Most organizations collect and store a significant amount of sensitive information as part of their security operations. This includes personally identifiable information gathered through video surveillance, license plate readers, access control systems, and more. The data collected by these systems can help quickly resolve security concerns and reveal important operational insights.

Yet, privacy concerns regarding personal data are becoming more prominent. In Cisco’s 2022 Consumer Privacy Survey, three-quarters of respondents said they wouldn’t buy from a company they don’t trust with their data. Over 80% said they believe how an organization treats personal data indicates how the organization views and respects its customers. 

More governments around the world are also enacting new privacy laws that hold organizations accountable for how they collect, store, and access personal information. To date, 71% of countries have implemented legislation to restrict the collection and processing of, and access to, personal data.

The good news is, security leaders don’t have to choose between protecting privacy and maintaining security. They can find the proper balance between securing an organization and protecting individual privacy. 

Privacy, by design

The gold standard for ensuring privacy is a framework developed by the former Privacy and Information Commissioner for Ontario, Dr. Ann Cavoukian. It’s called Privacy by Design and is the basis for the General Data Protection Regulation (GDPR) and other privacy laws. 

The Privacy by Design framework defaults to the highest levels of privacy protection. Security leaders can collect and store only the information needed and limit access to sensitive data. Security leaders can also fine-tune who can access sensitive data, define how long this data is held, and under what circumstances it’s deleted. 

For example, modern ALPR systems typically store only the ‘read value’ of a license plate. They don’t store the image of the plate itself and may offer the option to store information only if a plate matches with a hotlist. 

Having encryption built in is also an example of privacy by design. Captured data is automatically encrypted. Only operators with the correct credentials can view it. Some companies have a “four eyes” principle, requiring two people to provide credentials to access the information. 
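The controls described above (keeping only hotlist matches as read values, a fixed retention period, and "four eyes" access) can be sketched as follows. This is an added example, not code from the article or from any vendor's product; the class and operator names, the 30-day retention period, and the sample plates are assumptions, and encryption at rest is left out.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

RETENTION = timedelta(days=30)      # assumed retention period
HOTLIST = {"ABC1234"}               # constructed sample hotlist
AUTHORIZED = {"alice", "bob"}       # hypothetical operators cleared for plate data

class PlateRead(NamedTuple):
    plate: str                      # the read value only; no plate image is kept
    camera_id: str
    seen_at: datetime

class PlateStore:
    def __init__(self):
        self._reads = []

    def ingest(self, plate, camera_id, seen_at):
        """Persist a read only if the plate is on the hotlist."""
        normalized = plate.replace(" ", "").upper()
        if normalized not in HOTLIST:
            return False            # non-matching reads are never stored
        self._reads.append(PlateRead(normalized, camera_id, seen_at))
        return True

    def purge_expired(self, now):
        """Delete reads older than RETENTION; return how many were removed."""
        before = len(self._reads)
        self._reads = [r for r in self._reads if now - r.seen_at <= RETENTION]
        return before - len(self._reads)

    def view(self, approvers, now):
        """Four-eyes access: two distinct authorized operators must approve."""
        if len(set(approvers) & AUTHORIZED) < 2:
            raise PermissionError("two distinct authorized operators required")
        self.purge_expired(now)     # never return data past its retention date
        return list(self._reads)

def demo():
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)   # constructed timestamps
    store = PlateStore()
    stored = [
        store.ingest("abc 1234", "gate-1", now - timedelta(days=40)),  # match, but stale
        store.ingest("XYZ9876", "gate-1", now - timedelta(days=1)),    # not on hotlist
        store.ingest("ABC1234", "gate-2", now - timedelta(days=2)),    # match, in retention
    ]
    visible = store.view(["alice", "bob"], now)
    return stored, [r.camera_id for r in visible]

if __name__ == "__main__":
    print(demo())
```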

Embracing Privacy by Design in business is a win-win scenario. Security leaders ensure the highest levels of data protection for their organization, and their customers or visitors gain more control over their personal information.

What about privacy masking?

For privacy related to video surveillance applications specifically, consider privacy masking. A privacy mask hides or anonymizes a part of the video. This is done to protect the privacy of individuals or sensitive information within a monitored space. 

By applying privacy masks, specific zones or objects can be intentionally obscured in the video feed, ensuring they’re not visible or recorded. This feature is important in environments where there are legal or ethical considerations regarding privacy, such as public spaces or even correctional facilities.

Let’s dive into the different types of privacy masking – static and dynamic.

Traditional privacy masking is static. The mask blocks defined areas in an image or live video feed. Typically, this is done directly on the camera and can be used, for example, to hide the keypad of a credit card terminal in a top-down view at a cash register.

Dynamic masking blurs or anonymizes all relevant objects or people in motion. Everything else in the video frame or image can be seen and monitored as usual. This ensures identities are protected while still allowing operators to see what’s happening in the video footage. A dynamic video anonymization solution is a more effective masking method for privacy protection. It completely removes individuals’ identities from masked video streams. 

Implementing privacy masking at your facilities is a good first step to proactively address concerns about video surveillance footage. But what happens when someone needs to share video with an external stakeholder? 

Redaction is a post-processing technique that is applied after the video has been recorded. It involves removing or blurring specific sections of the video during the review or export process. Redaction is often used when there’s a need to share video footage for evidence or public disclosure while safeguarding sensitive details.

Building trust and transparency

Security leaders want their customers to trust that their data is being handled properly. Three simple ways you can improve your privacy posture are: 

  • Make sure the only people who have access to sensitive data are those who really need it. 
  • Be selective about the data to collect: only collect and store the information that’s necessary.
  • Develop an internal privacy policy that describes what data is collected, how it’s stored (and for how long), who can access this data, and under what circumstances.

Investing in physical security technology that is designed from the ground up with privacy in mind makes it easy to stay compliant with privacy best practices. These solutions give security leaders complete control over their data so that they can adjust protection methods and processes to meet evolving regulations. Security leaders can configure the system to define who has access to sensitive data and footage without slowing down response times or investigations. When these measures are in place, it’s a team effort to ensure security with strong privacy protection.