By Andrew Seldon.
One of the crucial aspects of commercial security is visitor management. The security of any location with a constant flow of people is to no small degree dependent on the careful and effective control of visitors, contractors and anyone legitimately coming and going throughout the course of a day.
A crucial aspect of visitor management, however, is privacy. In the past, companies paid scant attention to privacy and details collected from visitors, even details as sensitive as identity numbers, were handled carelessly. Today, privacy is becoming an important issue globally, and the introduction of the POPI Act, when it is eventually enforced, will have significant implications as to the collection, use and disposal of such information.
Hi-Tech Security Solutions approached a number of experts in the field of visitor management and asked them for some insight into the topic, especially as far as privacy is concerned. Our interviewees were:
• Mark Paynter from Ideco,
• Gary Chalmers from iPulse, and
• Barry East from Impro Technologies.
Hi-Tech Security Solutions: Privacy is a major issue today. Many visitor management solutions read very personal information, such as ID numbers from drivers’ licences and collect phone numbers and so forth. Is all this information really necessary for access to a location? Why do they require this information and what do they do with it?
Mark Paynter: There are two crucial considerations to the above. Firstly, occupational health and safety legislation and the physical security and risk exposure of an organisation, and secondly the protection and risk exposure of visitors’ and organisations’ personal information.
Physical security and fraud: One of the biggest operational challenges faced by organisations in South Africa these days is physical security and fraud. Statistics show that incidents of armed robberies, intrusions and related occurrences continue to follow an upward trajectory. Commercial fraud also follows an upward trend year on year. This is forecast to increase with the current economic downturn. It is therefore vital that organisations mitigate and minimise their physical security and fraud risk exposure by implementing the latest solutions and proven best-of-breed crime prevention systems.
All crimes start somewhere, and generally a crime begins with someone giving out sensitive operational information and with a syndicate ‘scouting’ the target organisation via contractors, security guards, casual vendors or company staff. Having a crime syndicate associate or scout on your premises is comparable to having a Trojan Horse virus in your company’s ICT system. It is dangerous, malicious, unwanted and often difficult to detect. By implementing a system which accurately records and verifies the visitors’ personal details and information, an organisation’s exposure and risk are drastically reduced and criminals opt to rather focus on a more vulnerable target, where their fingerprints and ID numbers are not recorded or verified.
Occupational health and safety: The OHS Act states that organisations “shall keep a register of the entries and exits contemplated in sub-regulation (1) and that register shall be available for inspection by an inspector.
“Whenever in any legal proceedings in terms of this Act it is proved that any person was present on or in any premises, that person shall, unless the contrary is proved, be presumed to be an employee.”
So in terms of OHSA, an accurate visitors’ register is a legal requirement. Depending on the environment, an organisation may be required by law to record and store all visitor information for up to 20 years.
Protection of personal information: The recent implementation of the POPI Act makes it imperative for visitors to record, manage, process and store visitor information in a responsible and compliant manner. In my opinion, this is a good thing. I would far rather allow my personal details to be recorded and managed by a POPI compliant system than by a redundant visitor register where my sensitive information is susceptible to fraud, manipulation and misuse.
Gary Chalmers: Most of the visitor systems in place today are outdated and stemmed from a safety requirement to know who was in your building, specifically in case of a fire or other emergency. However, in practice, the system most often translates to a ‘visitor logbook’, with information clearly visible to everyone, and in which most people submit inaccurate information at best. To add insult to injury, the completion of these log books is normally followed by someone manually opening a gate on the visitor’s behalf, thus losing any tracking information.
Since the introduction of the POPI Act, these visitor books are actually in contravention of a person’s right to privacy, and are not in any way compliant with the Act. While the information being collected is often valid in terms of security and the right of the building owner or tenant to have access to information about people who visit their sites, the manner in which it is collected is no longer legal, nor does it actually fulfil the ultimate requirements of increasing security and providing information about visitors.
Barry East: There is always a balancing act between security and convenience. The more security that is needed or wanted, the less convenience there will be for the visitor as more information will be collected to verify their identity. This information is also used in the event of a problem in order to contact and, if necessary, prosecute the offender.
Hi-Tech Security Solutions: When collecting this information, what privacy issues should organisations take into account? What problems do they expose themselves to if this data is lost or stolen? Can they protect themselves by outsourcing to a guarding company and letting them be accountable?
