Where does your video live? The importance of data residency
By Colin Bodbyl
With the increasing popularity of software as a service (SaaS) in video surveillance, one often overlooked question users should be asking themselves is where that data is being stored.
Despite the name, even cloud services have physical servers storing user data somewhere in the world. The physical or geographical location where that data is stored is called data residency.
If you are part of a company that is developing its own software and running it on a cloud service like Microsoft Azure or Amazon Web Services, you likely know which data centre is storing your information and where it is located. On the other hand, if you are part of a company that is using a SaaS or hosted solutions where you pay to use a web-based software or portal, it is usually less clear where your data resides.
This might sound concerning, but Canada has in place the Personal Information Protection and Electronic Documents Act (PIPEDA) to govern how commercial businesses collect, use, and disclose personal information. PIPEDA does not restrict the transfer of personal data outside the country, but it does allow the government to hold organizations accountable for the protection of personal information, including when transferred to foreign businesses.
The question then becomes, is video surveillance footage protected under the laws of data residency in Canada? The answer is yes. Video surveillance footage that captures any information about an identifiable individual is subject to privacy laws in Canada. This is not restricted to recorded video and includes live streaming to remote locations.
While a lot of surveillance cameras capture data that would not be considered personal, the improvements in resolution along with new uses of surveillance cameras has complicated the matter. Today, a high-resolution camera could easily capture an identifiable image of an individual from hundreds of feet away. In addition, surveillance cameras are now being used to capture the behaviour of individuals, like where they walk, or what products they buy.
The most invasive and personal of all surveillance products is facial recognition. In the past, this technology required a camera to be positioned at close range in front of a user’s face, but today even discreet cameras can be used for facial recognition.
Video surveillance companies need to be careful to follow data residency laws, and particularly careful when transferring that video out of the country. Fortunately, there are a few things companies can do to limit their risk and better protect client data.
Signage is a simple and effective way to make the public aware that they are being monitored by a surveillance system. Respect the privacy of those individuals and provide them with answers, including access to footage where they were captured on camera.
Limit access to the video and educate those who have access on privacy laws. In addition, formal policies should be in place for those who do have access, and they should be educated on the importance of protecting individuals’ privacy.
Data residency is a complicated and often times confusing topic. The complexity only increases when using cloud or SaaS products where the location of that data is sometimes unclear.
Fortunately, there are some simple steps businesses can take to minimize their risk. As more software moves offsite and into the cloud, video surveillance companies need to understand the impact of data residency, and their responsibility in protecting the privacy of not only their customers, but the people captured on those systems.
Colin Bodbyl is the chief technology officer of Stealth Monitoring (www.stealthmonitoring.com).