The Irish Data Protection Office recently issued detailed guidance for organizations regarding recommended best practices for handling location data. According to the Irish DPO, since location data pinpoints a person’s location—and even the precise pattern of an individual’s movements over time—it can constitute personal or even sensitive data protected by the Data Protection Acts of 1988 and 2003. In the case where it is possible to identify the person to whom the location data relates, or from the location data together with other information which the organization has, such data would be deemed personal data. Location data may be sensitive data if it reveals any defined sensitive traits (e.g. religious or political beliefs) about the individual—such data is granted further protection under the Data Protection Acts.
The guidance reassures organizations that location data which cannot be linked to a living person is not governed by the Data Protection Acts and that in principle aggregated or anonymised location data may be collected for statistical or service monitoring purposes. However, the guidance cautions that “extreme” care should be exercised to ensure that the technical processes used to aggregate or anonymise data are effective to prevent the data subjects from being identified. The actual processing of location data, in order to make it anonymous, must also be done fairly, in accordance with the Data Protection Acts.
TIP: This guidance is a reminder that location data is a concern for regulators, and companies should take care in how they design programs that collect such information.