Recommendation 3

Recommendation 3: Comply with data protection principles as defined by European and national law when processing location data

Why:

  • Compliance with data protection and privacy law is mandatory. There is a risk that without adequate provisions to protect personal data, there will be a breach of national or European data protection and privacy laws
  • The protection of personal data is a fundamental right. Users of public services expect their rights to be protected and public administrations have an obligation to put in place the necessary protections
  • Without clear and appropriate data protection procedures, there is a risk of not being able to deal adequately with crisis situations such as systematic unlawful use of personal data or major data leakages
  • A governance framework focusing on privacy allows organisations to better implement privacy-related principles and respect personal data protection in all processes. Furthermore, according to the General Data Protection Regulation (GDPR), every public administration has to appoint a Data Protection Officer (DPO). The DPO and his team allow for supervision of (location) data processing and implementation of the data protection strategy, and create trust towards data subjects

How:

Find detailed guidance for public administrations on location privacy in the EULF Guidelines on Location Privacy

  • Appoint a responsible and certified [1] person for data protection – Data Protection Officer (DPO) – to supervise the management of personal location data and provide transparency within the organisation and towards data subjects
  • Ensure DPOs are aware of the scenarios for use of location data within the organisation and the potential data privacy risks
  • Ensure lawful processing of personal location data and that the processing of personal location data is fair – individuals may not be deceived or misled – and is transparent in relation to the data subjects
  • Apply data protection and take privacy into account from the start of development by data controllers and data processors
  • Apply data minimisation to ensure that only adequate and relevant location data is collected and processed
  • Limit the time data is stored to the strict minimum required
  • Assess the risks for data subjects when data is exposed and their location data processed. Also, perform periodic privacy risk assessments to guarantee an accurate level of data protection towards the data subjects
  • Connect the DPO with the Chief Information Security Officer (CISO) to adequately secure the processing of personal location data: there are security control frameworks such as ISO 27018 for data protection but also more general frameworks such as the ISO 2700x family, ISF Standard of Good Practices, NIST or SANS publications that can help
  • Set up a governance structure and data management programme for location data protection which includes:
    • Develop a data protection strategy in line with the organisation’s strategy
    • Put together a data protection team with a DPO
    • Implement data protection policies, standards and guidelines
    • Define activities to raise awareness on data management, risk management, incident management, audit and compliance
    • Implement processes and systems to automate the task of governance compliance
    • Define metrics to measure the effectiveness of your data protection programme
  • Prepare for data subjects’ rights of access, rectification, erasure, to be forgotten, data portability, restriction of processing and notification of data breaches (in the latter case to both data subjects and supervisory authorities)
  • Create trust with data subjects. Be transparent and open with regard to data collection, processing, security, and privacy measures applied:
    • Publish a privacy notice that describes how the organisation collects, uses, retains and discloses personal data: what personal data is collected, how the data is used, what technical security measures are in place to protect personal data, with whom the data is shared, how a data subject can access or rectify personal data, and contact information of the DPO
    • Require informed consent from customers and users on the use of their personal data
    • Have a contact point for data subjects where they can direct their enquiries

Challenges:

  • Although the laws relating to data protection are clear, it is not always obvious that a geographical context to the data presents a personal data threat
  • The use of mobile apps is increasing immensely and mobile phones are often seen as the channel of choice by users. Public authorities are making more of their services available through mobile apps. However, the fast pace of industry development and the sophistication and openness of many of the devices create vulnerabilities. Furthermore, almost all devices enable a user’s location to be identified. Public authorities need to implement the same protections and protocols for user authorisation as the leading commercial mobile apps
  • Having a complete ‘protection without sharing’ approach can result in lost opportunities. As in the commercial world, the release of personal data can benefit users of public services. In the same way that users of internet retail sites may feel they benefit from targeted marketing (others may not of course), there can be similar advantages for users of public services, e.g. to take advantage of energy subsidies they may not otherwise know about
  • Introducing personal data protection presents extra considerations and efforts for all projects. Also, the drive towards more ‘open government data’ and more data sharing between administrations raises more situations where privacy risks need to be considered

Best Practices:

Please see also https://joinup.ec.europa.eu/sites/default/files/news/attachment/jrc103110_1-dc246-d3.2_eulf_guideline_on_location_privacy_v1.00_final_-_pubsy.pdf for further case studies of Transport for London (Oyster) and EUCARIS (EUropean CAR and driving licence Information System)

Further reading:

[1] The EC expressed preference for certificate evidence through Articles 42 and 43 of the General Data Protection Regulation. Accredited certifications include e.g. the Certified Information Privacy Professional Europe (CIPP/E) of the International Association for Privacy Professionals (IAPP) or the Certification Programme for Data Protection Officers and Other Data Protection Professionals from the European Institute of Public Administration (EIPA)

Nature of documentation: Technical report

Categorisation

Type of document: Document

Licence: European Union Public License, Version 1.1 or later (EUPL)