Why a Uniform Privacy Law Would Be Good for the Security Industry

Kathleen Carroll
Kathleen Carroll is chair of the SIA Data Privacy Advisory Board.

Compliance costs are a drag on profitability for all businesses, and security companies are no exception. As privacy laws are enacted on a state-by-state basis, complying with them will introduce new costs for all of us. As troubling are efforts to ban some of the technologies many security conscious organizations, including law enforcement, are using to keep all of us safe. 

Laws introduced in the name of privacy include bans on the use of facial recognition technology as well as limits on the use of other biometric security technologies. In addition, there are General Data Protection Regulation-like privacy bills being enacted and introduced in states from Washington to Virginia to Florida. The result is a compliance nightmare for many of us. A viable option comes from the Uniform Law Commission (ULC) in the form of a uniform privacy law. The ULC’s Collection and Use of Personally Identifiable Data Committee is currently working on a draft model law. The committee is drafting the Uniform Personal Data Protection Act and is open to the participation and comments of interested parties.

The draft law introduces the concept of duty in the context of obligations imposed on data controllers and data processors. Collecting controllers means a controller that “initially collects personal data from a data subject.” Controller means “a person that alone, or with others, determines the purpose and means of processing.” A data processor is defined as a person that the controller authorizes to access personal data…and performs designated operations including collection, use, storage, disclosure, analysis, prediction and modification. Duty applies to accepted privacy principles. Here are some of the eight duties defined:

  • Duty of loyalty – refraining from unfair, deceptive or abusive practices
  • Duty of data security – requires the adoption, implementation and maintenance of reasonable data security measures
  • Duty of data minimization – limits the collection, processing or retaining of personal data to only that which is required to accomplish the specified purpose
  • Duty of transparency – requires providing data subjects with “reasonably accessible, clear and meaningful privacy notices which make a series of specified disclosures.”

The other duties include a duty of purpose limitation, duty to conduct all processes by written agreement, duty to designate a data privacy officer and a duty to conduct a data privacy assessment. Conducting a data privacy assessment is one of the most basic ways to determine the risk to privacy associated with the processing of personal data in a security context. This leads me to what I consider an important provision in the proposed model law and that is the idea of “safe harbor.”

The draft act “creates a safe harbor for covered entities that comply with voluntary consensus standards,” which are defined as being written “through a private process that assures that all stakeholders participate in the development of standards.” Part of the reasoning for providing a safe harbor is that data practices differ significantly from industry to industry (and in the security industry even from technology to technology), as do customers’ privacy expectations. For example, in some security applications, customers (consumers) may want to share more personal information to ensure the safety of family members or employees. A case in point is the sharing of location data in the case of an emergency.

Two caveats: voluntary consensus standards do not encompass industry codes or other forms of self-regulation, and they must substantially comply with the provisions of the act. The act describes the process for creating voluntary consensus standards which are to be developed in concert with consumers, businesses and other stakeholders. In the case of the security industry, we could include law enforcement. Some of the elements of a voluntary consensus standard might focus on creating a format for a data privacy policy that is transparent and “will provide consistent and fair communication of the policy to data subjects,” rules for how and when affirmative consent from the data subject is required and a framework for implementing reasonable security to protect personal data. Sections 14 and 15 of the act discuss the process for development and recognition of a voluntary consensus standard.

The SIA Data Privacy Advisory Board is proposing to create codes of practice for the different security technologies we manufacture, deploy and operate that could form the basis for voluntary consensus standards. To achieve such a goal, I believe we should include all stakeholders in this process as the codes of practices will be more universally accepted if they have buy-in from the community of users at large. The board welcomes the comments and participation of SIA membership as we work toward building privacy into our solutions.

You can follow the Committee here. As chair of SIA’s Data Privacy Advisory Board, I encourage my fellow members to engage with the ULC if only to follow new developments as the Uniform Personal Data Protection Act goes through the drafting process. To learn more and get involved, contact Ron Hawkins, director of industry relations at SIA, at rhawkins@securityindustry.org.