The Office of the Data Protection Commissioner (ODPC) has issued guidelines, for individuals and organisations, on the gathering and processing of location data. With the increased use of technologies that can track a user’s location, this data, when used appropriately can provide organisations with novel opportunities to enhance users’ experiences. However, misuse of such data can reveal considerable detail about personal matters and pose unexpected risks to privacy.
The guidelines serve as a timely reminder that location data must be handled in accordance with the Data Protection Acts (DP Acts). Information about devices that can be tracked or located electronically should be treated as "personal data" if it is possible to identify any person from the location data. In certain circumstances, even a broad indication of location may be enough to identify a person.
Location data which cannot be linked to a living person will not be governed by the DP Acts, for example, the collection and use of aggregated or anonymised location data for statistical or service monitoring purposes. In such cases, care should be taken that the technical processes used are effective to prevent individuals from being identified.
Sensitive personal data
Particular care should be taken where location data could constitute "sensitive personal data". This could comprise information about the religious or political beliefs of a person, physical/mental health or sexuality. Sensitive personal data can only be processed under special conditions specified in the DP Acts.
To reduce the risk of inadvertently gathering sensitive personal data, data controllers and processors should seek to minimise the amount of location data gathered about individuals. The more precise the location data gathered, the greater the risk.
Obtaining personal location data fairly
Very precise location data can be collected without an individual being aware of it. This may occur if individuals were never informed, or it was never made clear when or how location data would be collected and used. In order to collect personal location data lawfully, there must be an appropriate basis for doing so. Each user must be informed in advance and given the opportunity to opt in or out. A data controller or processor also has a duty to make it clear when location data are being collected. If it is collected on an ongoing basis, it is necessary to include periodic reminders.
Under the DP Acts, consent is a valid ground for processing personal data. Sensitive personal data may only be processed with the explicit consent of the data subject.
The recommended approach for processing other personal location data is to obtain the prior informed consent of the individuals concerned.
Consent to the processing of personal location data should be provided for by way of a clause specifically for that purpose and it should be separated from the general terms and conditions. It must also be easy to withdraw consent.
Retaining and deleting location data
Under the DP Acts, data controllers may only retain personal data for as long as is necessary for the purposes for which it was obtained, or any further permitted purpose. Timely deletion of unnecessary data is especially important in the context of location data and data controllers should avoid retaining of personal location data unless absolutely necessary. In some cases, this may even mean deleting the information immediately after it has been processed.
Data subject/individual rights
Individuals have a right to know what information an organisation holds about them, to request access to that information, or have any personal information that is not required deleted. When providing the location data in response to such a request, the controller must provide the data in "intelligible form". This may mean plotting the location on a map.
The ODPC has made clear the obligations on data controllers in relation to personal location data and it is important that these guidelines are observed in order to ensure compliance with the DP Acts.