Is your organisation collecting ‘location data’?
The Office of the Data Protection Commissioner (“ODPC”) has issued helpful guidance for both data subjects on how to protect their location data and for data controllers on how to comply with the Data Protection Acts 1988 and 2003 (the Acts), when collecting location data.
The following is a summary of the key issues for data controllers.
What is Location Data?
Location data is any information about a living individual’s current locations, or information about a living individual’s movement in the past. Location data is personal data if it is possible to identify the person from the location data itself, or from the location data together with other information which the data controller has or is likely to acquire.
Even though a data controller will normally be collecting data about the location of an electronic device, such location data is considered to relate to a living person where it is possible to infer information about a living person from the location of a device. For example, as was noted by the Article 29 Data Protection Working Party (“Working Party”), the location of a smartphone, which would normally be kept close to its user, should always be considered as relating to a living person as its movements are likely to mirror those of its user.
It is interesting to note that while the definition of personal data in the Acts does not specifically include location data, the definition of personal data in the EU General Data Protection Regulation (“Regulation”) includes location data and thereby brings the definition of personal data up to date with the ‘online’ world in which we now live.
Location data is valuable to organisations as it can allow very specific targeting of services and advertising. For example Facebook’s location tracker locates an individual in San Francisco and advertising on that individual’s Facebook page now relates to services in San Francisco; that individual returns to Ireland and is then receiving adverts more appropriate to this jurisdiction.
Data Controller Responsibilities
In order to comply with the Acts data controllers must handle location data as they would personal data and sensitive personal data, with specific consideration being given for this type of personal data. The following is a synopsis of these specific considerations:
- Identifying the data subject
A data subject will be identifiable if location data about that person is linked to the individual's name, phone number, e-mail address or a unique number, assigned for example, to a particular customer, employee or student. However, because of the intimate nature of location data, identification and singling-out of an individual will often be calculable in the absence of such information. So, even if the data controller never intend to link the location data to a particular person, it will likely amount to personal data despite not naming the individual in question.
If linked location data reveals a person's movements over a period of time, (even if this period is relatively short) that behavior alone will often be enough to identify the data subject, for example by identifying their home address or place of work based on their daily routine.
Data controllers could collect and hold personal data without that being their intention and therefore need to be vigilant in understanding the data that is being collected and how that is being treated.
- Excessive collection or processing
The Acts preclude the excessive collection or processing of personal data. Data controllers must take steps to prevent identification of the data subject if this is not needed for the purpose for which the location data is gathered. However the ODPC cautions that location data should be treated as personal data, due to the difficulties in ensuring that location data has been effectively anonymised.
- When is location data “sensitive personal data”
Location data may be sensitive personal data if it is possible to discover any of the defined sensitive traits about the data subject from the data. The guidance gives the example of a person who is shown to attend a place of worship or to make repeat visits to a hospital as this might reveal information about that person’s religious faith or health.
A data controller could inadvertently gather sensitive personal data and therefore again data controllers need to be vigilant in understanding the data they are collecting and the resulting obligations arising from the classification of that data.
- Location data relates to the user and not the owner
Location data relates to the user and not the owner. Therefore if seeking consent it is the user that must provide consent and not the owner. This would arise in the case of a mobile phone owned by the employer and used by the employee. It is the employee that must provide the consent and not the employer.
The Working Party considers that consent in relation location data cannot be given as part of the general terms and conditions of a service, and that it must be possible to opt out of the processing of location data. Data controllers should draw particular attention to the fact that location data will be processed when seeking consent, especially where it may not be obvious to a data subject that location data is being processed, or that it is being processed for a particular purpose.
- Make it clear when location data is being collected
Data controllers must make it clear when location data is actually being collected, or in other words, that the location service is "on" and being monitored. A distinction can be drawn between the collection of location data on a once-off basis (or each time a service is specifically requested by a user) and ongoing collection. The Working Group has emphasised the need for information about ongoing collection of location data to be available on an ongoing basis. This should include periodic reminders that location data is being collected and ideally a recognisable and visible indication whenever data collection is occurring.
- Reduce the accuracy of the location data
Reduce the accuracy of location data to minimise the amount of personal data collected and the risks of a data breach. For example if the data controller only needs the city location of the data subject as opposed to the street location, then only collect the city location.
- Timely deletion
Timely deletion of unnecessary personal data is especially important in the context of location data. The pattern of a person's movements over time can reveal intimate details of their life, and the more location data that is available or linked together, the more likely it is that sensitive personal data will be revealed. Accordingly, data controllers should avoid retaining location data which is personal unless absolutely necessary. In some cases it may be appropriate to immediately delete location data once it has been processed.
When responding to subject access requests, the Acts provide that personal data must be provided to the data subject "in intelligible form". When providing location data, this may mean plotting the location data on a map or providing an address corresponding to the location. Providing numerical co-ordinates alone is not sufficient to satisfy the "intelligible form" requirement.Summary
In relation to location data, organisations must ascertain if the data is personal data or sensitive personal data, having consideration to the ‘build up’ of location data over time and handle in compliance with the Acts, bearing in mind the specific considerations highlighted above.
As with any personal data being held by a data controller, less is more. The less data that is retained, the less chance your organisation has of getting into difficulty with compliance of the Acts. Remember the mantra: Reduce Reduce Reduce
Click here for a guide for data controllers on location data.
Click here for guide for individuals on location data.