by Laura Fannin August-31-2016 in Commercial & Business, Data Protection

The Office of the Data Protection Commissioner (DPC) has recently issued a guidance note on the collection and use of location data, in response to the rate at which technological innovation continues to grow. Any information which can link an individual with a particular place is considered to be location data. The use of smartphone apps which require access to a phone’s location services is a prime example of when information relating to an individual’s location is being collected and processed by an organisation.

The guidance note advises organisations to comply with their obligations in relation to the collecting and processing of individuals’ location data. The DPC has also issued FAQ: Location Data for Individuals,a document which informs individuals of their data protection rights and encourages people to be aware of the information they might be providing to organisations.

Key points for organisations using location data

If location data held by an organisation relates to a living person, and it is possible to identify the person, the Data Protection Acts 1988 and 2003 will apply, and that data will be deemed to be “personal data”. Location data that is collected from a smartphone should always be considered data which relates to a living person as the movements of a smartphone will, in most cases, represent the movements of the user of the phone. In many circumstances an individual can be clearly identified from data collected as it may contain their name, email address, or phone number. In other cases a person may be identified as the data subject simply by recording a person’s movements over a period of time, which may reveal where a person lives and works. Organisations which collect personal data must ensure that they comply with the Data Protection Acts which prohibit the excessive collection or processing of data.

If the identity of an individual (or “data subject”) is not relevant to the location data collected, the organisation (or “data controller”) should take the necessary steps to ensure the subject is not identifiable. Location data which cannot be linked to a living person is not governed by the Data Protection Acts. Therefore an organisation can essentially collect and process anonymised location data without having to comply with Data Protection rules. However, if this type of location data is being collected, it is vitally important to ensure that a data subject cannot be identified through either their movements or by a Media Access Control address. A Media Access Control address is a unique number assigned to electronic devices which are capable of connecting to the internet or another network. As this number normally cannot be changed, it represents a permanent identifier of the device.

Location data must be obtained fairly. Before collecting personal location data, an organisation must:

  • ensure they have a legal basis for doing so
  • inform the data subject in advance, giving them the option to opt in or opt out
  • make it clear when data is being obtained
  • inform the data subject what purpose the data is being collected for
  • inform the data subject of who the information will be shared with.

There are two valid grounds on which located data obtained can be processed fairly: consent and on a legitimate interest basis. Consent must be given by the data subject, the user of the device rather than the owner. Consent cannot be given as part of the terms and conditions of a service and it must be possible for a person to opt out of the processing of location data. In circumstances where processing is required to protect a legitimate interest, data processing is allowed only where it does not amount to an unwarranted infringement of the fundamental rights of the data subject. This involves a balancing exercise which must be carried-out to examine the interests of the data controller, against the rights and interests of the data subject.

Data Controllers must not retain personal data, including personal location data, for any longer than is necessary for the purpose it is required. The data must not be used for any purpose other than for which it was obtained.

The Central Statistics Office (CSO) has recently asked the European Commission to broaden the rules governing the use of mobile phone data for statistical purposes to allow for data to be collected and processed without the need for consent to be given. The organisation has stated that such data would enhance the development of the tourist industry as statistics would highlight tourist trends and reveal which areas are most and least popular to tourists of different nationalities. The CSO claim that people’s privacy rights would not be infringed as the technology they intend to use would not allow for the identification of individuals.

The use of location data has become an everyday occurrence for most individuals who own a smartphone whether they are aware of it or not. From checking the weather to ordering a taxi, there are many benefits available to the owner of a smartphone with the capability of pinpointing its location. Likewise, the collection and processing of location data can be very useful to an organisation from a marketing perspective. When using services which gather location data, it is important for organisations to be aware of their obligations.

See the DPC guidance note here.

 

 

 

Back to Full News