Back in 1890, Samuel Warren and Louis Brandeis published a ground-breaking article in the Harvard Law Review called ‘The Right to Privacy’. To this day, it is considered one of the most influential essays in the history of American law and is widely regarded as the first publication in the United States of America to advocate a right to privacy, articulating that right primarily as a ‘right to be let alone’.
In this essay, the authors questioned whether the arrival of photo cameras would put citizens at risk from constant surveillance. They argued that since new technology has the ability to unsettle societal foundations, new legislation is sometimes needed to redress the balance.
Concerns regarding privacy on the rise
In our increasingly connected world, it’s not surprising that concerns around privacy, particularly in relation to personal data, are on the rise. Questions about who has access to what information and for what purposes are important.
Today, governments and other regulatory bodies have developed regulations that are aimed at restricting the collection, processing, and access to personal data, including video footage, to help maintain privacy and mitigate the risks of criminal cyber activities.
Digital information, vital component to protect people
At the same time, acquiring digital information is a vital component for protecting people and assets. Governments and private businesses frequently collect data from individuals, who are using the spaces in and around their facilities.
This can include personally identifiable information (PII), such as surveillance footage, photos, and licence plate information. This doesn’t mean we have to sacrifice privacy for the sake of physical security. Organisations can develop their security strategies with privacy protection as part of the overall plan.
What is personally identifiable information (PII)?
One tricky question security professionals wrestle with is where to draw the line with regard to personally identifiable information. For example, when is surveillance footage of public spaces considered personally identifiable information (PII)?
The answer isn’t always a straightforward one, because legislation around PII varies from place to place. In general, however, it isn’t the video itself that is problematic. It’s the image of a specific person. If the video is so low resolution that a person who knows the individual on camera could not recognise them, it would not be considered PII.
With camera resolution getting much higher, it is more important now than ever before that security professionals are fully aware of local regulations around PII.
Regulations around PII and data privacy
New regulations and restrictions around PII and data privacy are introduced regularly. It can be challenging for private citizens and small businesses to keep up with all these changes, especially when legislation is not communicated in ways that are easy to understand and accessible.
Vendors and integrators can help educate end users on these guidelines and promote awareness of best practices. It’s a good practice for everyone who captures or accesses video containing PII to be mindful of who has access to the data, as well as privacy regulations and restrictions.
No need to compromise on privacy to ensure security
Balancing security and privacy isn’t a zero-sum game. In fact, many organisations today are going beyond regulatory requirements around privacy, in order to ensure that they are not only protecting personal data, but also making sure those who access the data are accountable for their actions.
Privacy regulations establish a minimum standard for how personal data should be stored and managed, but companies can do more than the minimum. Modern video management software (VMS) allows them to ensure that only authorised people access the data and to control how they are able to access it.
VMS platforms with privacy protection capabilities
VMS platforms with privacy protection capabilities can pixelate people in videos to blur their identity, and provide audit trails to ensure there is a record of who accessed data and when. Likewise, they have enhanced cyber security and accountability.
Regulations usually focus on how end users operate the system. Is your data stored securely? Do you have a clear process to access sensitive data? Yet, protecting personal information is a shared responsibility. The end user can research vendors and their privacy protection capabilities. The software vendor can provide the right tools to enable the end user to protect the data, including encryption, authentication, security, and facial blurring.
The systems integrator can configure the systems correctly and train the end user on how to operate them in a way that respects privacy. The end user’s operators can then be trained on internal processes to ensure data is protected and can’t be accessed without proper authorisation.
Mindful data collection leads to better decisions
Video surveillance systems are more prevalent and powerful now than ever before. The price of cameras has declined, the quality of video footage has increased, and video analytics have become much more sophisticated. Now that it’s cheaper and easier to capture and interpret video footage, more organisations and individuals are adding or upgrading cameras.
Yet, more data doesn’t always result in better decisions. Access to more data can lead to information overload. By using tools to filter all the input, you can make sure you’re paying attention to what matters most, while maintaining the security of the other data.
Minimising the amount of data stored
One way to do this is to minimise the amount of data that is stored, keeping only what is necessary to achieve your goals. Another way is to ensure only those who need the information, and can provide the correct authorisation, have access to sensitive data.
Another way is to implement the ‘four eyes principle’. To ensure personal data is only seen by people who really need to see it, some companies require two people to provide credentials, in order to access certain kinds of data. For example, faces on video recordings can be pixelated by default. If an operator sees an event happening, they can ask a supervisor to unlock the video. For very sensitive data, some companies require two supervisors to agree to authorise a request to access data.
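The four eyes principle described above, sketched as an added example (not code from any VMS product): footage is served pixelated until enough distinct supervisors approve, and every attempt is written to an audit trail. The class, the role names and the two sensitivity tiers are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed policy: one supervisor for standard footage, two for very sensitive.
REQUIRED_APPROVALS = {"standard": 1, "very_sensitive": 2}

@dataclass
class UnlockRequest:
    clip_id: str
    requester: str
    reason: str
    sensitivity: str = "standard"
    approvers: set = field(default_factory=set)

class FourEyesGate:
    def __init__(self, supervisors):
        self.supervisors = set(supervisors)
        self.audit_log = []  # append-only record of who did what, and when

    def _audit(self, actor, action, req, outcome):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action,
            "clip": req.clip_id, "reason": req.reason, "outcome": outcome,
        })

    def approve(self, req, supervisor):
        # A second pair of eyes: the requester can never approve their own
        # request, even if they hold the supervisor role themselves.
        if supervisor not in self.supervisors or supervisor == req.requester:
            self._audit(supervisor, "approve", req, "rejected")
            return False
        req.approvers.add(supervisor)  # a set, so repeat approvals count once
        self._audit(supervisor, "approve", req, "recorded")
        return True

    def view(self, req):
        # Pixelated is the default; the original needs enough distinct approvers.
        needed = REQUIRED_APPROVALS[req.sensitivity]
        mode = "original" if len(req.approvers) >= needed else "pixelated"
        self._audit(req.requester, "view", req, mode)
        return mode
```

Denied approvals and pixelated views are logged as well as successful unlocks, so the audit trail also shows attempts that did not succeed.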
Automation can be used as well. For example, if a sensitive area is under surveillance, pixelation may be used to protect privacy. Yet, if someone breaches the perimeter, you may want to show the original video stream to quickly react. It’s important in this case to clarify who is able to see the original video stream and under what circumstances others may gain access.
Trust is essential
Privacy is connected to trust. All stakeholders must be able to trust that data is stored securely and that the technology and systems that you are using are working as advertised. Critically evaluate what kind of data your system is collecting, the quality of that data, and the effectiveness of the checks and balances in place.
While the concept of privacy can be understood in different ways, from a security perspective, it is essentially about being able to keep personal matters to yourself. For individuals, data privacy means having the right to control how personal information is being collected and used, as well as avoiding unauthorised access to information.
Transparency is fundamental
Transparency is fundamental. Data and privacy protection is all about context. For example, people may agree to share their location, while using certain applications on their phone, but do not want those apps to continue tracking and sharing their location, all the time.
In the same way, access to personally identifiable information captured by surveillance cameras must be warranted. In certain situations, it is necessary to authorise access to sensitive data and this does not violate privacy ethics, as long as the people affected are informed about what data is accessed, when, and why.
Ethical privacy standards without compromising security
There are several ways organisations can develop ethical privacy standards without compromising security:
- Be selective about the data you collect. As an organisation, critically evaluate what information is necessary to accomplish your purpose. For example, when collecting data on visitors, do you need their full home address or is it enough just to verify their ID?
- Develop an internal privacy policy. Appoint a data protection officer, or another responsible person, to create and maintain policies on what data is collected, how it is stored, who can access this data, and under what circumstances.
- Look for security software vendors that are certified for privacy protection. Certification involves a thorough check of the source code, in order to ensure data cannot be accessed without authorisation. This is not just about the product itself, but also the infrastructure around it, including any related websites that store user data.
Privacy protection by design
Organisations can work with vendors who develop tools that include privacy protection by design. They can select and deploy solutions that are hardened against cyber threats by the manufacturer, out of the box, so as to alleviate worries around system vulnerabilities.
These solutions can also give them complete control over their data, so that they can adjust protection methods and processes to meet evolving regulations. They also help them configure the system to define who has access to sensitive data and footage, without slowing down response times or investigations. When these measures are in place, it is a team effort to ensure security with strong PII protection.