Heritage sites experimenting with MLA take note. The ICO yesterday released a blog post addressing the potential danger to privacy of Mobile Location Analytics and, incidentally, Intelligent Video Analytics. Simon Rice, Group Manager for Technology, who also sits on the International Working Group on Data Protection in Telecommunications, says “Here at the ICO, we’re interested in Wi-Fi location tracking because it could involve the use of personal data. This means it falls under the Data Protection Act and that’s where we come in. […] The use of this type of technology is not just confined to the retail environment – airports, railway stations and even city-wide Wi-Fi networks could use it to monitor individuals. […] Therefore the working group has written a list of recommendations for use of the technology.”
The working paper itself is worth a read, and definitely more balanced than some newspaper coverage (as usual). It makes many references to checking out what you are planning against the local legislation wherever you are working, but also recommends seven safeguards that should be built into your work (and which, I imaging will be built into legislation over time):
- Notification to individuals – Organisations must ensure that there is sufficient information, including a range of physical and digital signage, to clearly inform individuals that location technology is in operation. The information must clearly state the purpose for collection and identify the organisation responsible. It is recommended that the industry develop a standard symbol which can be distributed throughout an area to remind individuals that the technology is in operation, similar to the effect from CCTV signage. Specific consideration must be given to staff, employees or other individuals who, if not excluded from the tracking, may be subject to extensive data collection;
- Limiting the bounds of data collection – Collection should only take place once the
individual has been suitably informed and organisations must not seek to collect and
monitor outside their premises. This can be achieved through careful placement of receivers, limiting data collection through a sampling method and to specified time periods or times of day (e.g., during store opening hours). The frequency of collection
should also be limited to that which supports the specified purpose. The use of airgaps to create a non-contiguous data collection area and ensuring that collection only takes place in areas which are relevant to the specified purpose should also reduce the risk of privacy intrusion. Organisations should also seek to identify “privacy zones” where no tracking can take place as a result of technical or physical measures. This can be important in areas which have particular sensitivity such as toilets or rooms set aside for first-aid or worship. In jurisdictions where tracking outside of the organisation’s premises can be carried out in compliance with the law, sufficient safeguards should be in place to protect individuals’ privacy; - Anonymise data without delay – Organisations should seek to delete or anonymise
data as soon as the data is no longer required in its original form; - Appropriate retention of individual level data – In cases where there is a clear legal
basis for the processing of personal data, organisations should apply methods to
convert unique identifiers, such as MAC addresses, into a form which reduces the potential for privacy intrusion. For example, if the identification of repeat visits is not envisaged then pseudonymising the identifier would prevent this possibility yet still provide sufficient analytics of daily footfall and routes taken. At the end of the legally
permissible retention period, the relevant data should be anonymised or securely destroyed. An analysis comparing events over multiple reporting periods (e.g., percentage change in visitors in a given period of time) can be performed by comparing individual period aggregates; - Consent for the combination with other information – Individuals should be fully
informed when location data is intended to be combined with other information such
as transaction history. This is especially relevant when location tracking is added as a
feature to an existing loyalty scheme, for example, adding BLE beacon functionality to
an existing retailer’s smart phone app. The user’s acceptance of an update via the
app store is unlikely to be sufficient to qualify as being fully informed. Legislation in
some jurisdictions may also require explicit consent for certain types of personal
data; - Consent for the sharing of individually identifiable data with third parties – Organisations should not share data which could be used to identify an individual with
third parties without the valid informed consent of the individual concerned (this would include sharing data with other clients of a single third-party location analytics provider) unless there is a lawful exception; and - Implement a simple and effective means to control collection – Organisations
should also establish a system which allows individuals to control the collection of
such data even in cases where this is not explicitly required by applicable privacy legislation. Organizations should prominently display the existence of choice and control options in the area of data collection. This should include an easily accessible, clearly communicated and effective means to exert control. It is recommended that a single mechanism be supported by all operators of location analytics services such that an individual is only required to express their preference once. If the tracking is based on informed consent then individuals must be enabled to revoke their consent in an easy and persistent manner. Where technically possible, clear audit trails allowing end users to know when and for what purpose data has been collected about their devices and by whom would also be recommended. Users should also be enabled to delete all or part of the previously collected data.