Privacy analysis necessary for access control systems
01 December, 2009
category: Contactless, Corporate, Library
One of the clues that led the New Haven, Conn. Police Department to the murderer of a Yale lab technician was the audit log of the physical access control system in place at the research facility. The card swipe logs showed that Raymond Clark III was the last person to access the lab where Annie Le’s body was discovered, and they proved to be a key piece of evidence that led to his arrest.
This is an example of how a physical access control system can be used for good, but corporations deploying such systems also need to make sure employees know how information in the system is being used and stored, and what is on the card itself, says Kathleen Carroll, director of government relations at HID Global. “As use of these cards expands, the issue comes to the forefront a lot more,” she says.
Corporations need to keep abreast of any state legislation that may affect the use of different ID technologies, Carroll suggests. States often use the term RFID for any technology that communicates via radio waves, a definition that sweeps in contactless smart cards. California and Washington state have passed legislation that bans surreptitious reading of RFID. “The good news is legislators have banned the wrong behavior instead of the technology,” Carroll says.
Multi-national companies also need to keep up with legislation from all states in which they have offices. The European Commission has recommendations regarding the implementation of privacy and data protection principles in applications supported by RFID that would affect smart card applications as well.
After making sure the system is in compliance with any applicable laws, the next step is to conduct a privacy impact analysis, Carroll says. Corporations can find templates for the survey on the U.S. Department of Homeland Security Web site.
Overall, however, corporations will want to make sure to:
- Minimize use of personally identifiable information
- Limit the length of time that data is retained
- Use available technology solutions such as encryption to protect personally identifiable information
- Control access to the data collected and make sure an audit trail is in place in case of a breach
- Establish mitigation procedures if a breach occurs
Depending on what information is stored in the ID management database, employers will want to take steps to protect that as well, Carroll says. Some databases contain an employee’s name, phone number, license plate number and other data. Employers should limit access to this information and encrypt it.
Employees should also know what information is being stored, how it may be used and whether they are monitored, Carroll says. If the information is used to monitor employees, the employer should obtain their consent as well.
Here are guidelines an employer should consider before deploying a system:
- Use of physical access control systems data for employee monitoring should be based on the employer’s legitimate business justification.
- If a third-party service provider stores the information generated through system monitoring, the service contract should prohibit any use or disclosure of said information without the employer’s consent or by force of law.
- Policy on use of the system by both the employer and the employee should be drafted and communicated to all parties.
Many employers already notify employees that they track their computer usage, so this would be an additional step. As physical access control converges with logical access control on a single credential, employers need to make employees aware. “If you’re up front you avoid any problems down the road,” Carroll says.