overwriting the information. Similarly, investigating patterns of behaviour or events may often require more extensive investigation going back weeks or even months.
6. The process or procedure for retrieving information may require confirmation and/or engagement with parties before release. Where release of data may infringe on peoples' rights, obtaining clearance to release the data may take some time. In these cases, obtaining clearance may take more time than is available before the video is overwritten with new information.
National legislation on privacy concerns largely affect operations who are engaged in public surveillance. Most town centres in the UK have a 30 or 31 day maximum retention period to avoid being seen as violating privacy concerns and to give a useful period to go back to if necessary. This period is typically reflected in the Codes of Practice.
Federal and provincial guidelines in Canada recommend a 'limited time' which has reportedly been interpreted by privacy commissioners as anywhere between 24 hours and 30 days in duration. Other organisations internationally may commit themselves to a 45-day retention period. Whether 72 hours, two weeks or 30 days will provide the correct maximum time for protection of privacy for a public surveillance enterprise is largely a subjective perspective.
In enforcing the national legislation relating to privacy and data, the UK Commissioner for Data Protection does not prescribe any specific minimum or maximum retention periods which apply to all systems or footage. Rather, 'retention should reflect the organisation's own purposes for recording images'. The documentation goes on to state, 'You should not keep images for longer than strictly necessary to meet your own purposes for recording them'. This does mean that an organisation needs to be clear about why such recordings are being retained.
Where an event or incident has occurred, however, there are very different requirements. In these cases, retaining video footage for a year or more is fairly common across countries. This can be the case for incidents as diverse as car crashes, where police have been dispatched for some reason, or a criminal incident is viewed. In any case where there is potential for a criminal or civil case, retention of that video is required.
Retention for training purposes is also provided for in some countries, or by police agencies themselves. If video data is retained for legal purposes, it needs to be secured as evidence so later access does not cause legal complications as to it validity.
There are certainly rough data retention guidelines for organisations doing public surveillance. Where your data is collected within premises owned by the organisation, the issue of privacy is less of a factor and the company needs would be the primary factor. The critical factors for such companies are highlighted in the points above. From these, one can judge the operational requirements for which video data may be needed. You may even need to customise a DVR or IP based system if possible, to retain some areas for longer periods of time than others. This would allow you to maximise your storage facility along with best availability of data for follow-up purposes.
Organisations need to ensure that CCTV customers are consulted on what is important to keep, and that people know why information is retained or deleted and why the duration is relevant. This reduces the chance that somebody will come to you for information that would have already been deleted.
Where there is suspicious action, companies should be able to keep the data for follow up purposes, together with a justification for this. Finally, if something is seen that does need to be retained, you need to ensure that you have some kind of facility for secure storage over a long term, and that this will be accessible.
Dr Craig Donald
Dr Craig Donald is a human factors specialist in security and CCTV. He is a director of Leaderware, which provides instruments for the selection of CCTV operators, X-ray screeners and other security personnel in major operations around the world. He also runs CCTV Surveillance Skills and Body Language, and Advanced Surveillance Body Language courses for CCTV operators, supervisors and managers internationally, and consults on CCTV management. He can be contacted on +27 (0)11 787 7811 or firstname.lastname@example.org