
Wi-Fi operators must notify device users of potential data processing before processing occurs, says ICO

Organisations that provide Wi-Fi services to their staff or customers must notify device users of the potential for their data to be analysed before they begin to process their information, the UK's data protection watchdog has said.

18 Feb 2016

Wireless connectivity between Wi-Fi connection points and electronic devices, like mobile phones, has the potential to reveal data about people's location and behaviours, the Information Commissioner's Office (ICO) said in new guidance it has issued on Wi-Fi location analytics (10-page / 334KB PDF).

The ICO said notifying people of the potential for their data to be processed is just one of the data protection issues operators of Wi-Fi networks need to account for before they can analyse personal information that can be gleaned about device users.

"Clear and prominent information is one way to alert individuals that certain processing is taking place," the ICO said in its guidance. "The information should clearly define: the identity of the data controller; the defined purposes of the processing; and information relating to any third-parties or other organisation that the data may be shared with."

The ICO said that it is possible for Wi-Fi operators to collect data from devices covertly. To address this, data controllers should consider putting up signs at the entrance to areas where data is collected to notify device users of the potential processing of their data, as well as "reminder information throughout the location where data is being collected", the ICO said. Information about data processing could also be detailed on their websites or within Wi-Fi "sign-up" pages.

Consideration should also be given to supplying device users with "detailed information to explain how individuals can control the collection of personal data using the settings on their device", the watchdog said.

Wi-Fi operators must "ensure that individuals are given ample opportunity to view information about processing before it occurs", it said.

The ICO backed the use of privacy impact assessments as a way of identifying and limiting privacy risks. It said anonymisation measures could be used to address "unnecessary privacy risk".

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that data derived from connections between devices and Wi-Fi networks can be "very powerful datasets" that businesses can use.

"For example, take an airport. Data from airport Wi-Fi systems might be able to convey how many people are in a specific location at a specific time, and how they move around. The information could help them understand where the most popular spots are for retail outlets and be matched with other data to support more targeted advertising of products and services," he said.

Retailers were last month urged to create a 'CCTV-like' symbol to inform customers of mobile tracking in a new working paper that was issued by an international working group on data protection in telecommunications, of which the ICO is a part.

Samantha Livesey, an expert in retail data privacy at Pinsent Masons, has previously highlighted the rise of new 'beacon' technologies that help retailers connect with consumers via their mobile devices as they move around shopping centres and within individual stores.

Livesey said the technology allows retailers to prompt consumers with promotional offers for goods as they approach particular parts of a shop, and said the ability to collect valuable personal data can help retailers identify future customer trends or improvements in store layouts. However, she recommended that retailers adopt a layered approach to address privacy issues so as to remain compliant with data protection laws.