14 March 2016
The ICO has published guidance to help Wi-Fi and other communications networks comply with data protection law when using location and other analytics information.
What’s the issue?
Many organisations offer free Wi-Fi to their customers and others install a network on their premises for their own use. Any Wi-Fi enabled device will (when on) continually send ‘probe requests’ to find in-range networks. The requests and responses will contain a media access control address (MAC) which is intended to be unique to the device. The first part of the MAC address will also identify the manufacturer or the Wi-Fi interface controller. The detail in the MAC address enables location tracking and, potentially behaviour monitoring in relation to a particular device. Where it allows an individual to be identified (not necessarily by discovering their name but by enabling them to be singled out or treated differently), personal data will be processed.
What’s the development?
The ICO has published Wi-Fi location analytics guidance designed to help the operators of Wi-Fi and other networks to comply with data protection law when using location and other analytics information. The emphasis is particularly on avoiding covert processing of personal data due to the fact that a Wi-Fi network can collect analytics data from a device without the device connecting to the network provided the Wi-Fi function and the device are switched on.
What does this mean for you?
This guidance is useful for all organisations which have a Wi-Fi network, simply from the point of view of prompting them to make sure they are not inadvertently processing personal data, but, particularly, for those which use that network to collect data analytics and process them in such a way that the information constitutes personal data. It is particularly (but not exclusively) targeted at retailers and organisations providing free Wi-Fi to consumers.
The ICO covers the steps an organisation should go through to ensure they are complying with data protection law and giving individuals sufficient information and choice about any data processing being carried out through their Wi-Fi networks.
Organisations reading this may well wonder how they are supposed to provide the required information to individuals in a way which is both clear and prominent but is not so intrusive in itself as to act as a deterrent. As the list of information which needs to be given to consumers in shops (for example), grows, there is a real tension between compliance and providing a pleasant customer experience. The advice of the ICO cannot, however, be ignored. Given the risk of covert processing of personal data, individuals must be informed if the Wi-Fi network is processing personal data but this does not necessarily mean rafts of terms need to greet a customer at the door to a shop using a Wi-Fi network. It may be sufficient to use an appropriate symbol and re-direct users to a website for more information.
The ICO recommends a clear set of steps for data controllers to take:
- conduct a privacy impact assessment (PIA) – this is the analysis of what is actually happening, the data being processed, the potential risk to privacy the processing involves and the extent to which the processing is necessary;
- define your purposes – organisations need to be clear about the purpose for collecting the data and what they are going to do with it in order to comply with the second data protection principle;
be clear and transparent – notify individuals – this step is key to data protection compliance. The ICO recommends giving individuals clear and transparent information which sets out the identity of the data controller, the purposes of the processing, and information about any third parties which may be given access to the data. This is all the more important because individuals may have no other way of knowing that data is being processed. The ICO suggests a number of ways in which individuals can be given the information, including:
- using signs at the entrance;
- placing reminders throughout the location;
- placing information on relevant websites and any sign-up page or portal of the Wi-Fi network they are providing;
- giving individuals information about how to control the collection of data through their device settings;
- remove identifiable elements – organisations are urged to consider converting MAC addresses to an alternative format which remains fit for purpose while removing identifiable elements. Data should also be deleted once it is no longer required;
- define the bounds of collection – data controllers should make sure individuals are given a chance to view information about processing before it occurs. Efforts should also be made to ensure that data location devices are not located in places where they might pick up data accidentally e.g. from passers by in the street;
- define a data retention period – data should not be held for longer than necessary and the ICO recommends that organisations define the length of time for which they will retain the data and delete it when it is no longer needed; and
- create a simple and effective means to control collection – organisations should give individuals a simple and effective way of controlling the processing. This might include offering an opt-in or opt-out choice, whether on a sign up page or via redirection to a website; or by making use of industry-wide opt-in or opt-out list to control collection.