The Office of the Data ProtectionCommissioner (ODPC) has issued guidelines, for individuals and organisations,on the gathering and processing of location data. With the increased use oftechnologies that can track a user’s location, this data, when usedappropriately, can provide organisations with novelopportunities to enhance users’ experiences. However,misuse of such data can reveal considerable detail about personal matters andpose unexpected risks to privacy.
The guidelines serve as a timelyreminder that location data must be handled in accordance with the DataProtection Acts (DP Acts). Information about devices that can be tracked orlocated electronically should be treated as ‘personal data’ if it is possibleto identify any person from the location data. In certain circumstances, even abroad indication of location may be enough to identify a person.
Location data which cannot be linkedto a living person will not be governed by the DP Acts, for example, thecollection and use of aggregated or anonymised location data for statistical orservice monitoring purposes. In such cases, care should be taken that thetechnical processes used are effective to prevent individuals from beingidentified.
Sensitive personal data
Particular care should be taken wherelocation data could constitute ‘sensitive personal data’. This could compriseinformation about the religious or political beliefs of a person,physical/mental health or sexuality. Sensitive personal data can only beprocessed under special conditions specified in the DPActs.
To reduce the risk of inadvertentlygathering sensitive personal data, data controllersand processors should seek to minimise the amount of location data gatheredabout individuals. The more precise the location data gathered, the greater therisk.
Obtaining personal locationdata fairly
Very precise location data can becollected without an individual being aware of it. This may occur ifindividuals were never informed, or it was never made clear when or howlocation data would be collected and used. In order to collect personallocation data lawfully, there must be an appropriate basis for doing so. Eachuser must be informed in advance and given the opportunity to opt in or out. Adata controller or processor also has a duty to make it clear when locationdata are being collected. If it is collected on an ongoing basis, it isnecessary to include periodic reminders.
Consent
Under the DP Acts, consent is avalid ground for processing personal data. Sensitive personal data mayonly be processed with the explicit consent of the data subject.
The recommended approach forprocessing other personal location data is to obtain the prior informed consentof the individuals concerned.
Consent to the processing ofpersonal location data should be provided for by way of a clause specificallyfor that purpose and it should be separated from the general terms andconditions. It must also be easy to withdraw consent.
Retaining and deletinglocation data
Under the DP Acts, data controllersmay only retain personal data for as long as is necessary for the purposes forwhich it was obtained, or any further permitted purpose. Timely deletion ofunnecessary data is especially important in the context of location data anddata controllers should avoid retaining personal location data unlessabsolutely necessary. In some cases, this may even mean deleting theinformation immediately after it has been processed.
Data subject/individualrights
Individuals have a right to know whatinformation an organisation holds about them, to request access to thatinformation, or have any personal information that is not required deleted.When providing the location data in response to such a request, the controllermust provide the data in ‘intelligible form’. This may mean plotting thelocation on a map.
Conclusion
The ODPC has made clear theobligations on data controllers in relation to personal location data and it isimportant that these guidelines are observed in order to ensure compliance withthe DP Acts.
Contributed byDavidCullen
