Sunday, September 15, 2024

Authentication Vs. Authorization

Authentication and authorization are two fundamental components of information security that are used to safeguard systems (like Access Control) and data (Access Management Software). Authentication is the method by which a user’s or service’s identity is confirmed. Authorization, in turn, determines what actions or resources a user or service is permitted to access after they have been authenticated.

Authentication involves verifying a user’s identity through a username and password, biometric authentication, or other security measures. It ensures that only permitted individuals or systems can enter a system. Authorization, by contrast, assigns access permissions to particular resources or actions based on the authenticated identity of a user or service.

The two processes work together to ensure the security of a system. If authentication is compromised, an attacker can get unauthorized system access. If authorization is not correctly configured, even authorized users may be granted excessive access privileges that can lead to data breaches. Thus, it is necessary to comprehend the difference between authentication and authorization and to verify that both are effectively configured to ensure system security.

 

What is Authentication (AuthN)?

Authentication, commonly shortened to “AuthN,” refers to verifying a user’s or entity’s identity when they seek entry into a network or system. In other words, it is the process of confirming that the user is who they claim to be. Authentication may rely on something a user knows, like a password or PIN; something they have, like a security token; or something they are, like a biometric trait (e.g., fingerprint or facial recognition).

 

Purpose of Authentication

The primary purpose of authentication is to establish the identity of the individual or entity attempting to access a system or resource. Authentication ensures that only authorized individuals or entities are granted access to sensitive data, systems, or resources while unauthorized access is prevented. Authentication is crucial in maintaining the confidentiality, integrity, and availability of data and systems. It prevents malicious actors from accessing sensitive information, performing unauthorized actions, or compromising the system’s security.

Authentication helps to establish accountability by ensuring that users are responsible for their actions and cannot hide behind the identities of others. Additionally, it aids in maintaining adherence to regulations and standards mandating secure access to systems and data.


Types of Authentication

Several types of authentication methods are used in information security, including:

·        Password-based Authentication: This is the most common authentication method, where users must enter a username and password to access a system or resource.

·        Multi-factor Authentication (MFA): This method combines two or more authentication factors to verify the user’s identity, for example, a password and a security token, a fingerprint and a PIN, or a smart card and a biometric scan.

·        Biometric Authentication: This method authenticates the user’s identity by leveraging distinctive physical characteristics like fingerprints, facial recognition, or iris scans.

·        Certificate-based Authentication: This method uses digital certificates to verify the user’s identity. The user’s private key is stored on a smart card or other devices, and public key infrastructure (PKI) is used to verify the certificate’s authenticity.

·        Single Sign-on (SSO): This approach permits users to authenticate once and gain access to various systems or resources without the need to re-enter their credentials.

·        Token-based Authentication: This method uses a security token or a one-time password (OTP) to authenticate the user.

 

What is Authorization (AuthZ)?

Authorization, frequently abbreviated as “AuthZ,” involves permitting or denying access to resources or actions depending on the authenticated identity of a user. In other words, authorization determines what actions or resources a user or system can access or perform after completing authentication.

Authorization typically involves assigning permissions or access levels to users or systems based on their roles, responsibilities, or request context. For example, a user with administrative privileges may be granted access to perform tasks that an ordinary user cannot perform.

 

Types of Authorization

Several common types of authorization methods are used in information security, including:

·        Role-Based Access Control (RBAC): This is one of the most commonly used authorization methods, which assigns users or systems access rights based on their roles, responsibilities, or job functions. For example, a manager might possess permission to view sensitive financial reports that regular employees are restricted from accessing.

·        Attribute-Based Access Control (ABAC): This authorization method assigns access rights based on a user’s attributes, such as their location, time of day, device used, or other contextual information. ABAC is a flexible method that allows fine-grained control over access based on specific criteria.

·        Discretionary Access Control (DAC): This authorization method empowers the resource owner to manage its access control. The owner can assign permissions to specific users or groups, and those users or groups can further delegate permissions to others.

·        Mandatory Access Control (MAC): This authorization method assigns access rights based on a security policy enforced by the system rather than the resource owner. MAC is commonly used in high-security environments such as government or military systems.

·        Rule-Based Access Control (RuBAC, to avoid confusion with role-based RBAC): This authorization method employs a predetermined set of rules to determine access privileges. The rules may be based on specific conditions, such as the user’s department, job title, or other criteria.
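The split between the two steps can be seen in a small request handler. This is an added example, not code from the original post: the accounts, permission names and the business-hours/network rule are constructed, and it pairs password-based authentication with an RBAC check followed by an ABAC condition.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 600_000  # assumption: work factor chosen for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so stored credentials resist offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes


def make_user(name: str, password: str, role: str) -> User:
    salt = os.urandom(16)
    return User(name, role, salt, hash_password(password, salt))


# Constructed sample accounts and policy (hypothetical, not from the post).
USERS = {u.name: u for u in (
    make_user("alice", "correct horse battery staple", "manager"),
    make_user("bob", "blue-kettle-42", "employee"),
)}
ROLE_PERMISSIONS = {
    "manager": {"financial_report:read", "timesheet:read"},
    "employee": {"timesheet:read"},
}
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = os.urandom(32)


def authenticate(username: str, password: str) -> Optional[User]:
    """AuthN: confirm identity. Returns the user, or None on any failure."""
    user = USERS.get(username)
    # Hash even for unknown usernames so response time does not reveal
    # which accounts exist.
    candidate = hash_password(password, user.salt if user else _DUMMY_SALT)
    expected = user.pw_hash if user else _DUMMY_HASH
    matches = hmac.compare_digest(candidate, expected)
    return user if user is not None and matches else None


def authorize(user: User, permission: str, context: dict) -> bool:
    """AuthZ: decide what an already-authenticated identity may do."""
    # RBAC: the role must carry the permission at all.
    if permission not in ROLE_PERMISSIONS.get(user.role, set()):
        return False
    # ABAC: sensitive reports also depend on attributes of the request.
    if permission == "financial_report:read":
        on_corp_net = context.get("network") == "corporate"
        in_hours = 8 <= context.get("hour", -1) < 18
        return on_corp_net and in_hours
    return True


def handle_request(username: str, password: str,
                   permission: str, context: dict) -> int:
    """HTTP-style result: 401 = not authenticated, 403 = not authorized."""
    user = authenticate(username, password)
    if user is None:
        return 401
    if not authorize(user, permission, context):
        return 403
    return 200


if __name__ == "__main__":
    office = {"network": "corporate", "hour": 10}
    for name, pw, perm in [
        ("alice", "correct horse battery staple", "financial_report:read"),
        ("alice", "wrong password", "financial_report:read"),
        ("bob", "blue-kettle-42", "financial_report:read"),
    ]:
        print(name, perm, handle_request(name, pw, perm, office))
```

A failed login and a denied permission produce different results on purpose: the first says the identity was never established, the second says a known identity asked for something its role or context does not allow.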

 

Difference Between Authentication and Authorization

Here are the key differences between authentication and authorization:

| Parameters | Authentication | Authorization |
|---|---|---|
| Definition | Authentication is a method of validating a user’s or system’s identity. | The process of providing or refusing access to resources or actions based on that identity is known as authorization. |
| Purpose | Authentication ensures that exclusively authorized users or systems can access a specific resource or execute a particular action. | Authorization specifies the access rights or permissions granted to users or systems for accessing resources or performing actions following authentication. |
| Objective | The objective of authentication is to confirm a user’s or system’s identity. | Authorization ensures that only authorized users or systems can access sensitive data or perform actions based on their privilege or access rights. |
| Aim | Authentication focuses on the user or system’s identity. | Authorization focuses on the user or system’s access rights. |
| Process | Authentication typically involves providing credentials such as a username and password or a security token. | Authorization involves assigning permissions or access levels to users or systems based on their roles, responsibilities, or request context. |
| Risk | The risk of authentication is that an unauthorized user may gain access to a system. | The risk of authorization is that an authorized user may misuse their access privileges. |

 

Final Thoughts

Authentication occurs before authorization, as the user or system must first be verified as legitimate before being granted access to resources or actions.

In short, authentication and authorization are two distinct but interrelated processes in information security that serve different purposes and objectives. If you want to learn more about authentication and authorization, write to us at ssaintegrate@gmail.com.


Sunday, September 1, 2024

Touchless Visitor Management System

A Guide for Touchless Visitor Management System 

A touchless visitor management system makes managing visitors secure, convenient, productive and efficient. As businesses evolve in the face of global health concerns, adopting a touchless visitor management system becomes crucial.

This innovative solution enhances security and streamlines the entire visitor registration process, ensuring a safer and more efficient visitor experience without any physical contact. Read on to learn more.

What’s A Touchless Visitor Management System?

A touchless visitor management system is an advanced setup that manages visitor entry and registration without requiring physical interaction. This type of system typically utilizes contactless technologies such as QR codes, facial recognition, and touchless sign-in processes.

Touchless visitor management systems work by eliminating the need to touch shared objects like pens and touchscreen kiosks in the reception area. These systems significantly reduce the risk of transmitting pathogens, thereby enhancing the overall safety and efficiency of visitor management.

How Does It Work?

The touchless visitor management system streamlines the check-in process using a series of high-tech, contactless steps. When a visitor arrives, they can often use their own smartphones to scan a QR code displayed at the front entrance.

The QR code directs them to a secure portal where the guest completes a form with the necessary information, signs legal documents, and even captures their photo, all from their personal device.

The system then processes this data in real time, potentially using facial recognition to verify the visitor’s identity and automatically grant access. Throughout this process, real-time notifications can be sent to the relevant staff members, ensuring a smooth and efficient visitor transition without direct human interaction.

Requirements of Touchless Visitor Management Systems

Management Console

A core component of touchless visitor management systems is the management console. This powerful dashboard allows security personnel and front desk staff to monitor and manage visitors efficiently.

It integrates all aspects of visitor management, from registration to visitor or guest access control, in one central location. The console displays real-time data, facilitates the whole process, and offers more control over who enters the building, ensuring that only authorized personnel gain access.

Guest Credentials

Touchless visitor management systems automatically generate guest credentials to facilitate a smooth and secure visit. These include digital visitor badges that can be accessed via a QR code or a link sent to the guest’s mobile device.

Touchless technology streamlines the check-in process and enhances security by incorporating features such as photo capture and visitor information verification without the need for physical contact.

How Much Does It Cost?

The cost of a touchless visitor management system can vary widely depending on several factors, including the scale of your operations, the specific features required, and the level of customization.

Prices range from a few hundred to several thousand dollars for initial setup, with additional monthly or annual software subscription costs. Investing in such innovative solutions typically pays off by significantly reducing time-consuming tasks, improving security measures, and enhancing the visitor experience.

Evaluating the features and support offered by different systems is crucial to ensure they meet your specific needs and provide the best value for your investment.

Benefits of Touchless Visitor Management System

·        Enhanced Safety: Reduces physical contact, minimizing health risks.

·        Security: Controlled and secure access for visitors on the basis of pre-verified identity: the phone number is OTP-verified in real time, a photograph is taken, an identity document is scanned and stored, and the host employee has the option to accept or decline the visit.

·        Real time tracking: Real-time visibility on a visitor’s entry & exit

·        Increased Efficiency: Speeds up check-in, cutting down long lines and wait times.

·        Improved Security: Provides better control over access with features like facial recognition and visitor photos.

·        Better User Experience: Offers a warm welcome without needing a person-to-person greeting at the front desk.

·        Scalability: Easily handles a high volume of guests, ideal for large organizations.

Key Features of Top Touchless Visitor Management Systems

Top touchless visitor management systems often include:

  • Touchless Access: Allows visitors to gain entry through automatic doors using contactless technology like QR codes.
  • Visitor Management Software: Streamlines visitor data management and improves security protocols.
  • Photo Capture: Enhances security by capturing a photo of the visitor at the point of entry to verify identity.
  • Real-Time Updates: Ensures that employees are promptly informed when visitors arrive.
  • Integration Capabilities: Seamlessly integrates with existing security systems and HR software.

Comparing the Best Touchless Visitor Management Systems

When comparing the top touchless visitor management systems, consider these aspects:

  • Features: Look for systems that offer comprehensive security measures, including touchless visitor management software, visitor photos, and the ability to manage visitors effectively.
  • Usability: Systems should be user-friendly, making them easy for both visitors and employees to navigate. The key is to make signing in and completing the check-in process simple without assistance.
  • Integration: The best systems integrate smoothly with other security technologies like access control systems and employee databases, enhancing overall security infrastructure without disrupting existing operations.
  • Support and Scalability: Top systems provide robust customer support and scale easily to accommodate growing visitor numbers and evolving security needs.

Evaluating these factors will help you identify the touchless visitor management system that best fits your organization’s specific needs, ensuring the efficient and secure management of site visitors.

Final Thoughts

Embracing a touchless visitor management system is stepping into the future of security and operational efficiency. These systems not only streamline the process of managing visitors but also enhance the safety of everyone in the building. 

If you want to modernize your visitor management and prioritize safety, consider exploring your options further.

Ready to take the next step towards secure and efficient visitor management?


Thursday, August 15, 2024

3 Cybersecurity Steps to Reduce Threats to your Electrical System

When anyone mentions cybersecurity, you may automatically think they are referring to IT systems. That is because protecting IT networks – and their associated personal, financial, and other proprietary data – has been the responsibility of IT professionals for an exceptionally long time. But what about your operational technology (OT) infrastructures? Are they also at risk from cyberattacks? How can you protect them? In this post, we’ll discuss these questions, and three specific recommendations for protecting your electrical systems.

The electricity subsector cybersecurity Risk Management Process (RMP) guideline was developed by the Department of Energy (DOE), in collaboration with the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC).

OT Cyberattacks: An Increasing Threat

The Ponemon Institute emphatically states that, “Cyberattacks are relentless and continuous against OT environments.” In a survey of over 700 organizations from six countries they found that 50 percent had experienced a cyberattack against their OT infrastructure within the last two years that resulted in downtime. For large and critical operations, this can be devastating.

All you need to do is follow the news to see frequent examples of such attacks. For example, in early 2021, the fast action of a technician narrowly avoided the risk of thousands of people being poisoned due to a hacker gaining access to a Florida city’s water treatment plant. Going back a few years, a breach that came through the HVAC system caused international retailer Target to have 40 million credit and debit card accounts compromised, costing them $290 million.

 

The latter example is just one of many that show why building systems are now widely recognized as OT attack targets. The evolution toward smarter buildings is causing an explosion in the numbers of connected devices – already an estimated 200+ million in commercial buildings alone. With more devices comes more data that needs to be protected, but for facility and business management teams to extract the maximum value, data must be aggregated and shared across OT and IT systems.

This OT/IT interconnection means that a cyberattack on an OT system can:

·        Compromise operational safety or the health of building occupants

·        Impact productivity by taking down production lines or other equipment and processes

·        Ultimately cause an IT threat by passing malware or a virus from the OT to IT infrastructure

The Attack Surface is Now Larger

Essentially, connected OT infrastructures have increased the ‘attack surface’ for hackers and, in many cases, have acted as an organization’s Achilles heel. Clearly, it is not enough anymore to focus attention only on protecting IT and data systems integrity. All organizations must ensure strong OT cybersecurity is in place.

But what OT systems are we talking about? Depending on your type of operation, these can include industrial automation systems (e.g. SCADA) and smart building systems like a building management system (BMS), building security, lighting systems, and the energy and power management system (EPMS) overseeing your facility’s electrical distribution. Navigant Research notes, “Cybersecurity issues are expected to grow in tandem with the digital transformation of real estate through intelligent building technologies.”

In this post, we will consider cybersecurity specifically for your EPMS and electrical distribution system. However, these recommendations and practices equally apply to other OT systems.

Connected Power Means Greater Vulnerability

Energy and power management systems are helping organizations boost efficiency and sustainability, optimize operating costs, maximize uptime, and get better performance and longevity from electrical assets. When combined with BMS, an EPMS can also help make the work environment healthier and more productive for occupants.

Enabling these EPMS benefits is a connected network of smart metering, analysis, control, and protection devices that share data continuously with onsite and/or cloud-based EPMS applications. The application provides extensive monitoring and analytics while providing mobile access to data and alerts to all facility stakeholders. Connection to the cloud also opens the door to expert power and asset advisory support that can augment a facility’s onsite team with 24/7 monitoring, predictive maintenance, energy management, and other services.

All these onsite, cloud, and mobile connections offer a potential target and entry point for hackers. For more, read our facility manager’s guide to building systems and cybersecurity.

 

Securing Your Electrical System: A Holistic Approach

A hacker only needs to find one ‘hole’ in one system, at one point of time, to be successful. What you need is a holistic approach to ensure that all potential vulnerabilities are secured. For new buildings, cybersecurity best practices should be a part of the design of all OT systems. For existing buildings, cybersecurity should be addressed when OT systems are starting to be digitized. For both scenarios, the following are three key considerations:

1. Seek Specialized, Expert Assistance

The priorities for IT systems are confidentiality, integrity, and availability. For OT, the top priorities are safety, resilience, and confidentiality. This means that OT security upgrades or problems need to be addressed in a different way from IT, with careful planning and procedures. For these reasons, you need to choose a cybersecurity partner who has proper OT experience, to help you comply with all relevant cybersecurity standards and best practices.

OT systems also use different communication protocols compared to IT systems, such as BACnet, Modbus, etc. If you had your IT team attempt to perform OT security system scans, those scanning tools might cause serious conflicts, risking an OT system shutdown.

Cyberthreats are also constantly evolving, so you should seek a partner who offers ongoing OT monitoring services, updates, system maintenance, and incident response. All of these should be available remotely.

2. Put the Right Controls in Place

An OT cybersecurity specialist will help audit your EPMS and electrical systems to assess the current vulnerabilities and risks, including the gaps in any procedures and protocols.

You and the specialist must determine how secure your electrical system needs to be. The IEC 62443 standard helps protect IoT-enabled OT systems by defining seven foundational requirements (e.g. access control, use control, availability, response, etc.), each of which is assigned a security level. Higher security levels offer greater protection against more sophisticated attacks. Your cybersecurity partner will help you determine the level of security you need for each requirement.

An example of one technique for securing networked systems is to break up systems into ‘zones,’ with each secured individually. OT will be separated from IT, and within OT there may be further segregation. A special ‘demilitarized’ zone is typically included, which is a perimeter subnetwork that sits between the public and private networks for an added layer of security. This makes it harder for hackers to find a way in from one system or zone to another. Where required, connections between networks are provided by specially secured data ‘conduits.’
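The zone-and-conduit segmentation described above can be written down as a default-deny policy and used to audit observed network flows. This is an added example, not part of the original article: the zone names, subnets, allowed ports and sample flows are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Constructed zones and subnets (hypothetical addressing plan).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT-EPMS": ipaddress.ip_network("10.30.0.0/24"),
    "OT-BMS": ipaddress.ip_network("10.31.0.0/24"),
}

# Conduits are directional: (source zone, destination zone) -> allowed TCP ports.
# There is deliberately no IT <-> OT entry; data crosses only via the DMZ.
CONDUITS = {
    ("IT", "DMZ"): {443},           # IT users read reports from the DMZ server
    ("OT-EPMS", "DMZ"): {443},      # EPMS gateway pushes data up to the DMZ
    ("OT-BMS", "OT-EPMS"): {502},   # BMS reads meters over Modbus/TCP
}


class Flow(NamedTuple):
    src: str
    dst: str
    port: int


def zone_of(address: str) -> Optional[str]:
    """Return the zone containing this IP address, or None if unzoned."""
    ip = ipaddress.ip_address(address)
    for name, network in ZONES.items():
        if ip in network:
            return name
    return None


def check_flow(flow: Flow) -> Tuple[bool, str]:
    """Default deny: cross-zone traffic needs a matching conduit and port."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return False, "endpoint outside every defined zone"
    if src_zone == dst_zone:
        return True, f"intra-zone traffic in {src_zone}"
    ports = CONDUITS.get((src_zone, dst_zone))
    if ports is None:
        return False, f"no conduit from {src_zone} to {dst_zone}"
    if flow.port not in ports:
        return False, f"port {flow.port} not permitted on {src_zone}->{dst_zone}"
    return True, f"conduit {src_zone}->{dst_zone}"


def violations(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Return every flow the policy denies, with the reason."""
    denied = []
    for flow in flows:
        allowed, reason = check_flow(flow)
        if not allowed:
            denied.append((flow, reason))
    return denied


# Constructed flow records, e.g. as exported from a firewall or flow collector.
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "10.20.0.5", 443),      # IT -> DMZ, allowed
    Flow("10.10.4.7", "10.30.0.12", 502),     # IT straight to a meter, denied
    Flow("10.30.0.12", "10.20.0.5", 443),     # EPMS -> DMZ, allowed
    Flow("10.31.0.9", "10.30.0.12", 502),     # BMS -> EPMS Modbus, allowed
    Flow("10.31.0.9", "10.30.0.12", 22),      # BMS -> EPMS on wrong port, denied
    Flow("10.30.0.12", "10.30.0.13", 502),    # inside the EPMS zone, allowed
    Flow("203.0.113.50", "10.30.0.12", 502),  # unzoned source, denied
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.port}  ({reason})")
```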

Your electrical system should also be physically secured, with no access by unauthorized personnel. This same strategy applies to EPMS communications network security by means of controlled, multi-tiered permission-based access.

3. Train your Staff

Many cyberattacks are successful because employees have caused unintended errors. It is important that your people become aware of, and vigilant against, cyberthreats. This includes giving your operations team specialized OT cybersecurity training.

This training will typically include multiple steps, including training all individuals to spot social engineering cues, such as phishing attempts or attempts to access protected areas using pretexting (i.e. someone pretending to be a vendor to gain access). This will also include establishing protocols around the use of passwords, multi-factor authentication, policies around WiFi access (e.g., a guest network that remains isolated from OT networks), regular auditing of user accounts and permissions, etc.

While the horizontal cybersecurity framework provides a solid basis, specific characteristics of the energy sector such as the need for fast reaction, risks of cascading effects and the need to combine new digital technology with older technologies necessitate specific legislation.

Thanks to Felix Ramos & Khaled Fakhuri for writing this article.


Thursday, August 1, 2024

Data Privacy in Video Surveillance Code of Practice

Video surveillance has been used for security applications since the 1940s and has evolved from analog cameras to IP-based systems that can include analytics and machine-learning capabilities.

The rapid growth of networked surveillance, along with the evolution of Internet, cloud and mobile applications, as well as improvements in image quality, have vastly expanded video’s ability to deter and detect criminal activity and to provide evidence used to solve crimes and find missing persons. An estimated one billion surveillance cameras are watching you around the world in 2023.

However, we often lack understanding of the lawfulness of video surveillance, the measures that can be taken to protect our privacy, and whether our video footage is even considered personal data by the General Data Protection Regulation (GDPR).

Given the nature of video surveillance, concerns about potential misuse and invasions of privacy are understandable, and there have, unfortunately, been cases in which a lack of proper controls has led to privacy violations. The Security Industry Association (SIA) Data Privacy Advisory Board has produced this Code of Practice for Video Surveillance (“Code”) based on common privacy and security principles to provide manufacturers, integrators and end users with guidance that can be used to inform their development of sound policies and practices that mitigate privacy risks while leveraging the power of video technology.

Data protection and data privacy laws in India are at a nascent stage, with the Digital Personal Data Protection Act, 2023 (“DPDPA”) enacted only on 11th August, 2023; it is to be notified for stage-wise implementation in India. It will take time to evolve, with many upcoming developments yet to take shape in personal data and its usage, storage and transfer. Additionally, other Indian legislation further influences the legal conundrum surrounding data protection law in India.

For manufacturers / OEMs, primary responsibilities relate to device and platform default configurations and upkeep, as well as building privacy into the design of hardware and software. Device and platform design and maintenance should include:

• Patching

• Vulnerability communication

• Forced changing of default login credentials

• Role-based access control, multi-factor authentication, encryption, and other data security best practices

• Device security risk considerations and notifications (e.g., trusted platform details)

• Cloud services security and management if apps are offered

o Associated security considerations and notifications

• Publicly available and current guidance to secure infrastructure

Responsibility for integrators (System Integrators) begins with the design and layout of the system. Conducting a privacy impact assessment can identify areas of concern before installation begins. For example, camera viewing areas and the use of analytics software must be addressed in the planning stages. As you deal with customers / end users, educate them on applying appropriate data.

It is critical to establish an appropriate set of default privacy settings, in addition to “hardened” secure settings for cameras and the network, including purpose-specific analytics and viewing/exclusion zones.

Other important areas for integrators to consider include:

• Ongoing privacy and cybersecurity education and training for employees

• Proper authentication of employees on systems and devices

• Requirements, roles and responsibilities, including third-party security

• Nature of systems involved (cloud, on premises, hybrid) and designated privacy and security measures

• Applicable international, federal, state, and local laws and regulations, as well as industry standards, frameworks and best practices

• A service contract that identifies the integrator’s privacy and security obligations and risk.

End users are the surveillance system data controllers (in privacy terms). They establish the purpose and justification for the surveillance system as well as its operational scope. When hiring a third-party services provider, the end user should take reasonable steps to ensure that the provider follows all applicable data privacy laws, regulations and best practices and meets the same standards when handling data that the end user has in place for itself. The end user, as data controller, retains the ultimate responsibility to protect sensitive information and respect privacy and should not solely rely on third-party service providers for compliance.

Transparency is a priority, especially regarding the identification of the owner or processor of the data, as it enhances trust. End users must be aware of requirements in jurisdictions in which they operate, because, in many places, there are transparency and notice mandates concerning such information as who is conducting the surveillance, the level of surveillance being conducted, and the risk involved.

Privacy risk factors vary depending on the end user’s system and its interactions with individuals. A risk assessment is crucial to determine areas of concern. This assessment should look at the use of video surveillance across the organization and consider business, operational, legal, technical and social aspects. It should begin by addressing the most basic questions, such as identifying the purpose of the surveillance, who or what is being surveilled, and what the justification is.

Legal position concerning surveillance culture in India

Presently in India, communication surveillance is primarily governed by two pieces of legislation. The first is the Telegraph Act, 1885, which deals with interception of telephonic conversations, and the second is the Information Technology Act, 2000, which concerns the surveillance of electronic communication.

However, there are no specific laws or regulations to address the gaps existing between the aforesaid two legislations for avoiding overreach.

The Supreme Court of India (hereinafter referred to as the “Supreme Court”), while considering that data privacy is a part of the Right to Life enshrined in the Constitution of India and also a fundamental human right, observed the principles of informational privacy and data protection in the landmark judgment of K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1. This celebrated judgment of the Supreme Court resulted in the introduction of the Personal Data Protection Bill, 2019 (hereinafter referred to as the “PDP Bill”).

The PDP Bill lays forth the fundamentals of data protection and establishes mechanisms for dealing with any violations of its provisions. Further, it imposes sanctions on corporations and individuals that fail to comply with the provisions of the PDP Bill. Moreover, it establishes an adjudicatory procedure through which individuals can seek compensation for any ‘damage’ they have suffered as a result of a violation of the PDP Bill’s provisions.

However, though umbrella legislation may be easier to draft and implement, it may overlook sector-specific details in order to achieve the declared State goal. For instance, data collection in the health sector amid the Covid-19 pandemic would be different from data collection and use for national security, which includes challenges such as terrorism and counterfeit money. It is pertinent to note that the surveillance needs in the two circumstances would be different.

The PDP Bill was referred to a Joint Parliamentary Committee (hereinafter referred to as the “Committee”) for further consideration, and thereafter the Committee published its Report and finalized the Data Protection Bill, 2021 (hereinafter referred to as the “Bill”). The Bill, which is expected to be enacted anytime soon, shall govern all aspects of data processing in the country, and any surveillance mechanism shall be affected by it.

The following is a non-exhaustive set of questions that operators in several sectors can use to begin to determine potential privacy risks. Security system operators are the systems administrators for the data controllers who authorized the surveillance.

Corporate security

o How is video being used?

o Can data subjects be identified?

o Are analytics being used?

o Is there notice of surveillance before it takes place?

o Is there an opt-in option? Or opt-out? Or right to be forgotten?

o What are the retention times? How do these compare to legal requirements, if there are any?

o Are security and privacy handled by the same team?

Healthcare facilities

o Are there HIPAA compliance requirements?

o Are there protected health information (PHI) implications?

Education

o Are there Family Educational Rights and Privacy Act (FERPA) considerations?

o Is facial recognition being used for attendance?

o Have parental concerns been considered and addressed?

Marketing

o What levels of transparency and notice are in place?

o Are there PII concerns with how the video is collected, used and stored?

o Are data subjects being identified? If so, is this necessary/appropriate?

Public/Government/Law Enforcement

o Who/what area is being surveilled and why?

o Is artificial intelligence (AI) or another automated technology being used?

o Is appropriate notice/signage in place?

Code Principles

This Code of Practice is based on core privacy and security principles as they apply to the manufacture, deployment and use of video surveillance systems. As with any technology-based security system and the products developed for such systems, conducting a privacy impact assessment (PIA) can establish a baseline for appropriate privacy practices. This begins with the design phase and continues through to deployment and use.

A PIA analyzes how information is collected, used, shared, maintained and retained and identifies the operational requirements. (These requirements extend beyond compliance as they also drive governance and resulting policy.) Further, a PIA can identify areas in which privacy violations would occur if surveillance were used, with some obvious cases being surveillance in a restroom and inadvertent capture of identity and payment cards. One should also be aware of the integration of video surveillance with identity management and physical access control systems.

In addition to conducting a PIA, implementing the following principles can further improve the privacy practices of manufacturers, integrators and end users.

Privacy by Design

Privacy by design approaches privacy from a proactive rather than reactive perspective. In practice, this means anticipating and preventing breaches before they occur and recognizing privacy rights and enabling their exercise. For manufacturers, this means approaching product design from a privacy standpoint. For integrators, it means designing and installing video surveillance systems that incorporate privacy principles in their use and maintenance. Organizations adopting privacy by design will have to make privacy a priority in determining default settings and must keep all stakeholders informed of their privacy practices and any changes that are made to them.

Regular Review

Establishing consistent and regular review and audit processes will help to ensure compliance with legal and regulatory requirements and industry standards and best practices. These will need to be updated from time to time as circumstances or technological advancements dictate. The review should include all stakeholders, including individuals and third parties that may be affected.

Transparency and Notification

o Inform consumers and employees that cameras are in use

o Provide information regarding the data captured and how it will be used and limit uses to those for which there is legal justification

o Share data retention information (e.g., how long information will be stored, how it will be deleted)

o Include a point of contact for complaints or further information

Data Access

Restrict access to data and retained images. Clearly define rules stating who has access and when and for what purpose access may be granted.

Purpose Limitation

Use video surveillance systems for a specified purpose that meets an identified and pressing legitimate need.

Data Minimization

Collect only the video that is necessary for the intended purpose.

Data Accuracy

Data controllers are responsible for the accuracy of the data. Make sure that the metadata concerning location, date, time and other factors are accurate. In some cases, the data accuracy needs to meet evidentiary requirements. If analyzing data and comparing it to a reference database, ensure that the database is accurate and kept current. For video surveillance purposes, manipulating video images requires notation and should be avoided unless absolutely necessary.

Data Storage Limits

Only store video footage for as long as is reasonably necessary or required by law or regulation.

Integrity, Confidentiality and Security

Implement appropriate processes, policies, and procedures to process and store data in a secure manner. This could include the use of digital signatures and watermarking to prevent modification as well as other cryptographic techniques, such as encryption during transmission and storage. Regularly review processes, policies and procedures to protect against unauthorized access or use.

Privacy and Surveillance in India: Judicial Precedents

The Right to Privacy has not been explicitly mentioned in the Constitution of India. However, the Courts in India have created a framework for protection of privacy of the citizens by interpreting it within the meaning of Right to Life and Personal Liberty under Article 21 of the Constitution.

The Supreme Court developed the law on the Right to Privacy through some landmark judgments involving surveillance. The first was the case of Kharak Singh v. State of U.P., (1964) 1 SCR 33, wherein the constitutional validity of Regulation 236 of the Uttar Pradesh Police Regulations, 1861, which permitted surveillance, was challenged. The Supreme Court held that “surveillance by domiciliary visits and other acts under regulation 236 was ultra vires articles 19 (1)(d) and 21”.

In another case, People’s Union for Civil Liberties v. Union of India, 1995 (3) 365, the Supreme Court held that “right to privacy included the right to hold a telephone conversation in the privacy of one’s home or office and that telephone tapping, a form of ‘technological eavesdropping’ infringed the right to privacy”.

However, in Govind v. State of Madhya Pradesh (1975) 2 SCC 148, a case of surveillance under the Madhya Pradesh Police Regulations, though the Supreme Court acknowledged a limited right to privacy, it upheld the impugned regulation which authorised domiciliary visits in its entirety.

Reference:

1.    Article from securityindustry.org

2.    https://www.infosecurity-magazine.com/opinions/privacy-video-surveillance-paris/