Due to the increased use of video data and video sharing, as well as growing video privacy concerns, many companies are updating or creating “acceptable use of video” policies as well as related procedures and practices.
Q: We are a multiple-site organization, and I’ve been asked to develop a corporate policy regarding the acceptable use of security video. What does this need to include?
A: At a minimum, it should include handling of personally identifiable information (PII) and video confidentiality. More is needed to fully address corporate liabilities regarding video misuse.
Acceptable Use Policies
IT departments have used acceptable use policies for over four decades for company network and computer resources, and such documents can serve as reference templates in terms of scope, coverage and language. You can find many examples of these on the Internet, such as those published by schools and universities. However, it’s important to understand three key differences between IT acceptable use policies and a security video acceptable use policy.
Computer and Network User Counts
First, IT policies are written for the hundreds or thousands of end-users of an organization’s computers and networks and including the use of networks by personally-owned devices. Hotels, for example, have often limited the use of their free network access and allowing video streaming only for paid network usage. In many organizations with high computer and network usage, network bandwidth management is a challenge as bandwidth is never unlimited. The situation for security video is very different because the organization (typically Security) controls the video cameras and their network utilization, and the number of end-users of video management software is a few or a few dozen, depending on the size of the organization and whether video is shared outside of security.
Modern video management systems support the submission of photos and images from employee smartphones, for example, as evidence regarding a security or safety incident or to report a problem condition on facility grounds such as a vehicle wrongly parked, a dangerous animal, or trash that needs collection. Such submissions rarely consume much network bandwidth and are only potentially numerous during an event, civil unrest conditions, or natural disasters – situations in which the organization wants to receive the video.
Control of Usage
Second, it is impossible to control in an absolute sense the use of computers and networks in an organization, primarily due to the high user counts, and difficult to monitor and control all computer activity. However, a security video system’s use must be strictly controlled and easily can be, due to the nature of the system, the low users counts even when video is shared, and the job-specific nature of video use. An additional purpose for a security video use policy is the protection of employees and the organization from misuse of security cameras and video by the organization's employees and service contractors, such as installation and maintenance service providers as well as security officer service companies.
Camera Locations and Nature of Surveillance
Third, a security video acceptable use policy should disclose the purpose and scope of video surveillance, the intended uses of video including whether or not covert video surveillance may be used and for what purposes, and the video retention policy or practice. The EU’s General Data Privacy Regulation (GDPR) specifies details to be provided about video surveillance. The policy should also include an organizational commitment to respect the privacy rights of individuals subject to surveillance. Always consult with your legal counsel to help ensure that corporate liability issues are satisfactorily addressed.
Example Policies
A web search on acceptable use policy for security video will provide many dozens of acceptable use policies, mostly from schools, universities and city/county/federal organizations but also a few from other sources. None that I have seen are all-inclusive and I was able to find major faults with a few and minor faults with most – which you can avoid by comparing a selection of examples and identifying material suitable for your own organization’s use.
Although many policies I saw did not have a definitions section or left it blank, it is important to define terms you may use, such as “confidential”, and any other terms necessary for the intended audience to clearly understand each part of the policy.
Information and Notification
Employees should be informed of the organization’s use of video as part of their onboarding process, and ideally, their employment contract will include an acknowledgment of the use of safety and security video on the organization’s premises. Signage at building and facility grounds entrances is the appropriate way to notify customers, visitors and others about video surveillance usage. The GDPR requires specific details be provided in video surveillance signage. One of the first GDPR fines issued in Austria (about $5,400) was for a small business’s failure to provide proper signage informing that a camera inside its office included in its field of view a portion of the public sidewalk in front of its main window.
Related Policies
Additionally, your organization will need a separate policy (or one that includes a publishable acceptable use statement) that clearly defines and assigns the roles and responsibilities related to the management of video systems and devices as well as video information. (Editor’s note: Watch for an upcoming article on Corporate Security Video Policies.) The scope of roles and responsibilities must be directly relatable to the organization’s purpose for video use and also its commitment to respecting and enforcing the privacy of video subjects and maintaining the confidentiality of video information. Video information should be subject to the organization’s data governance policies and practices, including the assignment of data stewardship roles. See the September/October Convergence Q&A column for more details on data governance and stewardship for security information.
It’s a good idea to have a knowledgeable security consultant review your video policies. It’s a very small piece of work that can provide significant assurance of addressing the full range of organization liabilities relating to the use of security video.
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS
