Data Privacy in Video Surveillance Code of Practice
Video
surveillance has been used for security applications since the 1940s and has
evolved from analog cameras to IP-based systems that can include analytics and
machine-learning capabilities.
The rapid growth of networked surveillance, along with the evolution of Internet, cloud and mobile applications, as well as improvements in image quality, have vastly expanded video’s ability to deter and detect criminal activity and to provide evidence used to solve crimes and find missing persons. An estimated one billion surveillance cameras are watching you around the world in 2023.
However,
we often lack understanding of the lawfulness
of video surveillance, the measures that can be taken to
protect our privacy, and wheater our video footage is even considered personal
data by the General Data Protection Regulation (GDPR).
Given the nature of video surveillance, concerns about potential misuse and invasions of privacy are understandable, and there have, unfortunately, been cases in which a lack of proper controls has led to privacy violations. The Security Industry Association (SIA) Data Privacy Advisory Board has produced this Code of Practice for Video Surveillance (“Code”) based on common privacy and security principles to provide manufacturers, integrators and end users with guidance that can be used to inform their development of sound policies and practices that mitigate privacy risks while leveraging the power of video technology.
Data protection and data privacy laws in India are at a nascent stage with the enactment of the Digital Personal Data Protection Act,2023 (“DPDPA”) only on 11th August,2023 and shall be notified for its stage wise implementation in India. It will take time to evolve with many upcoming developments to take shape in personal data and its usage, storage and transfer. Additionally, other Indian legislations further influence the legal conundrum surrounding data protection law of India.
For manufacturers / OEMs, primary responsibilities relate to device and platform
default configurations and upkeep, as well as building privacy into the design
of hardware and software. Device and platform design and maintenance should
include:
• Patching
•
Vulnerability communication
• Forced
changing of default login credentials
•
Role-based access control, multi-factor authentication, encryption, and other
data security best practices
• Device
security risk considerations and notifications (e.g., trusted platform details)
• Cloud
services security and management if apps are offered
o
Associated security considerations and notifications
• Publicly available and current guidance to secure infrastructure
Responsibility
for integrators (System Integrator) begins with the design and layout of
the system. Conducting a privacy impact assessment can identify areas of
concern before installation begins. For example, camera viewing areas and the
use of analytics software must be addressed in the planning stages. As you are
deal with customers / end users, educated them with applying appropriate data.
It is
critical to establish an appropriate set of default privacy settings, in
addition to “hardened” secure settings for cameras and the network, including
purpose-specific analytics and viewing/exclusion zones.
Other
important areas for integrators to consider include:
• Ongoing
privacy and cybersecurity education and training for employees
• Proper
authentication of employees on systems and devices
•
Requirements, roles and responsibilities, including third-party security
• Nature
of systems involved (cloud, on premises, hybrid) and designated privacy and security
measures
•
Applicable international, federal, state, and local laws and regulations, as
well as industry standards, frameworks and best practices
• A service contract that identifies the integrator’s privacy and security obligations and risk.
For End users are the surveillance system data controllers (in privacy terms). They establish the purpose and justification for the surveillance system as well as its operational scope. When hiring a third-party services provider, the end user should take reasonable steps to ensure that the provider follows all applicable data privacy laws, regulations and best practices and meets the same standards when handling data that the end user has in place for itself. The end user, as data controller, retains the ultimate responsibility to protect sensitive information and respect privacy and should not solely rely on third-party service providers for compliance.
Transparency is a priority, especially regarding the identification of the owner or processor of the data, as it enhances trust. End users must be aware of requirements in jurisdictions in which they operate, because, in many places, there are transparency and notice mandates concerning such information as who is conducting the surveillance, the level of surveillance being conducted, and the risk involved.
Privacy
risk factors vary depending on the end user’s system and its interactions with individuals.
A risk assessment is crucial to determine areas of concern. This assessment
should look at the use of video surveillance across the organization and
consider business, operational, legal, technical and social aspects. It should
begin by addressing the most basic questions, such as identifying the purpose
of the surveillance, who or what is being surveilled, and what the justification
is.
Legal position concerning surveillance culture in india
Presently in India, communication surveillance is primarily governed by two legislations. First being the Telegraph Act, 1885 which deals with interception of telephonic conversations and the second being the Information Technology Act, 2000 which concerns the surveillance of electronic communication.
