Use of digital photography and video recording can provide a permanent record of an event for a range of different purposes. Consumer devices rarely contain the ability to encrypt images stored on the device. As a result there is a risk of unauthorised access if the device, or a removable memory card, is lost or stolen.

When encryption is not a reasonable option, it is important to consider the measures a data controller can take to ensure that the risk is reduced to a tolerable level. For example, transferring images from the camera to a secure location and securely deleting them from the memory card as soon as is practical.

It may also be possible to consider using an alternative device such as a smart-phone or tablet which does offer an encrypted file system and encryption of their memory cards. However, care should be taken that the device does not automatically upload images to a remote cloud service or social network and that the method used to transfer the images from the device does not present a further security risk (eg transfer as an email attachment).

Example

The Royal Veterinary College signed an undertaking to comply with the seventh data protection principle following the loss of a memory card containing personal data.

The ICO investigation revealed that a personal digital camera was lost which included a memory card containing the passport images of six job applicants.

Given that the camera in question did not support encryption additional technical and organisational measures could have been put in place to militate against the loss or theft of the camera or memory card. This could include a process for the transfer of images to a secure location and deletion from the memory card as soon as practicable.

A further option would include use of a photocopier or a scanner to take copies of the documents where necessary.