
Recommendation 3: Ensure all measures are in place, consistent with legal requirements, to protect personal privacy when processing location data

Why

 

  • Compliance with data protection and privacy law is mandatory. Failure to comply will attract significant financial penalties, particularly under the General Data Protection Regulation (GDPR). There is a risk that without adequate provisions to protect personal data, there will be a breach of national or European data protection and privacy laws.
  • The protection of personal data is a fundamental right. Users of public services expect their rights to be protected and public administrations have an obligation to put in place the necessary protections.
  • Failure to protect personal data will erode citizen trust and confidence in the services.
  • Without clear and appropriate data protection procedures, there is a risk of not being able to deal adequately with crisis situations such as systematic unlawful use of personal data or major data leakages.
  • A governance framework focusing on privacy allows organisations to better implement privacy-related principles and respect personal data protection in all processes. Furthermore, according to the General Data Protection Regulation (GDPR), every public administration has to appoint a Data Protection Officer (DPO). Having a DPO and, where appropriate, a supporting team allows for supervision and transparency of (location) data processing, implementation of the data protection strategy, and creation of trust towards data subjects.

How

 

Data protection policy approach

  • Set up a governance structure and data management programme for location data protection which includes:
    • Developing a data protection strategy in line with the organisation’s strategy;
    • Creating and implementing data protection policies, standards and guidelines. Policy documents should be created around rights of access requests, data retention, cookies, privacy and consent protocols where required;
    • Implementing processes and systems to automate the task of governance compliance;
    • Defining metrics to measure the effectiveness of the data protection programme.
  • Appoint a responsible and certified [1] person for data protection – Data Protection Officer (DPO) – to supervise the management of personal location data and provide transparency within the organisation and towards data subjects.
  • Connect the DPO with the Chief Information Security Officer (CISO) to adequately secure the processing of personal location data. There are security control frameworks such as ISO 27018 for data protection, but also more general frameworks such as the ISO 2700x family, ISF Standard of Good Practices, NIST or SANS publications that can help.

Data management approach

  • Ensure lawful processing of personal location data and that the processing of personal location data is fair and transparent - individual 'data subjects' should know why their location data is being collected, how it will be used, how this will benefit them, if it will be shared and with whom, and how long it will be retained; data subjects should not be deceived or misled.
  • Use clear and unambiguous language about what data is being collected, why it is being collected and how it will help the user.
  • Be open about collecting the data including if it is required under legislation.
  • Assess the risks for data subjects when data is exposed and their location data processed. Also, perform periodic privacy risk assessments to guarantee an accurate level of data protection towards the data subjects.
  • Minimise the data collected to ensure that only the minimum amount of data is collected that the task requires, and that the data is retained only as long as is needed.
  • Prepare for data subjects’ rights of access, rectification, erasure, to be forgotten, data portability, restriction of processing and notification of data breaches (in the latter case to both data subjects and supervisory authorities).
  • Unless required by legislation, ensure anonymisation of personal data before publication (see Annex II of the EULF guidelines on location privacy).
  • Have a Data Protection Impact Assessment (DPIA) defined and in place for both future and legacy processes, including significant updates/changes to legacy systems.

Location data awareness in data protection community

  • Ensure DPOs are aware of the scenarios for use of location data within the organisation and the potential data privacy risks.
  • Check the website of your national Data Regulator.
  • Review the EULF Guidelines on GDPR and location data.
  • Link to the ELISE community on location data and GDPR.
  • Link into local and Europe-wide bodies that specialise in location data. For example, EUROGI is a Europe-wide professional body that brings together industry and individuals involved in location data.

Trust measures

  • Create trust with data subjects. Be transparent and open with regard to data collection, processing, security, and privacy measures applied:
    • Keep all notices and terms in simple, clear and unambiguous language;
    • Publish a privacy notice that describes how the organisation collects, uses, retains and discloses personal data: what personal data is collected, how the data is used, what technical security measures are in place to protect personal data, with whom the data is shared, how a data subject can access or rectify personal data, and contact information of the DPO;
    • Make explicit statements on actions taken regarding data minimisation to protect privacy, for example recording ‘approximate location’ rather than ‘precise location’;
    • Require informed consent from customers and users on the use of their personal data. Please note that consent may not always be needed if personal data is required to be collected, for example under legislation. However, this should be stated clearly, concisely, and in plain and simple language to the data subject;
    • Supplementing the above, include repeat consent requests rather than rely on a first response, which may have been made hastily or may not be relevant over time;
    • Have a contact point for data subjects where they can direct their enquiries.

