For Face Recognition–Enabled CCTV Deployments in India
(Aligned with the Digital Personal Data Protection Act, 2023 and DPDP Rules, 2025)
Table of contents
- Objective and Scope
- Roles and Accountability Under DPDP
- Data Classification and Processing Boundaries
- Lawful Basis, Purpose Limitation, and Necessity
- Consent and Notice Governance
- Retention and Deletion Framework
- Access Control and Privilege Management
- Audit Logging and Accountability
- Security Safeguards
- Breach Detection and Response Readiness
- Accuracy, Bias, and Human Oversight
- Exit, Termination, and Portability
- Audit and Verification Rights
- Closing Statement
Objective and Scope
This annexure documents the privacy, data protection, and governance controls applicable to the deployment of face recognition–enabled CCTV systems in India.
The objective is to ensure that biometric-based identification is:
- lawful under the DPDP Act, 2023,
- defensible under post-Puttaswamy constitutional privacy standards,
- operationally governable during audits, incidents, and disputes.
This annexure is intended to support:
- enterprise and government procurement due diligence,
- internal risk and legal review,
- regulatory or third-party audit readiness.
Roles and Accountability Under DPDP
2.1 Data Fiduciary
The deploying organization (enterprise, institution, government body, or housing society) acts as the Data Fiduciary, responsible for:
- determining purpose and necessity of face recognition,
- defining retention periods,
- ensuring valid consent or lawful basis,
- responding to Data Principal requests and grievances.
2.2 Data Processor (Technology Provider)
The technology platform provider (e.g., IndoAI) acts strictly as a Data Processor, processing personal data:
- only on documented instructions of the Data Fiduciary,
- without independent purpose determination,
- without secondary use, profiling, or model training unless explicitly authorized.
This distinction is contractually enforced through a Data Processing Agreement (DPA).
Data Classification and Processing Boundaries
All data processed by the system is explicitly classified to ensure purpose limitation and proportional safeguards.
3.1 Data Categories
| Data Category | Description | Risk Classification |
| --- | --- | --- |
| Video Footage | Raw CCTV streams and recordings | Personal Data |
| Facial Templates | Biometric embeddings used for identification | High-Impact Personal Data |
| Event Metadata | Alerts, timestamps, camera IDs | Contextual Personal Data |
| Audit Logs | Records of access, searches, exports, configuration changes | Compliance Data |
Each category is governed independently with respect to access, retention, and deletion.
Lawful Basis, Purpose Limitation, and Necessity
4.1 Purpose Definition
Face recognition is enabled only for explicitly documented purposes, such as:
- controlled access to restricted areas,
- security incident investigation,
- safety compliance in regulated environments.
4.2 Prohibited Uses
Unless explicitly approved by the Data Fiduciary and documented:
- no behavioral profiling,
- no customer or employee monitoring beyond stated purpose,
- no cross-site or cross-customer identity correlation,
- no monetization or analytics reuse of biometric data.
Purpose creep is actively prevented at both system and contractual levels.
Consent and Notice Governance
5.1 Consent Applicability
Where consent is the lawful basis:
- consent is obtained prior to biometric enrollment,
- consent artefacts are recorded, versioned, and timestamped,
- withdrawal of consent is supported without adverse consequences.
5.2 Non-Biometric Alternatives
To avoid coerced consent:
- non-biometric access paths (QR, card, OTP, manual verification) are supported,
- denial of biometric consent does not automatically deny essential services unless legally required.
5.3 Notice Requirements
Notice clearly communicates:
- nature and purpose of facial processing,
- categories of data collected,
- retention periods,
- grievance and withdrawal mechanisms.
Notice is provided through physical signage and digital disclosure.
Retention and Deletion Framework
6.1 Retention Principles
Retention is governed by:
- duration of purpose,
- legal necessity,
- proportionality and risk.
Default retention values are configurable by the Data Fiduciary.
6.2 Category-Specific Retention Logic
| Data Type | Retention Control |
| --- | --- |
| Video Footage | Time-bound, auto-deleted unless flagged |
| Facial Templates | Relationship-bound; deleted on exit |
| Visitor Data | Ephemeral or short-term only |
| Audit Logs | Retained to meet DPDP accountability expectations |
6.3 Deletion Assurance
- automated deletion workflows,
- deletion confirmation logs,
- exception reporting for failures.
Deletion is verifiable and auditable, not assumed.
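The category-specific retention logic and the deletion-assurance requirements above, as an added worked example (not code from the annexure or from the platform provider). The retention periods, record identifiers and the simulated storage failure are constructed for illustration; the Data Fiduciary sets the real values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Days for time-bound categories: constructed placeholders (the Data Fiduciary sets real ones).
RETENTION_DAYS = {"video_footage": 30, "visitor_data": 1}

@dataclass
class Record:
    record_id: str
    category: str  # video_footage | facial_template | visitor_data | audit_log
    created: datetime
    flagged: bool = False  # incident/legal-hold flag blocks auto-deletion
    relationship_ended: "datetime | None" = None  # exit date of an enrolled person

def due_for_deletion(rec: Record, now: datetime) -> bool:
    """Category-specific retention logic from the annexure's table."""
    if rec.category == "audit_log":
        return False  # retained to meet accountability expectations
    if rec.category == "facial_template":  # relationship-bound
        return rec.relationship_ended is not None and rec.relationship_ended <= now
    if rec.flagged:
        return False  # flagged footage is held, never auto-deleted
    return now - rec.created >= timedelta(days=RETENTION_DAYS[rec.category])

def run_deletion(records, now, deleter):
    """Delete due records; return (confirmation_log, exception_report)."""
    confirmations, exceptions = [], []
    for rec in records:
        if not due_for_deletion(rec, now):
            continue
        try:
            deleter(rec)  # storage-specific deletion, injected by the caller
            confirmations.append({"record_id": rec.record_id, "deleted_at": now.isoformat()})
        except Exception as exc:  # failures are reported, never silently skipped
            exceptions.append({"record_id": rec.record_id, "error": str(exc)})
    return confirmations, exceptions

def demo():
    """Run the workflow over constructed sample records (not real data)."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    records = [
        Record("vid-1", "video_footage", now - timedelta(days=45)),
        Record("vid-2", "video_footage", now - timedelta(days=45), flagged=True),
        Record("tpl-1", "facial_template", now - timedelta(days=400), relationship_ended=now - timedelta(days=1)),
        Record("vis-1", "visitor_data", now - timedelta(hours=30)),
        Record("log-1", "audit_log", now - timedelta(days=900)),
    ]
    def deleter(rec):  # simulated storage backend that fails for one record
        if rec.record_id == "vis-1":
            raise IOError("storage backend unreachable")
    return run_deletion(records, now, deleter)
```

The confirmation log and the exception report are the two artefacts an auditor would ask for: one proves what was deleted and when, the other proves that failures surfaced rather than leaving data silently retained.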
Access Control and Privilege Management
7.1 Role-Based Access Control (RBAC)
Access is granted strictly on a least-privilege basis.
| Role | Authorized Capabilities |
| --- | --- |
| Operator | Live monitoring only |
| Supervisor | Playback, incident tagging |
| System Administrator | Infrastructure configuration |
| Privacy / Compliance Officer | Audit log review |
7.2 Separation of Duties
- No single role can both modify retention policies and export data.
- Sensitive actions (exports, watchlist changes) require elevated authorization or dual control.
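The RBAC table and the separation-of-duties rules above, as an added worked example (not code from the annexure or from the platform provider). Capability names are constructed identifiers, and the "incident_investigator" role is a constructed addition so that the example has a legitimate holder of the export capability; the annexure's table itself grants export to no role.

```python
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Role -> capabilities, mirroring the annexure's RBAC table. Capability names are
# constructed identifiers; "incident_investigator" is a constructed role added so
# the example has a legitimate holder of the export capability.
ROLE_CAPABILITIES: Dict[str, FrozenSet[str]] = {
    "operator": frozenset({"live_monitoring"}),
    "supervisor": frozenset({"live_monitoring", "playback", "incident_tagging"}),
    "system_administrator": frozenset({"infra_config", "modify_retention_policy"}),
    "privacy_officer": frozenset({"audit_log_review"}),
    "incident_investigator": frozenset({"playback", "export_data"}),
}
# Capability pairs that must never be held by one principal (section 7.2).
SOD_CONFLICTS = [frozenset({"modify_retention_policy", "export_data"})]
# Sensitive actions that need a second, distinct approver (section 7.2).
DUAL_CONTROL = {"export_data", "watchlist_change"}

def effective_capabilities(roles: Iterable[str]) -> Set[str]:
    """Union of capabilities across a principal's roles (unknown roles grant nothing)."""
    caps: Set[str] = set()
    for role in roles:
        caps |= ROLE_CAPABILITIES.get(role, frozenset())
    return caps

def sod_violations(roles: Iterable[str]) -> list:
    """Conflicting capability sets fully covered by this role combination."""
    caps = effective_capabilities(roles)
    return [conflict for conflict in SOD_CONFLICTS if conflict <= caps]

def table_sod_check() -> list:
    """Roles that by themselves violate separation of duties (should be empty)."""
    return [role for role in ROLE_CAPABILITIES if sod_violations([role])]

def authorize(actor: str, actor_roles, action: str,
              approver: str = None, approver_roles=()) -> Tuple[bool, str]:
    """Least-privilege decision with dual control for sensitive actions.

    Returns (allowed, reason); the reason is what the audit log entry should record.
    """
    if sod_violations(actor_roles):
        return False, "actor's role combination violates separation of duties"
    if action not in effective_capabilities(actor_roles):
        return False, "action is outside the actor's authorized capabilities"
    if action in DUAL_CONTROL:
        if approver is None or approver == actor:
            return False, "dual control requires a distinct approver"
        if action not in effective_capabilities(approver_roles):
            return False, "approver is not authorized for this action"
    return True, "authorized"
```

Running table_sod_check() as part of configuration review catches a role definition that quietly combines retention changes with export rights before it is ever assigned to a user.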
Audit Logging and Accountability
8.1 Logged Activities
Immutable audit logs are maintained for:
- facial search queries and results,
- biometric enrollment and deletion,
- data exports and downloads,
- retention and configuration changes.
8.2 Log Governance
- logs are tamper-resistant,
- access to logs is restricted,
- logs are retained to support breach investigation and regulatory reporting timelines.
Audit logs constitute the primary evidence of DPDP compliance.
Security Safeguards
9.1 Technical Measures
- encryption of biometric data at rest and in transit,
- secure key management,
- hardened edge devices and servers,
- network segmentation for CCTV and analytics workloads.
9.2 Organizational Measures
- documented access and escalation policies,
- operator training,
- periodic review of privileges.
These safeguards are designed to meet DPDP’s “reasonable security practices” standard.
Breach Detection and Response Readiness
10.1 Detection and Containment
The system supports:
- detection of unauthorized access,
- rapid containment and isolation,
- forensic reconstruction using audit logs.
10.2 Notification Support
In the event of a personal data breach:
- the Data Fiduciary is supported in notifying affected Data Principals without delay,
- information required by the Data Protection Board can be assembled within statutory timelines (commonly operationalized as ~72 hours).
The processor’s role is supportive, not substitutive, of fiduciary obligations.
Accuracy, Bias, and Human Oversight
11.1 Operational Controls
- configurable confidence thresholds,
- context-specific tuning,
- human confirmation for adverse actions.
11.2 Risk Mitigation
Facial recognition outputs are treated as decision support, not deterministic outcomes, reducing risk from false positives and demographic bias.
Exit, Termination, and Portability
Upon termination of services:
- biometric data is deleted or returned as instructed by the Data Fiduciary,
- deletion certificates are generated,
- residual data in backups is purged per agreed timelines.
No silent or indefinite retention is permitted.
Audit and Verification Rights
The Data Fiduciary retains the right to:
- review compliance documentation,
- inspect audit logs and controls,
- request evidence of deletion and access governance.
This framework is designed to be verifiable under audit, not merely declarative.
Closing Statement
This annexure reflects a privacy-by-architecture approach to face recognition on CCTV in India. Compliance with DPDP is treated not as a documentation exercise, but as a system-level design constraint, ensuring deployments remain defensible under legal scrutiny, regulatory inquiry, and public accountability.