Mark Paynter: To collect and manage visitors’ information in a non-POPI compliant manner is not only illegal, but is also irresponsible and inefficient. The POPI Act carries penalties and even possible imprisonment for non-compliance. This is, in effect, a progressive legislative move, as it forces organisations to manage people’s sensitive personal information in a responsible manner.
Traditional paper-based systems are widely abused and are generally not trusted by visitors. Industry studies have shown that more than 75% of the time the information recorded is illegible, inaccurate or incomplete. Apart from this presenting a compliance risk to organisations, it is also a security and fraud risk, because criminals know that they can gain access to an organisation’s premises without their details being accurately recorded.
In terms of the POPI Act, an organisation must be able to prove consent by the visitor to store his/her personal information. This can be achieved via electronic biometric signature or digital signature pad, or may also be done via manual paper-based signature. The obvious challenge with a manual paper-based consent is that the consent documentation then also needs to follow a POPI compliant process, which in effect would defeat the objective of digitising the process. VM systems which claim POPI compliancy, yet have no proof of visitor consent, are in effect fraudulently misleading consumers.
In terms of OHS legislation, organisations are required to store visitor information for up to 20 years. This however needs to be done in a POPI compliant manner. Organisations need to properly understand the critical importance of this responsibility and the onus which they are then placed under to operate VM systems which are compliant. To ensure correct and compliant VM processes is, in my opinion, a very specialised and detailed process.
An organisation is ultimately responsible for compliance with POPI legislation, however, by outsourcing the process to a specialist service provider or security company, some of the risk and responsibility would naturally be mitigated. It is imperative to ensure that the company appointed to manage the VM process has a proven track record and that their system and process has been audited and approved by POPI experts.
Legislation around POPI is specific and comprehensive. There are many service providers and companies which claim (even in marketing) that their VM system is POPI-compliant when in fact a basic overview of the system shows one or more non-compliance issues. This is misleading for end-users and is false advertising. An example is a VM system which claims compliancy, yet has no record of the visitor’s consent for their information to be recorded and stored.
Gary Chalmers: As per the above, the POPI Act is very clear on the collection, usage, storage and disposal of information, amongst other items. Unless companies carefully and clearly stipulate their policies around all of these aspects of the data collection, storage and disposal, they are at risk, regardless of who is collecting the data on their behalf, and can be held personally liable (in the case of directors and officers of the company).
Barry East: All sites should ensure they have the correct legal counsel depending on the usage and storage facilities used, to ensure they adhere to the relevant legislation. Further, each site has unique requirements/elements which need to be taken into account and a solution tailored to those needs, while remaining mindful of the legal obligation to ensure data security, regardless of whether an on-premise or cloud-based solution is chosen. This is no different to the situation with employee data or contractor data that is also collected in the normal course of business – the same rules apply.
Hi-Tech Security Solutions: How can technology help in protecting privacy in the visitor management space? What proven solutions are available?
Mark Paynter: The POPI Act is regarded by privacy experts to be both progressive and also aligned with best global practices for protection of personal information. In my opinion, this is a pocket of excellence for a very troubled South Africa. By digitising the VM process, full compliancy is not only possible, but is already commercially available as a standard offering via the EVIM platform.
A VM service provider should be both knowledgeable and in compliance with personal information protection laws. Some visitor management systems take photos of visitors at time of check-in. If the photo is retained, it must be stored in a secured and protected environment. Hosting solutions and platforms should regularly be audited for compliancy and penetration tested for exposure and hacking. EVIM protects and secures visitor data not only in compliance with personal information protection laws but also in compliance with OHS act legislation.
The EVIM solution conducts a real-time ‘live’ check of a visitor’s identity against a national database. This live ID check is not done against the DHA database as is often incorrectly claimed. This Live ID verification drastically reduces an organisation’s exposure to crime and fraud, and organisations which implement the EVIM Live ID checking solution have to date all reported a 0% crime rate since implementation.
Gary Chalmers: iPulse provides a visitor management system called VisitorIQ, which when combined with our hosted database, BIOVAULT, provides a completely POPI-compliant solution for companies wanting to track visitors coming into or going off the premises. Used in conjunction with devices like our eSkan 250, vehicle registration discs and driver’s licences can be read to provide additional information about both individuals and vehicles entering and leaving the premises.
