Any purchase you bought on a high street shop may be collecting your personal data right now. Lyda Mastrantonio of Preiskel & Co explains how the UK data protection law protects your personal data from unauthorised processing by automatic devices.
The internet of things combines communications “anytime, anywhere” for anyone (on any device) with “anything”. Examples of this concept are the objects that have been modified to automatically tweet their actions, such as a hi-tech kettle developed by British designers. The ‘twettle’ connects to the local Wi-Fi network of your house and automatically tweets when the water boils. Other house appliances were modified to broadcast their use via internet, such as toilets and washing machines. It is also possible to check a non-commercial sensor that tweets when humidity is detected on a baby’s diapers.
Among these new technologies is the radio frequency identification (RFID), which receives and transmits information by radio waves through tiny microchips (RFID tags) in order to identify any object, animal, or person without previous direct contact.
RFID technology is usually used for retail check-outs to read product and pricing information, in warehouses for taking stock inventories or for security systems, which require people to use smart-cards to gain access to secure areas. However, it may also be misused: it is common practice in retail, for example, to use the RFID tags of the products to track the location of the consumer (even after the consumer has left the shop) to gain valuable marketing data. The danger lies in the temptation for retailers to use such data without consent for direct marketing purposes.
Such data, on its own or combined with other information such as credit or loyalty card information, may constitute “personal data” as defined in the UK Data Protection Act 1998 (“DPA”) if it allows the identification of the individual. Also, if it enables the data controller to distinguish one data subject from another, the DPA may apply even if the RFID data cannot be connected to a name or address.
The use of RFID technology may be justified under the DPA because it protects the legitimate interests of the retailer in managing the supply chain. However, where the retailer wants to use the data for other purposes (e.g. direct marketing), it is advisable to obtain the consent of the individual. This can be done by displaying notices on the products stating for what purposes the data will be used. If the retailer wants to track the location of the product, this should be made clear in the notice, because displaying this information may be considered necessary to make the data processing fair.
The UK Information Commissioner published a guidance note for those who use RFID technology, giving orientation about how the DPA regulates it. According to this guidance, those who collect personal data using RFID tags must take actions such as:
- Tell data subjects that their products carry RFID tags and explain what information is collected, by whom and for what purpose.
- Use passwords and encryption against “skimming” (the reading of tags by unauthorised reading equipment) and “cloning” (the unauthorised copying of personal data from tags, which can be used for identity theft).
- Limit the use of the resulting personal data to specified legitimate purposes and comply with the other data protection principles.
- Take account of these issues at an early stage, i.e., is when planning the architecture of the RFID system.
With objects communicating without the need for continuous human command, it seems to be only a matter of time before your fridge will send you a message of what you are short of when it detects that you are walking past a supermarket – or simply send you a photo of its inside. It is clearly vital to ensure that the legal position of any similar services are carefully considered and tackled head-on prior to launch.
Lyda Mastrantonio is an Associate at Preiskel & Co, a boutique law firm based in the City of London and MEF member. Follow them on Twitter. Preiskel & Co are a key member of MEF’s Privacy in Apps working group, and recently shared a useful summary of laws relevant to app developers in the UK: visit the App Privacy website for more information.