Protecting Identity in the Age of Privacy

With great advances in video and access control technology – including mobile capabilities, cloud efficiencies, analytics and biometrics – security providers are aiming to create the most secure and seamless credentials, all in a time when privacy concerns are influencing public opinion and impacting security. The increase in use of these technologies brings with it growing volumes of data.

In this data-driven world, privacy issues are raised in the context of government collection or distribution of personal information, as well as corporate use of Personally Identifiable Information (PII). PII is any data that could potentially be used to identify a particular person. Examples include a full name, Social Security or driver’s license number, bank account information, passport details and email address. Photo or video data also come into play, as well as biometric data.

Legalities of Privacy

Milestone Systems is a global video management software company based out of Copenhagen, Denmark, that’s been working with the General Data Protection Regulations (GDPR) that went into force in Europe in May 2018. They define the individual’s critical privacy matters to be protected as ‘sensitive personal data’ such as your racial/ethnic origin, genetic and biometric info, health and financial data, religious, political, and sexual preferences.

GDPR has a focus on these key principles:

  • Lawfulness
  • Fairness and Transparency
  • ‘Legitimate Purpose’ limitations on the gathering, use, sharing and storage of sensitive personal data, and its minimization

Milestone has investigated every facet of our business from products to business practices, to ensure compliance and provide guidance to our employees, partners and customers.

How to Work Within Privacy Parameters

The best way for security dealers, integrators and consultants to learn each state’s biometric laws is to keep informed. To stay abreast of the changing state privacy landscape, the IAPP Westin Research Center compiled a list of proposed privacy bills from across the U.S. Check for the updated versions, including a new state law tracker map on the IAPP Resource Center.

It is advised to take a multi-path approach to be informed from the many points of view:

  • Join local chapters of SIA and ASIS to network with other professionals specific to your region.
  • Partner with the manufacturers and developers of the technologies you are interested in, to learn how their solutions fit state and local legislation.
  • Get involved with local law enforcement groups; attend relevant presentations on new local and state ordinances.
  • Follow organizations like the IAPP, the world’s largest and most comprehensive global information privacy community.

In the U.S. three states led the way in 2019 enacting biometric privacy laws: Illinois, Texas and Washington. The California Consumer Privacy Act (“CCPA”) took effect in January 2020. Then multiple states proposed similar legislation to protect consumers. Arizona, Florida, and Massachusetts introduced legislation addressing biometric privacy, on the heels of a decision for the Illinois Biometric Information Privacy Act.

Be Vigilant for Compliance

Ensuring compliance with GDPR and similar data privacy laws requires high organizational maturity, with careful planning and preparation of video surveillance and other security systems, including the policies and procedures regulating how the technology is used.

To help system integrators and end users design, implement and operate video surveillance systems that are compliant with such privacy regulations, Milestone provides a holistic set of tools, including privacy guides, best practices and training resources to build privacy awareness.

If you go to the Milestone website and search for GDPR, you’ll find 1,450 references. There’s a lot of useful information available!

Education on Privacy and Cybersecurity

The entire market needs to be educated on what’s being done with people’s sensitive information. Milestone carries out GDPR webinars that are mandatory for staff – also with cybersecurity training (both internally and externally for our partners) which is related when trying to preserve data privacy, access or sharing.

Regarding cybersecurity hackers and our partners’ work with IT systems, current knowledge and best practices help to keep people’s sensitive information safe.

  • Double authentication is becoming standard for managing access to company systems and websites.
  • Data encryption is also key to the lockdown of information and its history of creation, access, user logs, etc.
  • Regular software updates with the newest version releases are also best practice to ensure against cyber trouble.

Milestone has a comprehensive system Hardening Guide online that details the top five most effective cybersecurity strategies to focus on when combating cyberattacks.

Balancing Security and Convenience

Is it possible to have the best of both worlds: security and convenience?

There is a line to be straddled, for sure. People like to have their privacy but need safety and security. After 9/11, citizens were clamoring for more security technology to be put in place to safeguard their well-being. However, the privacy fears of security tools stem from misconceptions due to lack of knowledge as to how the technology works, its regulations and policies.

In our personal lives we can decide whether we consent to our data being saved and shared, but in business use, tech companies have the responsibility to educate and to create guard rails to keep us on the right road.

As systems grow smarter, more “aware”, Machine Learning and AI-type technologies can take over many of the mundane tasks that make our lives and work inefficient or unsafe.

Incorporating security, convenience and privacy in security does not have to mean that these three are mutually exclusive. You can have a secure system that leverages the best practices of IT system design, and that system can be built and operated within regulation guidelines and privacy ordinance.

With a video security system, there’s a huge range of possibilities: everything from simply configuring a camera so it cannot view sensitive areas or infringe upon the privacy of neighboring buildings, to setting PTZ motion limits or masking zones within wide views, or setting up systems to “watch the watcher” where managers have records of exactly what an operator viewed throughout their shift, to assure privacy compliance of all involved.

Privacy Safeguards

Regulations like GDPR as well as legislation help to advance our industry. These regulations define expectations and set a framework for innovation. With clear regulations in place, the public feels better knowing that there are safeguards and real penalties for abuse and non-compliance — which can be identified and acted upon.

The Security Industry Association (SIA) has an Ethics Committee with representative members of the physical security industry, who are drafting guidelines and planning education efforts. SIA is also working with government committees, participating in hearings to present the facts that can help minimize public and media fears that are based on misinformation. These will help move the needle from some fearful knee-jerk reactions to deliberate considerations that hold the safety of people and assets as the priority.

Technology developers and manufacturers want the trust of public opinion. We aim to solve problems, not create more.

This article was adapted from Milestone preparations for a panel at the SecurityNext event held in February 2020, sponsored by Security Systems News.

Read the full Milestone Paper, including valuable information on the ethical use of facial recognition: Protecting Identity in the Age of Privacy.