Visitor Management and Data Retention Compliance
Habitually, privacy and security have similar goals of protecting data. Many organizations implement security efforts to protect private information, that may include employees, patients, students, visitors, vendors, and other group types depending on the very nature of the organization. Nonetheless, the ever-increasing sea of compliance rules force organizations to adhere with privacy regulations that often creates pressure for information technology (i.e., “IT”) and legal departments to respond with a solution that will address both data privacy and security concerns.
Regulators VS. Advocacy Groups
But in some cases, privacy and security common goals can stray away from the matter of deciding policies for data retention. A great resource on this topic is The Electronic Frontier Foundation (“eff.org”) that seeks to ensure rights and freedoms as our use of technology grows, and they keep track of the ongoing efforts related to data retention laws and regulations that ask “data owners”, Internet Service Providers (“ISP”), phone service providers, email service providers (e.g., Google via GMAIL), and others, to retain extensive records of individuals’ activities. This would include: websites visited, emails sent, phone calls made, purchases made, and other data points – for lengths of time that exceed what is necessary for business operations – just in case this information later is subpoena.
The argument behind these laws according to policymakers, is to improve security – to protect nations against terrorist attacks or acts of war, and to provide law enforcement agencies (e.g., CIA, FBI, and local officials) with the data they need to find, charge, and prosecute offenders. Nevertheless, data retention laws face resistance and scrutiny from privacy rights advocacy groups such as the American Civil Liberties Union (“ACLU”), who contend that lawmakers use “national security” as an excuse to violate citizens’ rights and in fact the ACLU has stated: “The government security establishment is not the only threat to our privacy; most of the transactions that we engage in are with private companies”.
For instance, in response to the terrorist acts of September 11, 2001 the United States enacted the Patriot Act to provide tools required to intercept and obstruct terrorism. The law was originally passed as a provisional practice, thereafter, the U.S. government was further carped for extending this policy. In comparison to today's political climate, the legislation passed with overwhelming support by the Senate with a 98 to 1 vote and in the House of Representatives with a 357 to 66 vote. The legislation was criticized by privacy rights advocate groups that claimed that the law overstepped on citizens’ privacy rights and compromised their Constitutional rights to freedom of religion and speech. Furthermore, the Patriot Act was lambasted because it granted government intelligence and law enforcement agencies the right to force data owners and ISP providers to retain a specific users’ personal data and activity history, indeterminately, if this data was considered indispensable to an ongoing investigation.
Likewise, privacy advocate groups have also mounted ardent disagreement against the variety of data retention laws enacted over the last couple of years. Meaning, new data privacy regulations seem to spawn up all the time, and this can cause unexpected problems for an organization. For example, the Federal Information Modernization Act (“FISMA”) under the U.S. Department of Homeland Security (“DHS”) is responsible for codifying DHS authority and for third party contractors, to administer the implementation of information security policies. And if applicable, organizations are forced to implement some security controls in order to achieve privacy regulation compliance, but many organizations invest just enough security to convince auditors to issue the “Compliant” seal of completion. Nevertheless, the term “compliant” does not necessarily mean “secure.” But despite the compliance pressures, IT security budgets are limited to maintaining operations, and sometimes they are precluded from investing in the latest and greatest security tools. And in worst case scenarios, procure systems that cannot perform accordingly. Hence, the conundrum between privacy and data retention can be problematic for enterprise IT managers. And it is no surprise that complying with rules requires legal guidance from subject matter experts, who often need to deal with these challenges on a case-by-case basis.
Retention can Slow a Visitor Management System
The problem is that not all software systems maintain the initial level of performance, as the database grows, and the same holds true for visitor management systems. If a system is working today, it does not mean that it will work a year later. Like many systems, one possible reason for a decrease in performance is the load increase that a system may be subjected due to new concurrent users, or an increase in visitor traffic, that means processing more data than it did previously and retaining more data. Well here is a simple question, how will the system work with 100 MB versus 10 GB of data? Therefore, it is important to consider questions in the form of “If the system grows at a certain rate per day or week, what are the options for handling future growth?” And “How can we add computing resources to deal with the additional load?”. More than anything this will help foresee the growth rate of the database, and therefore allow proper planning for supplying adequate hardware resources. Finally, it is important for a visitor management system to have a robust framework to maintain performance while retaining data to meet compliance.
Erci Moisa, MBA