Protect your organization's data by properly using video management systems.
By Juan Carlos George*
Ongoing training is essential to understand how complex confidentiality regulations, such as the General Data Protection Regulation (GDPR), apply in a video surveillance environment. Employees who process data, including operators, security officers and system administrators, must learn how to identify and protect personal data using tools such as privacy masks, and by taking protective measures when exporting evidence.
However, the responsibility does not fall only on those who receive the data and safeguard it as cautiously as possible; the people and institutions that hand over the data are also responsible, since they have the greatest stake in ensuring that it does not fall into the hands of cyber criminals, who are constantly on the prowl, waiting for the slightest opportunity to ask people for data.
Different data confidentiality policies around the world require organizations using video management systems (VMS) to be proactive in protecting personal data at all stages of data processing and storage. Continuing education is one of the most effective ways to help data processors identify sensitive information and process it securely.
New international laws
The new international laws on the protection of confidentiality, recently enacted in Australia, Brazil, Japan and the European Union, are very diverse in terms of policies and sanctions. The GDPR, considered the most important change to the regulation of information confidentiality in the last 20 years, is an excellent example of a strict policy that raises difficult compliance issues for many companies with operations in the European Union.
The Data Protection Law (LGPD), approved in Brazil, has already set in motion an industry that will have to make changes: not only the representative bodies of the information technology (IT) sector and entrepreneurs in the segment, but also all companies that handle the personal data of employees, customers and others.
Colombia has one of the most developed bodies of data protection legislation in Latin America, with laws that have been in force since 2012. These have been updated and today specify how to store and process personal data and how to use, amend or delete it, and they establish different measures based on the type and size of the company. Permission from users is required to use the information.
Mexico enacted data protection laws some years ago. In 2017, the General Law on the Protection of Personal Data in Possession of Obliged Subjects was issued, harmonizing the regulations on the matter. Thus, there are two specific laws that dictate obligations, duties, procedures, sanctions and resources in the matter, for both the public and private sectors.
In Chile, despite the existence of the much-questioned Law on the Protection of Private Life (Law 19,628), only since June 16, 2018 has the protection of personal data had undisputed constitutional status, by virtue of the publication of Law 21,096, which enshrines it as an autonomous right, although related to the right to privacy contemplated in Article 19 No. 4.
Identification of personal data
The issue of privacy has become increasingly important in recent years because many technologies collect personal data. Personal data is considered to be any type of information that, directly or indirectly, can be used to identify a person, such as a name, identification number or location data; it includes videos and still images, as well as other identifiers.
Some personal data does not necessarily serve to identify someone, but is more sensitive, such as sexual orientation, religious beliefs, health status, ethnicity or race. For example, a VMS installed in a hospital may collect personal data related to a person's health status. When such information is combined with direct identifiers such as a person's name, image or national ID, such information ceases to be confidential.
With a VMS, the amount of personal data collected varies depending on the type of technologies used. With video cameras alone, companies capture only visual details. However, when these details are combined with microphones, access control, facial recognition, license plate recognition or other types of systems, the company will have more access to personal data. Such a combination of detailed information makes the information even more confidential. That's why it's important to protect all types of private data.
Data protection impact assessment
Before installing and deploying video surveillance systems, system designers and end users should jointly assess the system's impact on confidentiality and data protection. This evaluation makes it possible, on the one hand, to establish the impact that the proposed system will have on the confidentiality of individuals and on other fundamental rights, and on the other, to identify possible ways of protecting confidentiality.
The impact assessment should look at all areas of a facility and document why the recording is necessary and how people's privacy will be protected. One possible solution is to use privacy masks, a function that hides parts of a given field of view, for example windows and other areas of surrounding premises or houses. The masking option gives the operator an adequate view of an area without compromising confidentiality.
End users should work hand in hand with security professionals to conduct the assessment and establish a detailed video surveillance policy that provides an overview of the VMS and its purpose. It is advisable for the policy to describe how the system operates, how personal data is used, and what data protection measures are in place.
Handling the export of evidence
When evidence is shared following a criminal incident, privacy is put at risk the moment the exported data leaves the surveillance system and is transferred to removable storage, such as a USB drive or optical disc. If that data falls into the wrong hands, the confidentiality of the subjects linked to the evidence would be lost.
VMS users should be trained to follow a transparent procedure for exporting evidence, with guidelines on authorized personnel, storage and access to evidence, export formats and encryption, and timelines for destroying evidence.
VMS software tools can also be used to protect exported data; among others, password protection and digital signatures that verify that the evidence has not been tampered with.
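The integrity and retention checks described above can be sketched as follows. This is an added example, not code from the author or from any VMS product; the manifest field names, file names and key are hypothetical, and HMAC-SHA256 with a shared key stands in for the digital signature (encryption of the exported files is not shown).

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed sample data: stand-ins for exported clips and a key held by the organization.
KEY = b"constructed-demo-key"
FILES = {"cam01.mkv": b"constructed clip 1", "cam02.mkv": b"constructed clip 2"}

def manifest_tag(manifest, key):
    """HMAC-SHA256 over the canonical manifest (every field except the tag itself)."""
    body = {k: v for k, v in manifest.items() if k != "tag"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def build_manifest(files, exported_by, authorized, export_day, retention_days, key):
    """Record who exported what, when it must be destroyed, and seal the record."""
    if exported_by not in authorized:
        raise PermissionError(f"{exported_by} is not authorized to export evidence")
    manifest = {
        "exported_by": exported_by,
        "exported_on": export_day.isoformat(),
        "destroy_by": (export_day + timedelta(days=retention_days)).isoformat(),
        "files": {n: hashlib.sha256(d).hexdigest() for n, d in files.items()},
    }
    manifest["tag"] = manifest_tag(manifest, key)
    return manifest

def verify_export(manifest, files, key, today):
    """Return a list of problems; an empty list means the export checks out."""
    if not hmac.compare_digest(str(manifest.get("tag", "")), manifest_tag(manifest, key)):
        return ["manifest tag invalid"]  # nothing else in the manifest can be trusted
    problems = []
    for name, digest in sorted(manifest["files"].items()):
        if name not in files:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            problems.append(f"modified: {name}")
    problems += [f"unlisted: {n}" for n in sorted(set(files) - set(manifest["files"]))]
    if today > date.fromisoformat(manifest["destroy_by"]):
        problems.append("past destroy-by date")
    return problems
```

With a real asymmetric signature the recipient would verify with a public key instead of sharing the secret; the manifest structure and the checks stay the same.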
Mitigate risk, stay informed
As compliance with confidentiality standards becomes more complex for system design companies and end users, the trend of allocating more budget to education in these areas to mitigate risks will continue to grow.
Continuous training, self-learning strategies and awareness are essential components of a culture of responsibility towards data protection. Security professionals in all disciplines should be well versed in local, regional and national regulations, and work to take advantage of market-available technologies, best data handling practices and valuable consultant guidance to ensure regulatory compliance, avoiding embarrassing and wasteful confidentiality issues.
* Juan Carlos George, sales manager of Milestone Systems for Latin America.