Last updated: 
3 months 3 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Wifi location data

Wednesday, May 4, 2016 - 15:15

More than a decade ago the e-Privacy Directive mentioned "location data" in the context of telecommunications services. At the time that was almost entirely about mobile phone locations - data processed by just a handful of network providers - but nowadays many more organisations are able to gather location data about wifi-enabled devices in range of their access points. The law (and our own instincts) treats location as a relatively intrusive form of personal data - though it's not included within the formal category of "sensitive personal data" - so organisations are rightly concerned to handle it correctly.

Although the e-Privacy Directive's location provisions formally only apply to users of publicly available telecommunications services (Art.2(c)), the Directive is derived from general data protection law so provides at least good practice guidance for private networks as well. The Information Commissioner has recently published advice on wifi location data, though three different types of use are covered in three different documents:

  • First a category that's only mentioned in the Directive: location data that is traffic data (Article 9's special rules only apply to "Location Data Other Than Traffic Data"). Where the location of the device is processed "for the purpose of the conveyance of a communication on an electronic communications network" (Art.2(b)) it can be treated in the same way as IP addresses and other traffic data. This would seem to cover things like knowing which access points a device is near in order to transmit its traffic from the best location. These are covered by the ICO's general guidance on Traffic Data.
  • Then there's a range of location-aware services that can be offered to the user. These could range from "where is my (lost) device?" to "where is the nearest helpdesk/printer/bus?". Legally, these are still relatively straightforward as location data only needs to be processed for the devices whose users have signed up to the service. Information about the data and processing involved can be provided to users as part of the signing up process: the ICO's guidance on Location Data suggests how organisations can ensure they have valid consent for this processing. In particular location data shouldn't be processed for anyone who hasn't signed up to the service.
  • Finally, some organisations are using the radio signals emitted by wifi devices to identify popular locations, how people move around an area, and so on. This is considerably more challenging from a legal perspective as it's likely to capture and process locations of all live devices, including those that haven't signed up to a service or connected to a network. Unless the system is only deployed in a physically secure area, it can't even be assumed that all devices are carried by members of the organisation. As the ICO's guidance on Wi-fi Location Analytics points out, the only way to inform individuals of this processing is likely to be through physical signs. With the only ways to opt-out of processing being to avoid the area or turn off your device – neither of which will be possible for some visitors – the ICO strongly recommends conducting a privacy impact assessment to ensure the activity can be justified, and using strong technical and organisational measures to protect all those affected by it.