Privacy by design and privacy by default
According to GDPR, the controller of personal data, when processing such data, has an obligation to implement technical or organizational measures which are designed to implement the data protection principles set out in GDPR. GDPR refers to this as privacy by design.
In the context of a camera, a relevant example of privacy by design would be a feature that digitally allows the user to restrict image capture to a certain perimeter, preventing the camera from capturing any imagery outside this perimeter that would otherwise be captured.
In the XProtect VMS, there is support for privacy masking in two forms: permanent masks that cannot be removed, and liftable masks that (with the right permissions) can be lifted to reveal the image behind the mask.
The Data Controller also has an obligation to implement technical or organizational measures which by default ensure the least privacy intrusive processing of the personal data in question. GDPR refers to this as privacy by default. In the context of a camera, a relevant example of privacy by default could be using privacy masking to keep a sensitive area within the view of the camera private.
What is an example of an XProtect feature that supports the privacy by design approach?
Milestone develops its portfolio of products continuously, and privacy by default is a key evaluation criterion in making XProtect GDPR compliant. The Milestone Secure Development Lifecycle guide is an integral part of privacy by default, applying principles such as "defense in depth," "least privileges," and avoiding less secure default settings and turning off infrequently used features by default.
What should you do to ensure privacy by design?
- Consider the resolution of different points in the camera scene and document these settings
Different purposes require different image qualities. When identification is not necessary, the camera resolution and other modifiable factors should be chosen to ensure that no recognizable facial images are captured.
- Encrypt your recordings
Milestone recommends that you secure your recordings by enabling at least Light encryption on your recording servers' storage and archives. Milestone uses the AES-256 algorithm for encryption. When you select Light encryption, only a part of the recording is encrypted. When you select Strong encryption, the entire recording is encrypted.
- Secure the network
Milestone recommends that you select cameras that support HTTPS. It is recommended that you set the cameras on separate VLANs and use HTTPS for your camera to recording server communication, as well as clients to recording server communication.
It is recommended that you enable encryption of the media communication from the Recording Server to other servers and clients.
It is recommended that XProtect Smart Client and XProtect Smart Wall are on the same VLAN as the servers.
Use a VPN encrypted network or similar if using Smart Client or Smart Wall from a remote location.
- Enable and document the intended retention time
According to Article 17 subparagraph 1a of the GDPR, recordings must not be retained longer than necessary for the specific purposes for which they were made. Milestone recommends that you set the retention time appropriately. Setting a retention time automates the disposal of video once that time has elapsed.
- Secure exports
Milestone recommends that you only allow access to export functionality for a select set of users that need this permission.
Milestone also recommends that the Smart Client profile is changed to only allow export in XProtect Format with encryption enabled. AVI and JPEG exports should not be allowed, because they cannot be made secure. This makes any exported evidence material password protected, encrypted and digitally signed, ensuring that forensic material is genuine, untampered with and viewed only by the authorized recipient.
- Enable privacy masking – permanent or liftable
Use privacy masking to help eliminate surveillance of areas irrelevant to your surveillance target.
- Restrict access rights with roles
Apply the principle of least privilege (PoLP).
Milestone recommends that you only allow access to functionality for a select set of users that need this permission. By default, only the system administrator can access the system and perform tasks. All new roles and users that are created have no access to any functions until they are deliberately configured by an administrator.
Set up permissions for all functionality, including: viewing live video and recordings, listening to audio, accessing metadata, controlling PTZ cameras, accessing and configuring Smart Wall, lifting privacy masks, working with exports, saving snapshots, and so on.
Restrict operators' access to recorded video, audio, and metadata, either completely or to only the video, audio, or metadata recorded in the past few hours or less.
Regularly assess and review roles and responsibilities for operators, investigators, system administrators and others with access to the system. Does the principle of least privilege still apply?
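The role model described above (default deny for new roles, explicit permissions per function, time-limited playback for operators, and a separate permission for lifting liftable masks while permanent masks stay fixed) can be captured in a small access-check model. This is an added example written for this article, not Milestone's code or the XProtect API; the role names, permission names and the review helper are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Permission names are hypothetical labels for the functions the article lists.
LIVE_VIDEO = "view_live_video"
PLAYBACK = "view_recordings"
LIFT_MASK = "lift_privacy_mask"
EXPORT = "export"
ADMIN = "administrator"


@dataclass
class Role:
    name: str
    # Default deny: a new role carries no permissions until an administrator adds them.
    permissions: set = field(default_factory=set)
    # If set, playback is limited to recordings younger than this many hours.
    playback_window_hours: Optional[float] = None


def may_lift_mask(role: Role, mask_kind: str) -> bool:
    """Permanent masks can never be lifted; liftable masks need the explicit permission."""
    if mask_kind == "permanent":
        return False
    return ADMIN in role.permissions or LIFT_MASK in role.permissions


def may_play_back(role: Role, recording_age_hours: float) -> bool:
    """Playback requires the permission and, if a window is set, a recent enough recording."""
    if ADMIN in role.permissions:
        return True
    if PLAYBACK not in role.permissions:
        return False
    window = role.playback_window_hours
    return window is None or recording_age_hours <= window


def review_roles(roles) -> dict:
    """List roles holding sensitive permissions, as input for the periodic least-privilege review."""
    sensitive = {ADMIN, LIFT_MASK, EXPORT}
    return {r.name: sorted(r.permissions & sensitive)
            for r in roles if r.permissions & sensitive}


# Constructed sample roles (hypothetical, not XProtect defaults).
OPERATOR = Role("operator", {LIVE_VIDEO, PLAYBACK}, playback_window_hours=2)
INVESTIGATOR = Role("investigator", {PLAYBACK, LIFT_MASK, EXPORT})
NEW_USER = Role("new_user")  # nothing granted yet
```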
- Enable and use two-step verification
Milestone recommends that you specify an additional login step for users of XProtect Mobile or XProtect Web Client by enabling two-step verification.
- Restrict administrator permissions
Milestone recommends that you limit the number of users that have an Administrator Role.