What does this cover?
The ICO have produced guidance on Wi-Fi analytics usage; covering the DPA compliant use of location and other analytics.
Wi-Fi analytics encompasses the collecting of data received as a result of 'probe requests' from Wi-Fi enabled devices. Wi-Fi enabled devices, such as smart phones, constantly send probe requests to find Wi-Fi networks to connect to. The requests have unique signatures (the media access control ("MAC") address) which can identify a particular device because part of the address contains unique identifiers of the device manufacture. Organisations are able to collate device range and location data from the probe requests it receives. It is recognised that, over time information regarding a particular probe requests source could be collated and used to identify an individual together with their habitual activity, in which case the data becomes personal data under the DPA.
The guidance gives examples of how a variety of businesses might utilise Wi-Fi and location analytics to monitor their employees, contractors and/or customers, such as:
"An organisation [which] intends to use Wi-Fi analytics to count the number of visitors per hour across different retail outlets…An airport is considering using Wi-Fi analytics to provide a more accurate picture of passenger journeys….A sports stadium is considering using Wi-Fi analytics to review supporters’ movements through the venue…"
Key take-aways from the ICO's guidance include that organisations which operate Wi-Fi networks (either directly or via third party-suppliers) should :
- ensure to "give clear and comprehensive information for individuals to make them aware of the processing". This includes notifying individuals of their definitive data processing purposes and being clear and transparent;
- avoid excessive data collection and take steps to reduce the risk of identification of the individuals in the collected data;
- conduct a privacy impact assessment;
- remove identifiable elements of data collated and gathered. Failure to do so promotes an "unnecessary privacy risk; and
- be mindful of obligations and restrictions when contracting out the processing of personal data to suppliers. The ICO have previously released guidance to assist companies intending to outsource this activity.
To view the ICO's guidance on Wi-Fi analytics, please click here.
What action could be taken to manage risks that may arise from this development?
Organisations should ensure that where they operate a Wi-Fi network (whether regarding employees within their business premises or customers/potential customers at their branches), that they are complying with the data protection principles discussed in the guidance, which includes ensuring that the third party providing the Wi-Fi service is subject to controls as to how they in turn use the data collected.
Should organisations wish to collate data obtained through their Wi-Fi network by way of data analytics (whether regarding employees within their business premises or customers/potential customers of their network or at their branches or sites) they should ensure that the Wi-Fi service provider complies with processing the personal data in an appropriate manner and that the key take-aways detailed in this article are considered.