Challenges

  • Although the laws relating to data protection are clear, it is not always obvious that a geographical context to the data presents a personal data threat - personal location data can often be context dependent and embedded within other processes.
  • The use of mobile apps is increasing immensely and mobile phones are often seen as the channel of choice by users. Public authorities are making more of their services available through mobile apps. However, the fast pace of industry development and the sophistication and openness of many of the devices create vulnerabilities. Furthermore, almost all devices enable a user’s location to be identified. Public authorities need to implement the same protections and protocols for user authorisation as the leading commercial mobile apps.
  • To have a complete ‘protection without sharing’ approach can result in lost opportunities. As in the commercial world, the release of personal data can benefit users of public services. In the same way that users of internet retail sites may feel they benefit from targeted marketing (others may not of course), there can be similar advantages for users of public services, e.g. to take advantage of energy subsidies they may not otherwise know about. This is why transparency, and clear and simple communication are so important. If the data subjects understand and can see the benefit to them, they are more likely to share their location or any other personal data.
  • Introducing personal data protection presents extra considerations and efforts for all projects. Also, the drive towards more ‘open government data’ and more data sharing between administrations raises more situations where privacy risks need to be considered.
  • Organisational culture can be difficult to change, and managing personal data across an organisation under GDPR may require a series of changes that will need to be implemented across organisations.
  • A key tool to protect the data subject, where data is to be shared, is the anonymisation of the data. There are a number of ways of doing this; however, ongoing reviews are needed as new and other data sets become available. The newly available data may invalidate or compromise the anonymisation method used, resulting in a requirement to re-anonymise.

Best Practices

Please see also EULF Guidelines for public administrations on location privacy for further case studies of Transport for London (Oyster) and EUCARIS (EUropean CAR and driving licence Information System).

LIFO Monitoring

The Location Information Framework Observatory (LIFO) monitors the implementation of EULF Blueprint recommendations in European countries. Read about the implementation of Recommendation 3 in the LIFO Country Factsheets or the LIFO European State of Play Report. Explore the results for selected countries at LIFO Interactive Dashboards - Recommendations.

Related Frameworks: European Interoperability Framework (EIF)

| EIF Pillars | Recommendations |
| --- | --- |
| Underlying Principle 3: Transparency | Recommendation 5: Ensure internal visibility and provide external interfaces for European public services. |
| Underlying Principle 8: Security and privacy | Recommendation 15: Define a common security and privacy framework and establish processes for public services to ensure secure and trustworthy data exchange between public administrations and in interactions with citizens and businesses. |
| Basic Component 3: Base registries | Recommendation 37: Make authoritative sources of information available to others while implementing access and control mechanisms to ensure security and privacy in accordance with the relevant legislation. |
| Basic Component 3: Base registries | Recommendation 38: Develop interfaces with base registries and authoritative sources of information, publish the semantic and technical means and documentation needed for others to connect and reuse available information. |
| Basic Component 7: Security and privacy | Recommendation 46: Consider the specific security and privacy requirements and identify measures for the provision of each public service according to risk management plans. |

Related Frameworks: UN-GGIM Integrated Geospatial Information Framework (IGIF)

Strategic Pathway 2: Policy and Legal

Documentation Elements

Implementation Guide

Appendices

Data Protection, Licensing and Sharing 

 

| Actions | Tools |
| --- | --- |
| 5. Addressing Coherence | Privacy and Data Protection |

ELISE Resources

| Type | Resource | Date |
| --- | --- | --- |
| Guidance | EULF guidelines for public administrations on location privacy v2 | 2020 |
| Webinar | Guidance on location data privacy | 2020 |
| Workshop | INSPIRE Conference: General Data Protection Regulation (GDPR): Trusting the use of your personal location data | 2018 |


[1] The EC expressed preference for certificate evidence through Articles 42 and 43 of the General Data Protection Regulation. Accredited certifications include, e.g., the Certified Information Privacy Professional Europe (CIPP/E) of the International Association for Privacy Professionals (IAPP) or the Certification Programme for Data Protection Officers and Other Data Protection Professionals from the European Institute of Public Administration (EIPA).

Version: EULF Blueprint v5