If you visit many office buildings in Manhattan, it is common practice to show your ID before you can access the building. In some buildings I have visited, the conversations with front lobby security went like this:
Me: Hi! I’m here to see Captain America (well let’s just call whoever I went to see that name)
Lobby Security: ID please.
Me: (I hand over my ID)
Lobby Security: (Scans it, enters some details and gives it back to me)
Lobby Security: Please stand back and look in this camera.
Me: (I stand back and look in the camera)
Lobby Security: (photo taken) Gives me visitor’s pass and points to the elevator.
Does the use of visitor management software by front desk security constitute an invasion of privacy?
I observed other visitors and noticed that nobody asked (including me) why his or her ID was swiped or scanned, or how they intended to use the information received or if it was secure. There wasn’t any info posted anywhere about the building management’s privacy policy.
My CIPP curiosity was immediately piqued and I pondered:
Isn’t the visitor’s consent required to scan the ID? Who is liable: the building management company or the visitor software development company?
Some may not see this as a big deal but an office building is not an airport where it is expected that your personal information will be scanned before you can travel.
I’m not against scanning an ID for security reasons because it is important to know who is in your building. I do understand that it may be a legitimate business need but here’s the data privacy issue with visitor management software:
The issue is whether there is compliance with data privacy laws when a building security staff scans your ID (most likely a driver’s license which includes your personal information) when you visit an office building. Does using visitor management software to create a database of swiped personal information without the individual’s consent constitute a legitimate business need? Which information is accessed and which is stored?
Many would argue that by scanning driver’s license, they are protected under the Drivers Privacy Protection Act for legitimate business purposes.
In my humble opinion (and to avoid future issues), building management who utilize visitor management software for tracking visitors should post a clear notice that all visitors IDs will be scanned, give the reason why, how the data will be used, whether it will be retained (if at all), for how long and whether it will be secure. Also, because IDs contain personal information, give the visitor a simple sheet of paper to sign that obtains his or her consent.
What do you think about front desk security personnel in buildings scanning visitors IDs? Is it good or bad? Do you think it’s an invasion of your privacy?
Image: courtesy of sxc
Belinda is a Global Privacy and Cybersecurity Consultant, Corporate Trainer, Writer, and International Speaker with a unique blend of law and technology expertise. In addition, she is a digital entrepreneur, ordained pastor, mentor to women ready to impact their generation. She is the host of Destiny Chats podcast and lives in New York with her family. For consultation , click here
Leave a Reply