The Impact of Privacy on Security Systems

Oct. 27, 2008
Increased convergence has led to more privacy considerations across the enterprise

Privacy considerations have two areas of impact when it comes to security systems and devices: system use and system design. Security practitioners are affected by both and must be aware of the corporate, legal and security implications. Privacy issues are becoming more common because convergence is continually increasing the data collection, data analysis and data integration capabilities of security systems.

While the information in this article definitely applies to corporate/physical security for compliance to privacy regulations such as HIPAA, the primary focus of the article is on addressing privacy requirements relating to the use of security technology.

Privacy-Restricted Security Data

When deploying an emergency notification system, for example, the natural approach today is to populate the system with employee data automatically from an HR database or corporate directory. However, in many cases information such as employee home addresses and phone numbers is now privacy-restricted data. This means that to receive such information, a security or notification system must meet the IT department's system and network security requirements for handling restricted data. Some training is in order for security personnel who are given access to the restricted data. What is the full spectrum of use of the information? In an emergency situation, might the data be printed and taken off site? Security's application may go beyond the bounds originally envisioned for the data, and this may require some security analysis and security policy generation to cover the extended usage. Security systems and networks which receive such data become subject to many of the same audit requirements that apply to the original systems that hold the data — but are the security systems auditable in the manner required?

Some of the ideas discussed in this article may very well be new to most readers. They are not new to most information security practitioners, who deal with them on a regular basis. As privacy concerns continue to increase, privacy issues will not remain new for long in the worlds of corporate and physical security practitioners.

The Privacy Issue

In April 2002, ST&D published an article by Ray Bernard titled, “Privacy: Security's Key Issue for This Decade,” (www.go-rbcs.com/Privacy.htm) which contains key privacy information references, including the U.S. Privacy Act and the seven Fair Information Practices it identifies. These are especially applicable to surveillance video recordings.

Since that article was published, we have seen the escalation of identity theft crimes, the continued occurrence of private data security breaches, and the growth of regulations mandating privacy protections for data and establishing fines and requiring disclosures for personal data breaches. These prove that collectors and custodians of private information must take privacy issues seriously. As requirements increase and penalties grow, it becomes more important for security directors and managers to be aware of the implications for the privacy-restricted data related to their security systems and security programs.

Respecting Privacy Rights

Legislation, legal precedents, industry de facto standards and corporate custom combine to dictate the privacy rights of personnel, visitors, customers and other individuals who enter your facility or come within the range of security surveillance technology. Individual privacy rights constitute some of the requirements relating to privacy-restricted security data. For example, where video surveillance is in effect, personnel should be notified one way or another, such as by the terms of an employment contract or by facility signage. Privacy rights vary depending upon state and country. The Human Resources (HR) and Legal/Risk Management departments are good starting points for identifying the organizational compliance requirements.

Privacy and Security Systems Use

Many security managers have already had to address a privacy issue with regard to outward-facing video cameras, where the use of camera masking features can keep them from looking into homes in the surrounding residential neighborhoods. Some public facilities have neighborhood committees, whose representatives periodically audit the camera mask settings. Collaboration with the legal department is a good idea to ensure that all legal and liability issues are being taken into account, and that the corporate legal risk managers are apprised of security's compliance to the full spectrum of requirements. Collaboration with the public relations department can help ensure that the neighboring community is kept informed of the privacy measures, and that their feedback is received and taken into account.

Today, many security systems, such as access control and emergency notification, integrate with HR systems or directories to obtain employee information. As mentioned earlier, where such information contains home addresses, telephone numbers or other information deemed subject to legislated or corporate privacy restrictions, the information must be managed — which means received, stored, distributed, used, protected and destroyed — in compliance with specified requirements.

This article presents an approach to protecting privacy-restricted data in any form. In the near future security managers will be both expected and required to present at least an outline of how privacy-restricted security data will be protected, prior to granting approval for its use.

Protecting Privacy-Restricted Data

Protective measures apply to more than the computers and databases that hold the data. A data lifecycle analysis should be performed for the data, to identify all of the forms and all of the locations in which the data can exist. The well-known information security standard, ISO/IEC 17799:2005, states in its introduction: “Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.”

Managers of security systems that collect or receive data — video surveillance, access control and other types of systems — must clearly define the purposes for which the data will be used, along with the restrictions that apply to such usage. Then a data lifecycle security analysis should be performed to determine where, when and how the information can appear, and what protective measures are appropriate for each instance of data. Although the following information presents the data lifecycle security analysis in the context of protecting data restricted for privacy purposes, it applies to all types of critical data and is a valuable tool in developing sound information security measures, including for business continuity plans.

Data Lifecycles

There are six aspects of information handling that form a simple checklist that can be used to guide the effort to identify the various forms information can take:

* Creation and receipt

* Storage

* Distribution and transmittal

* Access and use

* Maintenance

* Disposition and destruction

Creation and receipt deal with information from the point of its origination or entry into the security department. Privacy-restricted information can be written, printed, electronic or verbal and include correspondence, transaction or log records, and many other forms of data.

Storage refers to all of the places where any form of the privacy-restricted information is stored, including human memory.

Distribution and transmittal are processes involved in getting information to locations where it can be accessed and used. This may happen automatically according to some process or policy, or upon request or demand.

Access and use take place after information is distributed, and may involve converting the data from one form to another, such as printing data for use, and information sharing on an individual or group basis.

Maintenance is the management of information. This can include processes such as information filing, archiving, retrieval and transfers.

Disposition and destruction involve handling information that is rarely accessed or is required to be retained in specific formats for specific time periods, and is then destroyed by appropriately secure means when it is no longer valuable or required to be retained. For example, most video information is subject to automatic deletion after a certain number of days; and video relating to an incident or investigation is archived outside of the standard video storage so that it will not be deleted automatically. It is important to include backed up data in such planning, including data that is stored in off-site backup locations. Such data should be recycled back into the organization for destruction, or be subject to verified destruction in the secure backup facility.

A data lifecycle security analysis for a corporate security department follows the same steps used for a data lifecycle security analysis for any critical data:

* the full lifecycle of each privacy-restricted data type (creation or receipt, storage, distribution and transmittal, access and use, maintenance, disposition and destruction);

* all the forms in which the data can exist at each point during its lifecycle;

* all the physical locations at which each form can be found or produced;

* what corporate security policies and procedures exist (if any) regarding the various forms of data in each location;

* what personnel (internal and external) can possibly access the data, regardless of whether or not such access would violate any policies that may exist; and

* the effectiveness of any security measures being applied, including inspections and audits.

This provides a baseline picture that can be used to develop a list of cost-effective measures (including those required by legislation or corporate policy) that should be applied to each type of privacy-restricted data throughout its lifecycle. Employee agreements and training apply to the human memory forms of data. While such measures are usually simple, they should not be neglected.
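The six-step analysis above, turned into a gap-finding checklist as an added example (this is not the author's tool or any product's code). The survey rows, policy names and approved accessor lists are constructed for illustration; the finding categories map to the six bullets: missing policy, personnel who can reach the data regardless of policy, controls that cannot be audited, the human-memory form covered only by agreements and training, and lifecycle stages the survey never looked at.

```python
from collections import namedtuple

STAGES = ("creation/receipt", "storage", "distribution/transmittal",
          "access/use", "maintenance", "disposition/destruction")

# One row per (data type, stage, form, location) found in the lifecycle survey.
# policy: name of the governing policy or None; accessors: who can reach it in practice.
Instance = namedtuple("Instance", "data_type stage form location policy accessors audited")

def analyze(inventory, approved):
    """Return gap findings; approved maps data_type -> set of approved accessors."""
    findings, surveyed = [], {}
    for inst in inventory:
        if inst.stage not in STAGES:
            raise ValueError(f"unknown lifecycle stage: {inst.stage!r}")
        surveyed.setdefault(inst.data_type, set()).add(inst.stage)
        where = f"{inst.data_type} / {inst.stage} / {inst.form} @ {inst.location}"
        if inst.policy is None:
            findings.append(("NO_POLICY", where))
        extra = set(inst.accessors) - approved.get(inst.data_type, set())
        if extra:  # access that works today, whether or not a policy forbids it
            findings.append(("UNAPPROVED_ACCESS", where, sorted(extra)))
        if inst.form == "human memory":
            if inst.policy != "employee agreement/training":
                findings.append(("TRAINING_GAP", where))
        elif not inst.audited:
            findings.append(("NOT_AUDITABLE", where))
    for data_type, stages in surveyed.items():  # every stage must be covered
        for stage in STAGES:
            if stage not in stages:
                findings.append(("STAGE_NOT_SURVEYED", f"{data_type} / {stage}"))
    return findings

def sample_inventory():
    """Constructed survey of HR-sourced employee contact data used for emergency notification."""
    d = "employee home contact"
    return [
        Instance(d, "creation/receipt", "electronic", "notification server", "restricted-data handling", ["notify-admins"], True),
        Instance(d, "storage", "backup tape", "off-site vault", None, ["backup vendor"], False),
        Instance(d, "access/use", "printed call tree", "guard desk binder", "restricted-data handling", ["notify-admins", "contract guards"], False),
        Instance(d, "access/use", "human memory", "dispatchers", None, ["dispatchers"], False),
        Instance(d, "disposition/destruction", "electronic", "notification server", "retention schedule", ["notify-admins"], True),
    ]
```

Running `analyze(sample_inventory(), {"employee home contact": {"notify-admins", "dispatchers"}})` flags the off-site backup tape three times (no policy, vendor access, no audit) and reports that distribution and maintenance were never surveyed.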

Auditable Security Controls

Whatever automated or procedural security controls are in place with regard to the security department's privacy-restricted data, they should be auditable. If you cannot verify them, how do you know they are in place and working? This aspect can get rather technical, and it is here where colleagues from the IT and audit departments can help. Part of the picture is the fact that auditing can be made easy or difficult depending on the design of the security systems. This is where the monitoring capabilities of a rules-based system, such as SAFE from Quantum Secure (www.QuantumSecure.com), can help. For example, it can monitor the access privilege assignments involving privacy-restricted data across multiple systems, ensure that access is granted only to those people specifically approved for such access, and report attempted violations (which may be accidental or intentional).

Security Privacy Compliance Plan

For the security department's privacy-restricted data, documentation of the privacy requirements, data lifecycle analysis, data handling plans and procedures — including computer and data security, training and the means of auditing compliance — should be assembled into a security privacy compliance plan. The fewer the types of privacy-restricted data, the simpler the compliance plan may be.

Privacy and Security System Design

Audit requirements are not new to security systems in the IT domain, but unfortunately, they have been given little consideration in the physical security industry. For example, now that video is being shared over corporate networks for quality control, supervision, compliance, training and marketing evaluation purposes, it is important that access to video can be restricted by camera, time of day, age of video recording and so on. Yet most hardware-based Digital Video Recorders (DVRs) or Network Video Recorders (NVRs) have limited ability to restrict operator privileges and usually support a limited number of operators. Software-based security management systems fare much better in this regard, but generally no video management systems provide an audit trail of operator privilege changes. Thus, someone could assign access in violation of privacy requirements, and there would be no record of it. Where operator access must be controlled for compliance with privacy requirements, today's systems require support from third-party compliance management products.
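As an added example (not code from the article, nor from any DVR, NVR or video management product), here is the operator-privilege control the paragraph describes as missing: video retrieval restricted by camera, time of day and recording age, privilege changes accepted only from approved grantors, and an audit trail that records every change, every refused change and every denied retrieval. Operator, camera and grantor names are constructed; timestamps are ISO-8601 strings so the class can sit in front of any recorder's export interface.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class VideoPrivilege:
    cameras: frozenset  # camera IDs this operator may view
    hours: tuple        # (start_hour, end_hour) permitted time-of-day window
    max_age_days: int   # oldest recording the operator may retrieve

def in_window(hour, hours):
    start, end = hours
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end  # window wraps past midnight (e.g. 22 to 6)

class VideoAccessPolicy:
    """Per-operator video restrictions plus an audit trail of privilege changes."""
    def __init__(self, approved_grantors):
        self.approved_grantors = frozenset(approved_grantors)
        self.privileges = {}  # operator -> VideoPrivilege
        self.audit_log = []   # every grant, refused grant and denied view, in order

    def set_privilege(self, grantor, operator, privilege, when):
        # Only approved grantors may change privileges; refused attempts are logged too.
        if grantor not in self.approved_grantors:
            self.audit_log.append((when, "GRANT_REFUSED", grantor, operator))
            return False
        self.privileges[operator] = privilege
        self.audit_log.append((when, "GRANT", grantor, operator, privilege))
        return True

    def check_view(self, operator, camera, recorded_at, now):
        """Decide a retrieval request (ISO-8601 timestamps); returns (allowed, reason)."""
        rec, cur = datetime.fromisoformat(recorded_at), datetime.fromisoformat(now)
        priv = self.privileges.get(operator)
        if priv is None:
            reason = "no privilege assigned"
        elif camera not in priv.cameras:
            reason = "camera not permitted"
        elif not in_window(cur.hour, priv.hours):
            reason = "outside permitted hours"
        elif (cur - rec).days > priv.max_age_days:
            reason = "recording older than permitted"
        else:
            return True, None
        self.audit_log.append((now, "VIEW_DENIED", operator, camera, reason))
        return False, reason
```

The audit_log list is what an auditor would review to answer the paragraph's question: who changed which operator's privileges, when, and which retrievals were refused.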

While a complete discussion of biometrics is beyond the scope of this article, a note relating to privacy and biometrics data is in order. The loss of a security card or credit card can be remedied by timely cancellation and replacement. One cannot cancel and replace fingerprints and other biometric signatures. The history of private data loss by governments and large organizations raises a cautionary flag about placing biometric data collections in such hands. Smart cards can be used to store biometric data, keeping the data literally in the hands of the user. Privaris (www.privaris.com) has taken biometrics a step further by producing a key fob — named plusID — which stores a biometric template on the fob and emulates multiple card technologies including proximity and smart cards. The plusID device transmits the card information only after the swipe of a valid thumb or fingerprint on the fob. In most cases, this enables the use of biometrics without changing card access systems or readers, and allows individual users to maintain biometric control over their card functionality. Systems which don't collect and store biometric data centrally eliminate one primary source of risk and liability for the system custodian.

Prior to investing in new security technology, security practitioners must closely examine the technology features which support privacy controls over the data and the use of the technology. There can be significant differences between one brand of technology and another.

Research on Privacy and Technology

University and corporate research centers, especially in Europe, have done significant future-oriented research on the privacy implications and impacts of computer technology. The Xerox Research Centre Europe (www.xrce.xerox.com) and other organizations have published a number of articles resulting from research projects on privacy in audio and video surveillance-rich environments. One such paper, “Design for Privacy in Ubiquitous Computing Environments,” is available from multiple sources via a Google search. It states:

“Any realistic definition of privacy cannot be static. With the introduction of new technology, patterns of use and social norms develop around it and what is deemed ‘acceptable’ behavior is subject to change. Naturally evolving social practices may interact with organizational policies for correct usage. In addition, people are more prepared to accept potentially invasive technology if they consider that its benefits outweigh potential risks. In recognition of these facts we take privacy to be a personal notion shaped by culturally determined expectations amid perceptions about one's environment.

“The social practices and policies that determine any rights an individual has to privacy interact with the technical and interface design aspects of the technology they use. Technology is not neutral when it comes to privacy. It can increase or reduce the extent to which people have control over personal data. Our concern is to ensure that privacy should be a central design issue in its own right.”

In a world where privacy concerns grow daily, and where it is a certainty that privacy regulations will increase, security technology providers must actively address privacy concerns from the dual perspectives of the monitored individuals and the security practitioners who deploy the technology.

In support of technology improvements relating to privacy, security practitioners must document their privacy-related technology requirements and share them with leading technology providers. Regardless of the degree of privacy-compliance support currently available from security technologies, security practitioners must be aware of their organization's responsibilities in this regard and act accordingly.

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 20 years. He is founder and publisher of “The Security Minute” 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.