New Guidelines on Location Data
The Office of the Data Protection
Commissioner (ODPC) has issued guidelines, for individuals and organisations,
on the gathering and processing of location data. With the increased use of
technologies that can track a user's location, this data, when used
appropriately, can provide organisations with novel
opportunities to enhance users' experiences. However,
misuse of such data can reveal considerable detail about personal matters and
pose unexpected risks to privacy.
The guidelines serve as a timely
reminder that location data must be handled in accordance with the Data
Protection Acts (DP Acts). Information about devices that can be tracked or
located electronically should be treated as 'personal data' if it is possible
to identify any person from the location data. In certain circumstances, even a
broad indication of location may be enough to identify a person.
Location data which cannot be linked
to a living person will not be governed by the DP Acts, for example, the
collection and use of aggregated or anonymised location data for statistical or
service monitoring purposes. In such cases, care should be taken that the
technical processes used are effective to prevent individuals from being
identified.
Sensitive personal data
Particular care should be taken where
location data could constitute 'sensitive personal data'. This could comprise
information about the religious or political beliefs of a person,
physical/mental health or sexuality. Sensitive personal data can only be
processed under special conditions specified in the DP
Acts.
To reduce the risk of inadvertently
gathering sensitive personal data, data controllers
and processors should seek to minimise the amount of location data gathered
about individuals. The more precise the location data gathered, the greater the
risk.
Obtaining personal location data fairly
Very precise location data can be
collected without an individual being aware of it. This may occur if
individuals were never informed, or it was never made clear when or how
location data would be collected and used. In order to collect personal
location data lawfully, there must be an appropriate basis for doing so. Each
user must be informed in advance and given the opportunity to opt in or out. A
data controller or processor also has a duty to make it clear when location
data are being collected. If they are collected on an ongoing basis, it is
necessary to include periodic reminders.
Consent
Under the DP Acts, consent is a
valid ground for processing personal data. Sensitive personal data may
only be processed with the explicit consent of the data subject.
The recommended approach for
processing other personal location data is to obtain the prior informed consent
of the individuals concerned.
Consent to the processing of
personal location data should be provided for by way of a clause specifically
for that purpose and it should be separated from the general terms and
conditions. It must also be easy to withdraw consent.
Retaining and deleting location data
Under the DP Acts, data controllers
may only retain personal data for as long as is necessary for the purposes for
which it was obtained, or any further permitted purpose. Timely deletion of
unnecessary data is especially important in the context of location data and
data controllers should avoid retaining personal location data unless
absolutely necessary. In some cases, this may even mean deleting the
information immediately after it has been processed.
Data subject/individual rights
Individuals have a right to know what
information an organisation holds about them, to request access to that
information, or to have any personal information that is not required deleted.
When providing the location data in response to such a request, the controller
must provide the data in 'intelligible form'. This may mean plotting the
location on a map.
Conclusion
The ODPC has made clear the
obligations on data controllers in relation to personal location data and it is
important that these guidelines are observed in order to ensure compliance with
the DP Acts.
Contributed by David Cullen