How Is Your Organization Protecting Video Privacy?

A growing body of legislation means more schools, hospitals, and institutions of higher education need a tech strategy that defaults to anonymization and privacy.
Published: August 19, 2024

In the digital age, society has come to a general understanding of what personal data needs protecting. This includes health records, for example, as well as financial records, browser histories, and students’ grades.

Governments have taken a variety of steps to legislate data privacy. In the U.S., decades ago, lawmakers even decided a person’s videotape rental habits were protected. Now courts are deciding whether that covers online streaming.

Related Article: How Physical Security Can Improve Campus Policy and Procedure Compliance

Generally, we’ve known how such data was generated, who had it, and roughly where it resided and needed protection. But data evolves. Beyond records held in databases and digital documents, data now includes the millions of terabytes of video created every day.

——Article Continues Below——

Get the latest industry news and research delivered directly to your inbox.

Video from CCTV security and IP cameras, drones, body-worn cameras, smartphones, you name it. And if a person or person’s property (like a car) is identifiable in that video, it can be deemed personal data that increasingly must be protected.

We see aspects of this already today: local authorities want to share security video to help identify a suspect, for instance, but they don’t want to share the identities of all the bystanders to protect their privacy.

Or a TV news station plans to broadcast smartphone footage of a protest but must be mindful of showing onlookers. Or even video that may fall under existing privacy laws, like the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA).

If a doctor’s office maintains cameras for its own security, video of its patients coming and going may need to be protected from unauthorized viewing, sharing, or identification.

The Privacy Landscape Is Evolving

So, how do we do protect video data privacy in a time when video comes from myriad sources; is stored on devices, servers, and in the cloud; and is governed by a patchwork of privacy regulations that’s constantly evolving? This is especially important at a time when umbrella privacy regulations are becoming the norm.

Related Article: 3 Ways to Balance Security and Privacy on Healthcare and College Campuses

The best course is what I’ll call default security. In other words, today’s myriad video systems should default to privacy protection through technology that anonymizes all video data as necessary — and as privacy frameworks evolve — yet still allows organizations to use that video information for the various reasons they require it — physical security, monitoring, and operations improvement, to name a few.

Not only does default video security ensure compliance, it goes a long way toward building trust among consumers, employees, and institutions.

Legislation Could Impact Video Data Practices

In the U.S. the biggest privacy framework on every organization’s radar is the American Privacy Rights Act (APRA). Currently under consideration by congress, APRA would establish national consumer data privacy rights and set standards for data security, effectively unifying the patchwork of state and federal data protection measures already in effect.

In many ways, APRA is like the European Union’s General Data Protection Regulation (GDPR), published in 2016, in that it seeks to safeguard personal information and empower individuals with greater control over their data, including video data. But even if APRA changes dramatically — or never passes into law — the patchwork remains and evolves, ensuring video data privacy is an ever-present consideration as our digital lives advance.

With video cameras permeating everyday life, and courts essentially agreeing that if an organization discloses its use of video, it can record in publicly accessible locations, individuals have largely come to accept they’re often on camera. But that doesn’t change the fact that in most cases, that footage may be considered personally identifiable data that needs protecting — especially now, as generative artificial intelligence (AI) can allow nefarious actors to manipulate unprotected video, audio, and imagery. It’s one thing to criminalize publication of so-called “deepfake” videos; it’s another to protect video data before it can be altered. And with so much video being stored and handled in the cloud, security is paramount.

Related Article: Safeguarding Education: Navigating Privacy and Compliance in Teacher Communications

So if we accept that different organizations use video for varied, productive reasons — video security in retail stores and schools, police body cameras, municipal traffic cameras, surveillance in transportation hubs, offices, elevators, etc. — and we support standards and legislation to protect individuals’ video data as we would their digital records and information, then we’re faced with a challenge.

How do we create the infrastructure to not just manage but also protect video data across their enterprise in compliance with current and future laws?

Consider Implementing Default Anonymization as Privacy Layer

The best way to think about the challenge is to consider real-world situations. For example, think about a Freedom of Information Act (FOIA) request for video footage of some event or occurrence. To fulfill such a request while protecting the privacy of bystanders in the video, faces may need to be digitally “blurred out” — a potentially painstaking process.

Or, as legislation like GDPR and eventually APRA give consumers more control over their privacy, they would be within their rights to seek all video footage of themselves in relevant locations, like malls, hospitals, office buildings, or schools. But they don’t have rights to others’ identities in the same footage.

The solution is to introduce a privacy layer to video management platforms that effectively defaults to complete security and gives organizations the power to anonymize personally identifiable information in their video streams.

Related Article: 2023 Video Surveillance Survey Finds AI, the Cloud, and LPR Gaining Traction on Campuses

Whether it’s live or recorded video, this privacy layer uses artificial intelligence (AI) and machine learning to digitally detect and redact the video data that needs protecting, like faces, addresses, license plate numbers, and more. What’s more, it should be powerful enough to track and anonymize individuals in every frame of the video for maximum compliance.

By giving organizations a privacy layer that defaults to complete security — in other words, anonymizing all the video it handles — the organization is in a better position to comply with whatever data protection and handling regulations come its way. Not to mention, this privacy layer dramatically accelerates and streamlines the handling and sharing of video in compliance with data requests or other situations.

Ultimately, a privacy layer for video management acts as future-proofing not only against new regulations, but also in support of innovative applications. Imagine real-time video footage of busy transit hubs.

By anonymizing the video through a privacy layer, operators can publicly share the footage, so people know when traffic is heavy or light, while remaining in compliance with prevailing privacy laws.

The fact is data privacy legislation like APRA represents a tipping point in the handling of video data. Suddenly, any organization — public or private — that collects video should be prepared to protect it as personal data.

That could prove a tall task, unless the video management system it uses defaults to privacy.

Simon Randall is the chief executive officer of Pimloc. This article originally appeared in CS sister publication Security Sales & Integration and has been edited.

Note: The views expressed by guest bloggers and contributors are those of the authors and do not necessarily represent the views of, and should not be attributed to, Campus Safety.

ADVERTISEMENT
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series
Strategy & Planning Series