However, there are no specific laws or regulations to address the gaps existing between the aforesaid two legislations for avoiding overreach.
The Supreme Court of India (hereinafter referred to as the “Supreme Court”) while considering that data privacy is a part of Right to Life enshrined in the Constitution of India and also a fundamental human right, observed the principles of informational privacy and data protection in the landmark judgment of K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1. This celebrated judgement of the Supreme Court resulted in the introduction of the Personal Data Protection Bill, 2019 (hereinafter referred to as the “PDP Bill”).
The PDP Bill lays forth the fundamentals of data protection and establishes mechanisms for dealing with any violations of its provisions. Further, it imposes sanctions on corporations and individuals that fail to comply with the provisions of the PDP Bill. Moreover, it establishes an adjudicatory procedure through which individuals can seek compensation for any ‘damage’ they have suffered as a result of a violation of the PDP Bill’s provisions.
However, though an umbrella legislation may be easier to draft and implement, it may overlook sector-specific details in order to achieve the declared State goal. For an instance, data collection in the health sector amid the Covid-19 pandemic would be different from data collection and use for the national security, which includes challenges such as terrorism and counterfeit money. It is pertinent to note that the surveillance needs in both the circumstances would be different.
The PDP Bill was referred to a Joint Parliamentary Committee (hereinafter referred to as the “Committee”) for further consideration, and thereafter the Committee published its Report and finalized the Data Protection Bill, 2021 (hereinafter referred to as the “Bill”). The Bill which is expected to be enacted anytime soon, shall govern all the aspects of data processing in the country and any surveillance mechanism shall be affected by the same.
The
following is a non-exhaustive set of questions that operators in several
sectors can use to begin to determine potential privacy risks. Security system
operators are the systems administrators for the data controllers who
authorized the surveillance.
Corporate security
v How is video being used?
v Can data subjects be identified?
v Are analytics being used?
v Is there notice of surveillance before
it takes place?
v Is there an opt-in option? Or opt-out?
Or right to be forgotten?
v What are the retention times? How do
these compare to legal requirements, if
v there are any?
v Security & Privacy are same team ?
Healthcare facilities
ü Are there HIPAA compliance
requirements?
ü Are there protected health information (PHI) implications?
Education
Ø Are there Family Educational Rights
and Privacy Act (FERPA) considerations?
Ø Is facial recognition being used for
attendance?
Ø Have parental concerns been considered and addressed?
Marketing
v What levels of transparency and notice
are in place?
v Are there PII concerns with how the
video is collected, used and stored?
v Are data subjects being identified? If so, is this necessary/appropriate?
Public/Government/Law Enforcement
§ Who/what area is being surveilled and
why?
§ Is artificial intelligence (AI) or
another automated technology being used?
§ Is appropriate notice/signage in place in place?
Code Principal
This Code
of Practice is based on core privacy and security principles as they apply to
the manufacture, deployment and use of video surveillance systems. As with any
technology-based security system and the products developed for such systems,
conducting a privacy impact assessment (PIA) can establish a baseline for
appropriate privacy practices. This begins with the design phase and continues
through to deployment and use.
A PIA
analyzes how information is collected, used, shared, maintained and retained
and identifies the operational requirements. (These requirements extend beyond
compliance as they also drive governance and resulting policy.) Further, a PIA
can identify areas in which privacy violations would occur if surveillance were
used, with some obvious cases being surveillance in a restroom and inadvertent
capture of identity and payment cards. One should also be aware of the
integration of video surveillance with identity management and physical access
control systems.
In addition to conducting a PIA, implementing the following principles can further improve the privacy practices of manufacturers, integrators and end users.
Privacy by Design
Privacy by design approaches privacy from a proactive rather than reactive perspective. In practice, this means anticipating and preventing breaches before they occur and recognizing privacy rights and enabling their exercise. For manufacturers, this means approaching product design from a privacy standpoint. For integrators, it means designing and installing video surveillance systems that incorporate privacy principles in their use and maintenance. Organizations adopting privacy by design will have to make privacy a priority in determining default settings and must keep all stakeholders informed of their privacy practices and any changes that are made to them.
Regular Review
Establishing consistent and regular review and audit processes will help to ensure compliance with legal and regulatory requirements and industry standards and best practices. These will need to be updated from time to time as circumstances or technological advancements dictate. The review should include all stakeholders, including individuals and third parties that may be affected.
