The Information Commissioner’s Office (ICO) in the UK has published guidance for organisations providing WiFi services to their staff and customers. The guidance considers how WiFi operators can use location and other analytics information in a manner that complies with data protection laws. As the core data protection principles in the UK and Irish Data Protection Acts are the same, the guidance is also of interest to Irish businesses.
The guidance highlights that it is possible for WiFi operators to collect data from devices covertly, and therefore it is vital that individuals are warned that their data may be collected. This can be done by installing clear signage at the entrance to and throughout WiFi zones, on websites and in WiFi sign-up or registration pages, notifying device users of the potential processing of their data.
What is WiFi analytics?
WiFi analytics involves the use of information obtained through MAC addresses, which are transmitted by WiFi-enabled devices when searching for WiFi networks. Monitoring the WiFi signal strength received by an access point can also give an estimate of the distance of the device from the access point. This means organisations can track the location and behaviour of individuals without a device actually connecting to a WiFi network (the WiFi feature simply needs to be switched on). Accordingly, there is a risk that data relating to an individual may be collected in a covert manner.
ICO’s recommendations
The guidance recommends that WiFi operators:
- Conduct a privacy impact assessment (PIA) to identify and reduce privacy risks. A PIA will help data controllers consider what personal data is being collected through the WiFi network and question whether it is necessary to process personal data to provide a service.
- Define the purposes for which personal data is collected and implement design solutions to limit usage to this purpose.
- Be clear and transparent – notify individuals of the data collection through signage at the entrance to and throughout WiFi zones, on websites and on WiFi registration pages, and of how to control collection through settings on their devices.
- Remove identifiable elements from the data collected by converting the MAC address into an alternative format, and delete the original data once it is no longer required.
- Define the bounds of collection, consider the location of the data collection device, and reduce the volume or privacy intrusion of the data collected (e.g. by defining specific collection periods at certain times of day).
- Define a data retention period which is no longer than is necessary for the purpose for which the data was obtained.
- Create a simple and effective means for individuals to control collection, such as an opt-in or opt-out choice to the processing, particularly for those such as frequent visitors, employees or volunteers, who could be subject to a higher level of data collection.
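As an added illustration (not taken from the ICO guidance or from this article's author), the Python sketch below shows one way an operator could implement the MAC conversion, collection-period and retention recommendations together. It uses a keyed hash rather than a plain hash, because the 48-bit MAC address space is small enough to enumerate and an unkeyed hash could be reversed by trying every address. The choice of HMAC-SHA-256, the daily key rotation, the 09:00 to 18:00 window, the 30-day retention period and all names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, time, timedelta

RETENTION = timedelta(days=30)                       # assumed retention period
COLLECT_FROM, COLLECT_TO = time(9, 0), time(18, 0)   # assumed collection window


class Pseudonymiser:
    """Replaces a MAC address with a keyed-hash token, one secret key per day."""

    def __init__(self):
        self._keys = {}  # date -> random key, held in memory only

    def token(self, mac, seen_at):
        day = seen_at.date()
        if day not in self._keys:
            self._keys[day] = secrets.token_bytes(32)
        norm = mac.replace("-", ":").lower().encode()  # one canonical spelling
        return hmac.new(self._keys[day], norm, hashlib.sha256).hexdigest()[:16]

    def forget_keys_before(self, day):
        # Once a day's key is gone, that day's tokens cannot be recomputed
        # from a known MAC address, so they can no longer be linked to it.
        for old in [d for d in self._keys if d < day]:
            del self._keys[old]


def ingest(store, pseudonymiser, mac, rssi, seen_at):
    """Store an observation only inside the collection window; never keep the MAC."""
    if not (COLLECT_FROM <= seen_at.time() < COLLECT_TO):
        return False
    store.append({"token": pseudonymiser.token(mac, seen_at),
                  "rssi": rssi, "seen_at": seen_at})
    return True


def purge(store, now):
    """Delete records older than the retention period."""
    store[:] = [r for r in store if now - r["seen_at"] <= RETENTION]


if __name__ == "__main__":
    # Constructed sample observations: (MAC, signal strength in dBm, timestamp)
    p, records = Pseudonymiser(), []
    ingest(records, p, "AA-BB-CC-11-22-33", -61, datetime(2024, 1, 10, 10, 5))
    ingest(records, p, "aa:bb:cc:11:22:33", -70, datetime(2024, 1, 10, 22, 0))
    purge(records, datetime(2024, 1, 12, 9, 0))
    print(records)
```

Because the key changes each day, the same device produces different tokens on different days, which limits tracking across visits. An operator whose defined purpose requires longer-term linkage would need a longer key period and should justify it in the PIA.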