Opinion.

New guidance from ICO on WiFi Location Analytics

04/03/2016

At a glance

The Information Commissioner’s Office (ICO) has published guidance for organisations providing WiFi location analytics and services. It considers how operators of WiFi and other communication networks can use location and other analytic information in a way that complies with the Data Protection Act 1998.

In detail

What is WiFi analytics?

Mobile phones, tablets and other WiFi enabled devices contain a unique identifier. This identifier is specific to a device (although it can be modified or spoofed using software) and is known as a ‘Media Access Control (MAC) address’.

WiFi analytics involves the use of information obtained through MAC addresses, which are transmitted by WiFi enabled devices when searching for WiFi networks. By way of example, if a WiFi enabled device is switched on it will continually signal to find the WiFi networks available in its geographical location. WiFi operators can collect these MAC addresses and use them to monitor the location of a device and track its behaviour over time. Such information, which can be collected without the individual’s knowledge, could be personal data if individuals can be identified from the MAC addresses or other information held by network operators.

Recommendations

The ICO guidance recommends that WiFi operators:

  • Conduct privacy impact assessments to consider whether information is being collected through WiFi networks and how to manage the data collected.
  • Define the purpose for collecting personal data and implement design solutions to limit usage to this purpose.
  • Be clear and transparent – notify individuals of the collection of data. This can be through signage at the entrance to the WiFi collection area, on websites, on WiFi sign-up or portal pages, and by providing detailed information on how individuals can control the collection of data through changing the settings on WiFi enabled devices.
  • Remove identifiable elements of data collected by converting MAC addresses into an anonymised format and deleting the original data once it is no longer required.
  • Define the bounds of collection and consider the location of the device from which data is being collected (certain areas and locations could be more sensitive than others), timing of the collection and the use of sampling methods to reduce the volume or privacy intrusion of the data collected.
  • Define a data retention period which is no longer than necessary to achieve the purpose for which the data was collected. For instance, if individual level data is collected to generate aggregate reports identifying individual movements at a particular location, the individual level data should be deleted once the reports have been prepared.
  • Create data collection control systems for individuals, so that individuals are able to control the processing of their personal data. It is particularly important to have these control systems in place and available to employees or frequent visitors to a location. This could include providing individuals with the option to opt-in or opt-out of the collection and/or processing of their data.

What next?

It is clear that data can be collected from WiFi enabled devices without individuals having to connect to any WiFi network (all that is required is for the WiFi feature to be turned on), which increases the risk of data relating to an individual being collected and processed in a covert manner.

This guidance highlights the important role of the WiFi operator in a move to promote individual awareness of data collection in relation to WiFi analytics. It is not acceptable for data collected via MAC addresses to be processed without the device holder’s knowledge and WiFi operators must ensure that all practices followed are in line with their obligations under the Data Protection Act 1998.

Tim Ryan
