GDPR places greater responsibility on us to make sure that we keep all personal data secure, and ensure we are processing data in a controlled and fair manner. Specifically, we need to be aware of what personal data we hold, why we hold it, and be able to supply and/or delete it (if appropriate) on the request of the data subject. So, we need to understand:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
We make films on behalf of our clients and ourselves. These films are bespoke commissions from legal entities and cover a wide range of topics linked to the business activities of companies and organisations globally. Our filming activity means that we regularly capture images and interview content of members of the public and employees of client organisations.
When we are filming on behalf of ourselves, we are the data controller and need to set out how and why we are collecting and storing the data. When we are carrying out filming activity on behalf of a client, or handling data/rushes/b-roll supplied by them, we are the data processor and will need to comply with their data processing agreements/policy.
The detail below sets out our process to comply with the GDPR regulations. Alongside this, we have set out a data security checklist which must be completed at the outset of all projects to identify and manage our obligations.
Images of people
The majority of our footage that contains images of people counts as personal data.
Sensitive personal data is defined as data relating to racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; health, sex life or sexual orientation; genetic data; and biometric data (where it uniquely identifies a person). Under current data protection case law, even though it might be possible to identify or infer some of the above, the majority of our filmed data/shoot rushes are not considered to contain “sensitive personal data”. As a result, we can process the majority of our data as we have a legitimate business interest in doing so (see below) and do not need to get consent from our data subjects.
Occasionally, our filmed content could contain sensitive personal data, for example, interview material captured that asks specifically about issues covered by sensitive personal data. In this instance, we would need to capture specific, informed consent from our interview subjects over and above our legitimate business interest for capturing the data.
In all instances where personal data is being held, for example, freelancer contact details, call sheets, contact sheets, or any other document containing personal data (e.g. script amendments and the like), the information will be stored in a password-protected document.
Legitimate Business Interest
Our filming activity is lawful and based on the communications needs of our business or those of our clients. We believe that we have a legitimate business interest for our filming activity, and when the content captured does not contain reference to sensitive personal data (detailed below), we will capture content on that basis. We have conducted a legitimate interest assessment that outlines the basis on which we process the data.
The GDPR places special weight on the processing of children’s data, and we recognise the importance of protecting children’s data. Where we are using legitimate interest, our policies will be clear and easy to understand.
Models and Actors
We will ensure that professional contracts are agreed for the use of an actor or model’s image. In this instance, we will need to process the data as part of delivering a contract, meaning that consent cannot be withdrawn.
Our filming notices must provide the details of the data we are capturing, why we are processing it, and how it will be used. They must also outline how to object to us processing the data.
Where we believe we need consent to process the data (or where our clients request it), we will ensure that we provide data subjects with the information required to give informed consent. We will also ensure we keep a thorough shoot and edit log to ensure we can comply with the consent being withdrawn.
Data security provisions
We keep our film data secure by default. Whenever film data is transported outside of our office, it is stored on password-protected drives. Once in the office, drives are logged and stored in a locked cupboard. Once projects are archived, they are stored on LTA in a secure location.
Data storage and deletion
We archive shoot rushes for a minimum of 2 years (by default) to allow for changes to films based on client requests. After 2 years we review the project; if there have been ongoing client requests for assets, or there are likely to be, we will continue to store the shoot rushes (with bi-annual review). If not, we contact the client and offer to return the shoot rushes to them; if they are not required then we will delete them.
We store completed program masters indefinitely as our business archive/body of work as outlined in our general terms and conditions.
We use streaming servers for work in progress and final program masters that – although they are not necessarily hosted within the EU – will be fully compliant with the requirements of the regulations.
Third-party supplier agreements
We must ensure that all third-party suppliers who process data on our behalf – such as Camera Operators/DIT, Editors & post-production facilities, Directors, Animators and freelance suppliers – understand the basis on which we are processing the data, and we must have data processing agreements in place with them.
It is important that all of our third-party suppliers who process data on our behalf know and understand the importance of data security, and in particular the rights afforded to the data subjects under the GDPR regulations, namely subject access requests and the right to be forgotten.
All third parties who process data on our behalf will be supplied with the data on passcode-protected drives (if outside of our office location). When their contracted services to us are complete, they are required to return all data to us on passcode-protected drives and to delete any back-up data stored on their systems (unless otherwise agreed in writing).
Subject access requests
By default, we need to log our filming activities and store our rushes in a way that makes it easy to identify the data we hold on named subjects. We will do this by logging our shoot rushes with the filming date, location, time and names of contributors (where we have them). We need to be able to supply data subjects with a copy of all the data we hold on them within 30 days of receiving the request.
When rushes are archived they will be stored with this information, which will also be added to an easily searchable database. We will, therefore, be able to identify data subjects based on name (if that was supplied at the time of filming) or date and time if people may have been caught in the background of the shot.
If a subject access request is made by someone whose name was not taken as featuring in our filmed material and/or who is unable to supply this information to us, we will request further information (under recital 63) to enable us to fulfill the request.
The right to be forgotten/the right to object
GDPR gives an individual the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing. In order to exercise this right, the individual must set out their objection on grounds relating to his or her personal situation.
On receipt of such a request, we will either refer the request to the data controller or assess the right to object to the data processing and our legitimate interest against the rights and freedoms of the data subject. We will take account of why we are processing the data and for how long, and whether it is necessary to continue processing the data, weighed against the likely impact on the data subject of the continued processing of the data. We will set out our decision in writing.