Transparency and Notification
o
Inform consumers and employees that cameras are in use
o
Provide information regarding the data captured and how it will be used and
limit uses to those for which there is legal justification
o
Share data retention information (e.g., how long information will be stored,
how it will be deleted)
o Include a point of contact for complaints or further information
Data Access
Restrict access to data and retained images. Clearly define rules stating who has access and when and for what purpose access may be granted.
Purpose Limitation
Use video surveillance systems for a specified purpose that meets an identified and pressing legitimate need.
Data Minimization
Collect only that video that is necessary for the intended purpose.
Data Accuracy
Data controllers are responsible for the accuracy of the data. Make sure that the metadata concerning location, date, time and other factors are accurate. In some cases, the data accuracy needs to meet evidentiary requirements. If analyzing data and comparing it to a reference database, ensure that the database is accurate and kept current. For video surveillance purposes, manipulating video images requires notation and should be avoided unless absolutely necessary.
Data Storage Limits
Only store video footage for as long as is reasonably necessary or required by law or regulation.
Integrity, Confidentiality and Security
Implement appropriate processes, policies, and procedures to process and store data in a secure manner. This could include the use of digital signatures and watermarking to prevent modification as well as other cryptographic techniques, such as encryption during transmission and storage. Regularly review processes, policies and procedures to protect against unauthorized access or use.
Privacy and surveillance in india: judicial precedents
The Right to Privacy has not been explicitly mentioned in the Constitution of India. However, the Courts in India have created a framework for protection of privacy of the citizens by interpreting it within the meaning of Right to Life and Personal Liberty under Article 21 of the Constitution.
The
Supreme Court developed the law on Right to Privacy via some landmark
judgments involving surveillance. The first being the case of Kharak
Singh v. State of U.P., (1964) 1 SCR 33, wherein the
constitutional validity of Regulation 236 of the Uttar Pradesh Police
Regulations, 1861 was challenged which permitted surveillance. The Supreme
Court held that “surveillance
by domiciliary visits and other acts under regulation 236 was ultra vires
articles 19 (1)(d) and 21”.
In
another case of People’s Union for Civil Liberties v. Union
of India, 1995 (3) 365, the Supreme Court held that “right to privacy included the right
to hold a telephone conversation in the privacy of one’s home or office and
that telephone tapping, a form of technological eavesdropping’ infringed the
right to privacy”.
However, in Govind v. State of Madhya Pradesh (1975) 2 SCC 148, a case of surveillance under the Madhya Pradesh Police Regulations, though the Supreme Court acknowledged a limited right to privacy, it upheld the impugned regulation which authorised domiciliary visits in its entirety.
Reference:
1.
Article
from securityindustry.org
2.
https://www.infosecurity-magazine.com/opinions/privacy-video-surveillance-paris/
Investing online has been a main source of income, that's why knowledge plays a very important role in humanity, you don't need to over work yourself for money.All you need is the right information, and you could build your own wealth from the comfort of your home! Binary trading is dependent on timely signals, assets or controlled strategies which when mastered increases chance of winning up to 90%-100% with trading. It’s possible to earn $10,000 to $20,000 trading weekly-monthly in cryptocurrency(bitcoin) investment, just get in contact with Mr Bernie Doran my broker. I had almost given up on everything about binary trading and never getting my lost funds back, till i met with him, with his help and guidance now i have my lost funds back to my bank account, gained more profit and I can now trade successfully with his profitable strategies and signals! Reach out to him on Gmail ( BERNIEDORANSIGNALS@GMAIL.COM ) , or his WhatsApp : +1(424)285-0682 for inquiries
ReplyDeleteIn Gore, a formal graduation ceremony for the Class of 2020 has been scheduled for 6 p.m. Saturday, June 13, in the Event Center.
Central Public School has rescheduled graduation ceremonies for Friday, June 26, at 7 p.m. “In the event that we are unable to hold a traditional graduation ceremony, we are in the process of gathering information for a virtual graduation. Seniors will be notified about the virtual graduation procedures in the near future,” Central Superintendent Larry Henson stated.
Gans has set a tentative date for a graduation ceremony of July 17 at 7 p.m. to be held at the football field.
Muldrow is tentatively set to have a graduation ceremony on June 26 at 8 p.m. at the football field. School officials are working on a date and location for a Baccalaureate service.