AI-powered surveillance collects and processes personal data at scale, which brings genuine compliance and privacy obligations alongside its security benefits. This FAQ is for security, legal, and compliance teams at Indian enterprises who need to understand how facial recognition, video analytics, and access control data should be governed under India's evolving data protection landscape.
1. Does India's data protection law apply to AI surveillance and facial recognition systems?
Yes, India's Digital Personal Data Protection (DPDP) Act applies to personal data processed through AI surveillance, including facial recognition and biometric access control, since this data can identify specific individuals. Enterprises deploying such systems are expected to have a lawful basis for processing this data, provide appropriate notice to individuals where required, and implement reasonable security safeguards around storage and access. This is a meaningful shift for security teams who previously treated CCTV footage as purely an operational tool — under the DPDP framework, footage and derived data (like facial embeddings) need to be governed with the same care as any other personal data an enterprise holds, including clear retention and deletion practices.
2. How long should video footage and surveillance data be retained?
Video footage should be retained only as long as necessary for the specific security or operational purpose it serves, with clear, documented retention periods rather than indefinite storage by default. Many Indian enterprises set retention windows ranging from a few weeks to a few months for routine footage, with exceptions for footage tied to an active investigation or legal matter, which may need to be preserved longer. Indefinite retention increases both storage costs and privacy risk without a corresponding security benefit, so a defined retention and automatic deletion policy — reviewed periodically against actual investigation needs — is considered good practice rather than an optional extra.
3. What are the privacy considerations around using facial recognition in the workplace or public spaces?
Facial recognition involves processing biometric data, which is considered sensitive, so enterprises need a clear, legitimate purpose, appropriate notice to employees or visitors, and strong access controls over who can query the system and for what reason. Deploying facial recognition in employee-facing contexts like attendance or access control is generally more defensible than broad, unannounced use in public-facing areas, where individuals have less awareness that their biometric data is being captured and matched. Enterprises should also consider that facial recognition accuracy can vary across different demographic groups and lighting conditions, which has both an operational and a fairness dimension worth accounting for in deployment decisions.
4. Who should have access to surveillance footage and AI-generated alerts within an enterprise?
Access to surveillance footage and alerts should be restricted to personnel with a legitimate operational need, governed by role-based access controls and an audit log of who viewed or exported footage and when. Broad, unrestricted access to camera feeds or historical footage across an organisation increases both privacy risk and the chance of misuse, so most well-governed security operations limit live monitoring access to control room staff and restrict historical footage retrieval to documented investigation requests. This access governance is also something auditors and regulators increasingly expect to see documented, not just practiced informally.
5. How is surveillance data secured against unauthorised access or breaches?
Surveillance data is secured through a combination of encrypted storage, encrypted transmission between cameras and servers, role-based access controls, and network segmentation that isolates camera systems from general enterprise IT networks. Because camera systems are often connected devices with their own firmware, they can be an underappreciated attack surface if not properly secured and kept updated. Enterprises should treat their surveillance infrastructure with the same security rigor as other critical systems — including regular firmware updates, strong authentication for system access, and monitoring for unusual access patterns to the surveillance platform itself, not just the physical premises it monitors.
6. Are there specific regulations for surveillance in BFSI, healthcare, or government facilities in India?
Yes, sector-specific regulators impose additional requirements — the RBI has expectations around security and data protection for regulated banks and NBFCs, healthcare facilities must consider patient privacy alongside general data protection obligations, and government facilities often have their own procurement and data localisation requirements for security systems. These sector-specific layers sit on top of the general DPDP Act obligations, meaning a bank branch's surveillance and access control deployment needs to satisfy both general data protection principles and RBI-aligned security expectations. Enterprises in these sectors should involve their compliance function early in vendor selection, since not all AI security vendors are equipped to meet sector-specific requirements out of the box.
7. Can surveillance footage be used as evidence, and how should it be preserved for legal purposes?
Yes, surveillance footage can be used as evidence in legal or disciplinary proceedings, provided it is preserved with a clear chain of custody demonstrating it has not been altered or tampered with since capture. This means enterprises need a documented process for exporting, storing, and handling footage once it becomes relevant to an investigation or legal matter, distinct from routine footage that gets automatically deleted per the standard retention policy. Establishing this process before an incident occurs — rather than improvising it afterward — is important, since courts and internal disciplinary processes both scrutinise how evidence was handled from the moment it was flagged as relevant.
8. What consent or notice obligations apply when deploying AI surveillance?
Enterprises are generally expected to provide clear notice that surveillance and, where applicable, facial recognition or biometric processing is in use — typically through signage at entry points and documented policies for employees and visitors. While surveillance in security contexts often relies on legitimate interest rather than explicit consent for every individual, transparency about what is being captured and why remains an expectation under India's data protection framework. Enterprises should avoid covert or undisclosed use of facial recognition or biometric matching, since this creates both legal exposure and reputational risk if discovered, particularly in employee or public-facing contexts.
9. How should third-party AI security vendors be evaluated for data protection compliance?
Vendors should be evaluated on where and how they store data, whether they process video and biometric data on-premise or transmit it to external servers, what security certifications or practices they follow, and how clearly their contract addresses data ownership, retention, and deletion. A vendor's data handling practices become the enterprise's compliance responsibility once deployed, so it is not sufficient to assume a vendor's product is compliant without reviewing their actual data flows and contractual commitments. Enterprises in regulated sectors should specifically ask whether the vendor supports on-premise or in-country processing, since data localisation preferences are common in BFSI and government deployments.
10. What internal governance practices should accompany an AI surveillance deployment?
Internal governance should include a documented data retention and deletion policy, defined access control roles, an audit trail of footage access and system changes, and periodic review of whether the surveillance deployment still matches its original stated purpose. It is good practice to designate clear ownership — someone accountable for the privacy and security posture of the surveillance system, not just its technical operation — and to review this governance framework periodically as the deployment scales to new sites or use cases. Enterprises that treat AI surveillance governance as a one-time setup task, rather than an ongoing responsibility, tend to accumulate compliance gaps as the system grows.
Related Reading
Related reading
Talk to YuVerse
Discuss a compliant, privacy-aware AI surveillance approach for your organisation — talk to YuVerse.