Security & Legislation
Data protection regulated in Viso
Viso - the Noldus AV recording tool - is used in many different fields: psychology, healthcare, education, consumer research, user experience, and more. In all these applications, Noldus software provides a high degree of security to protect the data from illicit use.
Data protection is the fair and proper use of information about people. It is part of the fundamental right to privacy – but on a more practical level, it is really about building trust between people and organizations. It is about treating people fairly and openly, recognizing their right to have control over their own identity, and their interactions with others.
Noldus complies with the data protection laws that govern our customers. The legislation of the European Union (EU) and the United States of America (USA) is the most prominent and is discussed here.
In the EU, the General Data Protection Regulation (GDPR) came into force on 25 May 2018. GDPR applies to any processing of personal data of people in the EU, regardless of where the processing organization is based. As a global professional IT company, Noldus complies with GDPR.
In the USA, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects patients’ medical records with rules on collecting and storing patient information, electronically or otherwise. Its Privacy Rule and Security Rule are the parts most relevant to software such as Viso.
Another important US law is the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, designed to promote the adoption of health information technology across computerized systems and the secure exchange of health information. HITECH also strengthened HIPAA enforcement and made business associates directly liable for HIPAA compliance. This law is especially relevant to our customers in healthcare.
Additionally, the Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records and is therefore important for users in the field of training and education.
HIPAA and FERPA both restrict who may access an individual’s personal information and require that unauthorized access be prevented. This matters especially for customers in healthcare settings that train students: such facilities must comply with FERPA for the education records of their student practitioners, while HIPAA governs the health information of their patients.
Complying with legislation
All the above-mentioned legislation requires that personal data be stored securely and be inaccessible to unauthorized parties. This can be achieved in several ways: placing the computers in a secure, locked room, strong password protection of the computers, full-disk encryption, requiring hardware keys for software access, and fine-grained user management.
GDPR has no mandatory compliance certification. The regulation provides for certification mechanisms, seals and marks (Article 42), but these must be approved by the supervisory authorities and, at the time of writing, none exist. Nevertheless, all Noldus software and activities, including those related to Viso, are carefully screened for GDPR compliance.
The HIPAA Security Rule does “not assume the task of certifying software and off-the-shelf products” (Federal Register, Vol. 68, No. 34, 20 February 2003, p. 8352, Final Security Rule). Because the HIPAA rules are scalable to accommodate the enormous range in types and sizes of entities that must comply with them, there is also no single standardized training program that would suit the employees of all entities.
Nor does HIPAA set criteria for, or accredit, independent agencies that offer “HIPAA certification”; such certificates have no official status. A number of resources nevertheless exist to help small and midsized businesses like Noldus ensure that their employees understand the protection of health information. Noldus requires all employees who may be exposed to patient health information to complete a training course.
HITECH provides for the testing and certification of Electronic Health Record (EHR) programs and modules. Viso is not an EHR program or module, so this certification scheme does not apply to it.
Regulations translated to the AV tool Viso
Viso is a closed-network software solution. Video data is stored on video servers inside the user’s own network, under the security procedures of that network. Noldus IT does not require access to any video files, protected health information (PHI), or education records; even when we provide technical support or perform upgrades, our activities do not involve access to patient information. Noldus IT does not maintain an active connection to any Viso system at any time; a support connection can only be initiated, authorized, and supervised by Viso users. Noldus IT therefore falls into the category of ‘Software Vendor’ rather than ‘Business Associate’ under HIPAA. Note that this classification rests on Noldus staff never creating, receiving, maintaining, or transmitting PHI on the customer’s behalf. Customers should keep support sessions supervised so that this remains the case, and should consult their compliance officer if a support task would require Noldus staff to view patient recordings.
One of the primary reasons for acquiring a Viso system is to record students, participants, or patients on video. Noldus IT takes the privacy and security of the recorded data very seriously.
Several features have been implemented in Viso to safeguard against unauthorized access, as required by HIPAA. Following the HIPAA Security Rule, three types of safeguards are distinguished: 1) administrative, 2) physical and 3) technical.
1) Administrative safeguards
Administrative safeguards are the policies and procedures designed to manage the selection, development, implementation, and maintenance of security measures that protect electronically stored health information, and to manage the conduct of the user’s organization in protecting that information.
Noldus IT trains its employees to identify protected data and to ensure it is never accessed without permission or removed from client sites.
2) Physical safeguards
A locked door is the first physical safeguard. Since Noldus IT never collects or transfers data, it is the responsibility of the Viso users to secure their facilities, workstations, mobile devices, and the video servers themselves.
3) Technical safeguards
Several technical safeguards have been built into Viso.
Viso’s technical safeguards start with the built-in user management feature, which grants access to Viso at different user levels. Administrators at the client site are responsible for assigning user permissions. Regardless of user level, a unique username and password combination is required for access, so that every action can be attributed to an individual account.
Data in transit is encrypted with Transport Layer Security (TLS). This prevents information from being read by network traffic sniffing and prevents undetected alteration of the data during transfer. TLS protects data only while it travels over the network; protection of stored video (data at rest) depends on the security of the customer’s video servers, for example the full-disk encryption mentioned above.
User activities involving video (recording, replacing, and deleting videos) are registered in the audit trail, which is accessible at the Administrator level.
Users are logged out automatically after a preset period of inactivity, which limits the exposure of an unattended workstation.
Which features of Viso contribute to legislation compliance?
Viso can integrate with your own LDAP directory, in which case authentication is delegated to the directory and no user credentials are stored in Viso. Alternatively, usernames and passwords can be created locally within Viso; these are then stored in encrypted form in the Viso database.
Sophisticated user management
Viso supports a robust user management structure. The Administrator can assign four levels of dedicated user roles, which give complete control over who may view which recordings.
The Viso audit trail creates a log file of all activities regarding video creation, deletion, and access for the users selected by the Administrator. The retention period of the audit trail is set by the client and can be chosen to meet GDPR and HIPAA requirements. Note that GDPR’s storage limitation principle and HIPAA’s six-year retention requirement for security documentation pull in different directions, so the retention period should be set deliberately rather than left at a default.
At the client’s request, camera(s) in the Viso system can be equipped with a physical privacy switch. When activated, the switch places a black privacy cover over the lens so that no recording can take place. An optional indicator light can show whether the feed is ‘live’ and/or a recording is in progress.