In our introductory podcast in the Privacy Matters series, we talked broadly about what privacy is… and set the stage for further discussion about the opportunities privacy best practice can present in an Internet of Things (IoT) eco-system.
Privacy is about the protection of personal information in accordance with the law.
It’s not surprising, then, that the term “personal information” has a specific meaning in privacy law. Although definitions do vary slightly across jurisdictions, the term is generally understood to mean information about an identified individual, information that identifies an individual or could reasonably lead to the identification of an individual. An individual is a person. And only a natural person (that is, someone who is alive) can have personal information.
Depending on which country you’re standing in, there is some potential for confusion when dealing with privacy language - particularly if you are somewhere that uses the term “personal data” in place of what others would call personal information. For instance, in its General Data Protection Regulation, the European Union talks about personal data – which is defined as any information relating to an identified or identifiable natural person.
When talking about data, some professionals take the view that data are random, meaningless facts, figures, numbers or shapes unless they are processed, structured, organised, interpreted or presented in some way as to make them meaningful – and that it is the meaningful presentation of data that then makes information.
This is quite possibly a subject warranting a session of its very own, and opinions on the matter are surely divided. But, as a privacy professional, and in the context of what privacy laws worldwide are intended to do, I would simply offer that we must treat any perceived difference between personal information and personal data as semantic.
Personal information is about the nature of the information, not how it’s captured. It is technology neutral – it can exist across media and in a variety of formats. It can be captured and held in myriad ways – including on paper, on film, on a computer or other device, or in the cloud. It may be easy to understand just from looking at it, or it may be a more complex series of numbers or letters.
How do we, though, apply what we know? We have a definition for personal information, but what does it actually mean? What does personal information look like? And just how much information are we talking about here?
Personal information is vast.
It can include what I think of as “the basics”:
- Contact details, like name, address, telephone number;
- Demographic details, like birth date, age, sex, marital status, nationality or citizenship; and
- Education, financial, criminal or employment history.
But, for the uninitiated, it can also include information that might not immediately come to mind, including:
- Unique identifiers, such as an ID or license number, fingerprint, iris scan or DNA profile;
- Location details on a given day or time;
- Recorded image (such as a photo or video);
- A voice recording;
- An opinion or point of view;
- Online browsing history or patterns; and
- Other data that is generated or captured by a network or device (such as payment history, number of steps travelled, or the end-point of a taxi trip).
Sometimes you may already know who a person is, and various additional elements of their personal information can be combined to form a profile. Perhaps it’s a financial risk profile, a health (or fitness) profile or something linked to whatever it is you’re selling, like a profile for the “person most likely to drive an electric sports car”.
In your role within the IoT eco-system, if you wonder whether something is personal information, ask yourself the following: Is this information about a living person? Is the information about a person whose identity is known to you? If not, is the person identified by this information? Or, could this information reasonably lead to them being identified (whether the information is taken on its own or in combination with other information)?
It’s a fallacy to think that personal information is simply a means to a marketing end. It is, in fact, used across sectors to attend to any number of business functions.
In an IoT direct-to-consumer context, such as enabling smart homes or selling smart cars, I would expect personal information to be collected and used to:
- Entice or sign up a customer base;
- Personalise customer experiences with a product;
- Maintain accounts and contact with customers over time;
- Identify opportunities to up-sell;
- Gauge customer satisfaction; and
- Address problems, faults or questions relating to a product.
Now if IoT technologies are deployed in a wider context, such as in a smart or sustainable city environment (where vendors, industry champions and cities work together), I would expect personal information to be central to:
- Providing, on a large scale, beneficial technologies to citizens (such as free urban wi-fi, smart water meters or a public transport route planning app).
Additionally, such information would be involved in:
- Identifying, understanding and perhaps even influencing economic, social or environmental outcomes in the community (for example, improving bushfire evacuation timeframes through use of environmental sensors linked to early warning applications on mobile phones or smart TVs);
- Implementing technical or physical security safeguards in vulnerable city locations (such as strategically placed monitoring devices in public buildings);
- Tracking citizen behaviour across an area of interest (such as which demographic regularly uses bike-share services in the inner city);
- Understanding consumption patterns in the community - whether in relation to resources (like water), infrastructure (like roads) or essential services;
- Identifying opportunities to on-sell a product directly to citizens (such as smart garbage bins in areas of low recycling uptake); and, of course,
- Engaging in direct marketing so that vendors can attract the community to additional products or services.
In a cities-centred IoT environment, citizens generally give over their personal information in exchange for a service, benefit or perceived benefit. They may be able to opt-in, such as by choosing to download a cool app that lets them know when their library selections are available for pick-up. In other cases they have little choice, such as when a city rolls out a new way of delivering an old service… like compliance officers now wearing body-worn cameras when attending a complaint (as opposed to using the old pen-and-paper approach).
Personal information can be both what a person gives to you in order to participate in your initiative or use your product and what you (as in, your network, application or relevant IoT device) learn or generate about a person. Consider, for example, the extent of personal information a home assistant device for the elderly may acquire over time… and just what will, or could, happen to that information.
It bears reminding that the ability to collect personal information – and to store it, do things with it, share it with or sell it to others - imposes an obligation on vendors, data storage providers, industry champions, public policy makers, municipalities, data brokers and others with involvement in the supply and deployment of IoT devices. In addition to the requirement to protect personal information in accordance with the law, there is a responsibility, a duty, to handle it in a way that is fair and within the reasonable expectation of the person to whom it relates.
Failing to embrace this duty – failing to promote privacy accountability within your part of the IoT eco-system – will undermine community trust and, likely, the success of whatever your initiative is.
I am Nicole Stephensen. I’m the Executive Director for Privacy and Data Protection at the Internet of Things Security Institute. I invite you to join me for future episodes in the Privacy Matters series. Here at the IoTSI, we are committed to enhancing the profile of privacy as a critical and ongoing touchstone in the IoT space.