This differs from the current paper-based systems in two critical areas:
1. The information collected in this manner is accurate, up-to-date and reliable.
2. The data can be searched, tracked, used and disposed of in a measurable, audited manner.
Barry East: There are a myriad of different solutions available in the IT world, as on-premise or in-cloud security is not unique to visitor management, or even access control. The protection of personal information, whether that is business documentation, IP or personal credentials, all face the same risk in this day and age; and the extent to which you can protect the data is tightly linked to the budget you’re willing to allocate to that risk.
Hi-Tech Security Solutions: How will the current state of visitor management change when POPI is in effect?
Mark Paynter: In theory, organisations should be ensuring POPI compliancy already, because although the act is not yet being policed or enforced, it is already signed into legislation and is operative. I envisage that all manual and paper-based VM processes as well as non-compliant digital VM processes will be viewed as illegal and irresponsible in the not too distant future.
Gary Chalmers: This has been dealt with above. I believe that currently an estimated 95% of all businesses and property owners are in contravention of the POPI Act with their current visitor books and manual systems. Over the next few years this is ultimately going to become a major issue – especially once an example or two has been made, something I believe is coming shortly.
Barry East: Whether your site is on-premise on a traditional server, or on a VM server, or in the cloud in a hosted VM environment, the requirements to meet the POPI Act will be the same – there is no different rule for different technologies.
However, certain hosted environments have the option of additional security and protection as part of their extended offering, which go a long way to addressing the POPI need. A good example of this would be Microsoft’s Azure environment, cloud-based servers that provide guaranteed up time, data encryption and enhanced protection against such threats as hacking.
Hi-Tech Security Solutions: If you were to advise on a new visitor management project, what are the top three pieces of advice you would offer to the customer to ensure the final solution is effective, reliable, legal and safe for users?
Mark Paynter: Data security – does the VM service provider conduct independent annual third-party audits for data security and POPI compliance, and is regular penetration and breach testing conducted on their hosting servers? In this day and age, every service provider should be required to prove that they are handling data responsibly and securely and that they have completed an annual audit stating that they adhere to industry standards for data security and privacy. For SaaS (Software as a Service) VM service providers, have they passed a penetration test in the past 12 months? Do they have third-parties regularly perform penetration tests?
Live ID screening – does the VM system conduct a live compliant ID check? If it doesn’t then any fraudulent and fake details or ID credentials will go unchallenged making the system a toothless watchdog.
Watch lists/do not admit listing – does the visitor management system have a global ‘watch list’ or ‘do not admit’ list for all locations within an enterprise corporation or all companies in a multi-tenant environment, and is the service provider able to integrate with law enforcement and intelligence watch lists to ensure that high risk visitors and vehicles are flagged? Organisations with multiple locations and facilities down the road or in another province need to be able to update and share a barred visitors list in real time. Some visitor management solutions integrate with corporate HR networks to ensure that ex-employees, disgruntled ex-customers, and those that should otherwise be barred from your building are denied access.
Gary Chalmers: In general, the three key things to look for in any VM project would be as follows:
• A clearly defined collection methodology that ensures that you get clear and accurate data which is usable in the case of an event such as a fire or theft occurring.
• A clearly defined methodology for storing, retrieving, displaying and disposing of the data stored in the system that meets the requirements laid down by POPI.
• A system that meets the above criteria, but is convenient and not too overwhelming for first time, and especially returning visitors or contractors.
Barry East: My first question would be, do you have the in-house IT expertise to design, deploy, configure and manage a VM environment, whether on-premise or in the cloud? This is a crucial question as IT expertise is a must. Depending on the answer, it would dictate whether this function is undertaken in-house or outsourced.
The next focus would be on whether your stored data is critical to your operation, and if you’re able to comply with ISO 27001 standards. And finally that there should be an annual IT audit to ensure ongoing compliance, with a full risk assessment to ensure you meet changing circumstances.
In closing, data security is primarily an internal IT function. If the design and deployment of the IT infrastructure, whether on-premise or in the cloud, has not been carefully considered, loopholes well outside the control of the system vendor can exist and expose the end user to potential threats or legal complications. As more IP devices are added to the network, so the need to ensure the necessary level of IT competence and expertise increases. This trend will only grow as the technologies advance; what we see today in the business environment will be the future of home environments with elements such as the Internet of Things and IPv6 devices.