Matthew Rice, senior policy officer at the Information Commissioner’s Office’s Innovation Hub, calls for input into the further development of the relevant guidance
Teams in cities, towns and places across the UK are exploring how technology can improve the delivery of key services and help meet key targets such as pushing emissions towards net zero. Benefits can be realised through the deployment of innovative new technologies, or the use of existing data in new and innovative ways.
With the introduction of any new form of processing people’s personal information, data protection is a key consideration. It makes sure the use of the technology upholds the rights of the same individuals that your project is aiming to benefit, building trust in the new technology. It is a way of making sure your projects are a win for service delivery, and a win for responsible, safe and trusted use of personal data.
With more teams considering the adoption of smart places technology, the ICO is keen to hear about any challenges that you may have from a data protection perspective. We are alive to the fact that there can be uncertainty.
The Innovation Hub works with developers and adopters of innovative technologies that are raising challenging data protection questions to ensure that the solutions are developed in a privacy respectful way. We are in the early stages of this work and welcome the opportunity to hear from those operating in this area.
What is personal data?
Even if you don’t mean to identify people in your smart places projects, if you can distinguish them from other individuals it will engage data protection law, which applies to the processing of personal data relating to people who “can be identified or who are identifiable”. This includes people who are identifiable directly from the information, or indirectly in combination with other information. This means that pseudonymous data or more seemingly obscure identifiers are personal data.
Identifiers are more than just the name of a person. They can include types of information that may be quite familiar in smart places products, such as location data, or an online identifier such as IP addresses and cookie identifiers.
Gathering media access control (MAC) addresses of smartphones like the City of London did in 2013 or capturing Wi-Fi device identifiers like Transport for London undertook in 2016 are likely to be considered processing of personal data.
These technologies may not directly identify the individual, but you are likely to be able to single them out, and that is enough for data protection law to apply. The use of location data may also engage responsibilities under the Privacy and Electronic Communications Regulations.
Data protection authorities are scrutinising this area. This year the Dutch Data Protection Authority fined the municipality of Enschede for using Wi-Fi tracking in the centre of the city in a way that was prohibited. The municipality, applying a series of anonymisation techniques, believed data protection law did not apply. Despite the measures it took, the Dutch Data Protection Authority concluded that given the different pieces of data collected, and the length of retention of the data, it constituted personal data and further that location patterns could be deduced from the dataset.
A key part of complying with data protection law will be ensuring your smart places project follows a data protection by design and default process. This is key to gaining the trust of the public in service delivery. For smart places it means answering key questions, amongst them:
- What personal data do we actually need to achieve our purpose?
- How can we limit our collection to just that data?
- If it is aggregate data, how do we reduce or remove the identifiability of individuals?
- How long do we need this data? and
- What process do we have in place to ensure we are regularly deleting unnecessary personal data?
Assess your privacy impact
It is advisable to undertake a data protection impact assessment (DPIA), given the scale of these projects. In some circumstances where processing is ‘high risk’, it is a legal requirement to undertake a DPIA and to consult the ICO if there are high risks that you cannot mitigate following the assessment.
A DPIA helps you to identify and take steps to mitigate the data protection risks of a project. It is a process that helps you clarify and answer those questions asked above. Available mitigations like setting a limited retention schedule with regular reviews and deletion or an emphasis on reducing the identifiability of the personal data are measures that we would expect to see in these projects.
There is no exhaustive definition of ‘high risk’ processing making a DPIA a legal requirement, but there are some types of processing set out in the UK GDPR that always require a DPIA. One to note for smart places is “public monitoring” where there is a systematic monitoring of a publicly accessible area on a large scale.
The ICO also includes the use of innovative technologies, such as smart technologies, as requiring a DPIA.
While your processing may be considered ‘high risk’, it can still be allowed to proceed. There is a need to ensure that the processing respects the key data protection principles. It is also about setting out the risks in the project, and how you can reduce them.
If you can achieve that reduction, and show how you can achieve it, your project is likely to go ahead. It is also likely to ensure the successful delivery of your service.
Mitigating ‘high risk’ processing
One of the most common mitigations for smart places projects is the use of privacy enhancing technologies (PETs). These incorporate a variety of techniques, from allowing analysis to be performed on encrypted personal data, through to the use of algorithms that enable population-level insights to be derived whilst limiting what can be learned about an individual in a dataset.
We have recently begun to update our guidance on anonymisation, to which interested parties should consider contributing.
These techniques have a role to play in ensuring your project upholds data protection standards, but as the example from Enschede shows, they are not the end of the conversation.
The success of the project also relies on strong system design and policies. This can include: limiting the personal data collected; clarity to people about what you are doing with their personal data; and clear deletion policies and practices that ensure the project lifecycle has data protection running throughout.
We want to hear from you
Amongst this work there may be questions that arise that existing guidance from the ICO cannot answer. It is these difficult-to-answer questions that the Innovation Hub has been set up to respond to. Its role is to actively engage with innovators and project teams deploying innovative technologies on their hard-to-answer questions and assist in guiding them.
The earlier we begin those conversations, the better for us, and for your overall project. If you are undertaking smart places projects that have raised hard-to-answer data protection questions, we would like to hear from you at hub@ico.org.uk.