One of the much-discussed aspects of privacy is the use of AI technology in surveillance. For lawmakers, it is always a challenge to balance the needs of surveillance for security purposes against the ethics of avoiding privacy infringement. CCTV cameras on the road or in large premises can often be a source of privacy infringement, since the footage can be linked to a facial recognition system.
Privacy laws often provide exemptions for law enforcement agencies for surveillance. In India, any instrumentality of the state is exempted from the provisions of DPDPA in the interests of sovereignty and integrity of state etc., including “Maintenance of Public Order” or “Preventing incitement to any cognizable offence related to national security or public order”.
But these exemptions are not available for private sector organizations who may use similar surveillance to protect corporate assets. In most cases software service providers may have easy access to the data from the law enforcement agencies either with their knowledge or otherwise.
CCTVs are also used by the private sector in offices and factory premises, and in these organizations the justification has to be built on “Security” of the enterprise. Most gated communities use CCTV and Visitor Entry systems where the facial identity of individuals is captured by the security agencies as a routine. In such instances, the use of AI to identify people, both from facial recognition and from other behavioural factors such as gait recognition, is an interesting challenge to the DPO.
The pictures collected for visitors are in most cases good enough to be used with AI for a successful KYC in any banking system. Hence these close-range pictures are highly risky from the privacy perspective, and leaving them in the hands of security agencies is a matter of concern. The DPOs have very little control over misuse in such cases.
Normally, the physical security managers who monitor CCTV or Visitor management are not part of the Information Security system. They may report to facility managers and not to CISOs.
Recognizing the importance of “Electronic Vigilance” and its impact on privacy, it is time for organizations to consider whether they are sufficiently involving facility managers in their Information Security management team, or involving their CISOs and DPOs in facility management.
Most information security standards do recognize that physical security aspects such as power systems, AC ducts, lift systems, etc., along with the network of CCTV, are part of the overall Information Security system. But most of these stop at looking at past CCTV footage when a crime is committed and identifying criminal actions.
With the advent of AI, it is now possible to identify suspected behaviour in real time and prevent the occurrence of a crime. Common sense says that there should be no disagreement about using technology to enhance security in corporate premises or a gated community. But privacy professionals may have an objection to behavioural monitoring without consent and to automated decisions that could cause harm to data principals.
Currently, CCTV capturing is done with just a notice pasted on the wall. The Visitor Management systems may not have specific electronic consent built into the system. Hopefully some of the developers of these systems may be building such consents into the screen. There are many security managers who even collect Aadhaar Cards or PAN cards and hold them in safe custody against the return of the visitor badges issued. The DPOs of such organizations need to recognize the risk of security personnel misusing the temporary custody of the document. Similarly, all hotels collect copies of such documents and retain them for a long time even after the person checks out.
While it is perfectly justifiable to collect identity documents and analyse the available data for security purposes, organizations need to have adequate security measures to prevent misuse. Developing appropriate policies, creating awareness and training the manpower are therefore as big a challenge as preventing Phishing and Ransomware attacks.
DPOs need to focus on such Electronic Vigilance systems in the post-DPDPA scenario.
Naavi