Data protection issues with intelligent transport systems, vehicle telematics & road pricing

01 July 2009

Peter Elliott, Barry Jennings

First published in TEC: Traffic Engineering and Control July 2009


Intelligent Transport Systems (ITS) and vehicle telematics represent the latest stages in the evolution of the operation of road vehicles and road networks.

Vehicle telematics involves the use of positioning technologies, such as Global Positioning Systems (GPS), in combination with IT and mobile communications technology in road vehicles to achieve improvements in security, road safety and congestion. These telematic technologies now enable a broad variety of applications including vehicle tracking, satellite navigation, road pricing, safety and emergency warning systems, remote vehicle diagnostics and pay-as-you-go motor insurance. However, they do require the collection and storage of data about the location of individuals – a politically and legally complex subject that agitates a general public both sensitive to the dangers of a "Big Brother" state and sceptical about the Government’s ability to keep data secure.

This article looks at some of the main areas of data collection and usage at the moment and highlights the key legal issues, considerations and developments.

Vehicle Tracking

Vehicle tracking uses GPS to monitor the location, movements, status and behaviour of a vehicle or fleet of vehicles. It can be used for a variety of purposes, including fleet management, road pricing schemes, pay-as-you-go insurance, tracking stolen vehicles and providing passengers with arrival information on bus routes.

The main barrier to the deployment of telematics technologies in this area is the public’s fear of a surveillance society and the encroachment of "Big Brother". For instance, a delivery driver who is authorised to have personal use of a fleet vehicle outside of business hours would probably feel it an invasion of his privacy for his employer to track when and where he used that vehicle outside of business hours. This adds human rights, as well as data protection, issues to the debate.

To some extent this specific issue has been addressed by the Employment Practices Code produced by the Information Commissioner’s Office, which states that in most circumstances such systems should include a ‘privacy button’ that can be used when the vehicle is being used outside of business hours but it is unclear how far such guidance is actually followed in practice.

Similarly, if a driver’s vehicle use is captured for one purpose can it be used for another, e.g. passed to law enforcement agencies investigating traffic offences? Undoubtedly, the police will want access to this information, if not for traffic offences then for anti-terrorism or criminal investigations. So far the approaches of data controllers to the release of such data have been inconsistent, mainly because of misunderstanding or misapplication of data protection legislation. Given this engrained level of uncertainty, we believe the most effective approach is likely to be for a code of practice to cover vehicle tracking and automatic number plate recognition (ANPR). This would be agreed between the operators (not always employers), police, Information Commissioner and the system manufacturers. Alternatively, this type of guidance may be developed as part of the EU’s latest ITS Action Plan (published in December 2008).

In terms of public buy-in, the need for some of these measures would lessen with greater awareness of what is actually involved in vehicle tracking when compared to other everyday technology. In particular, manufacturers and service providers in this field stress the point that most current vehicle tracking is far less invasive than the level of tracking and information gathering currently carried out as part of mobile telephony provision – and this is something to which, rightly or wrongly, almost no-one gives a second thought. Similar points apply to privacy issues in wider telematics and ITS.

Pay-as-you-go Insurance

Under a pay-as-you-go insurance policy, risk would be assessed based on a driver’s behaviour in addition to the standard risk factors already used. As well as distance travelled, risk factors could include driving in excess of the speed limit, driving for long periods without a break, driving at night or in poor conditions and driving in particular areas or at particular times.

Whilst this system would provide commercial advantages to insurance companies (virtually eliminating insurance fraud), there are strong arguments that it would be an infringement of individuals’ privacy. Again, police would no doubt be keen to access such information, particularly with regard to vehicles travelling above the speed limit, but the difficulties in identification of the driver without the use of speed cameras may restrict its usefulness to the police. Companies often anonymise or aggregate data they hold at the earliest possible point to avoid it having a separate enforcement value – without this consumers may be sceptical about signing up to such tracking schemes.

Along with insurance companies, the concept of pay-as-you-go insurance is supported by environmental and road safety groups, who predict that it would encourage people to use their cars less and drive within speed limits. Drivers also seem keen on schemes that are more responsive to their individual actions and potentially offer significant cost benefits, and experience of trials suggest that they are generally willing to compromise privacy and allow tracking where they see a clear benefit to themselves in the schemes. In purely legal terms, so long as general data protection principles (such as keeping the data secure and not using it for other purposes) are followed, there should at this stage be no major legal issues in the UK.

Road Pricing Schemes

When 1.8 million people signed the petition against road pricing on the Downing Street website in 2007, it was clear that, along with increased driving costs, the issue concerning most people was the prospect of a universal surveillance system tracking citizens across the country’s road networks. The use of data by the public sector has always been a sensitive topic in the UK and now it is becoming increasingly high profile.

Despite this and the further setback of the recent ‘no’ vote on the localised Manchester scheme, the implementation of road pricing schemes seems inevitable given the rapid increase in congestion in the UK. If the government does implement a national road pricing scheme, it will probably be a system which formulates the charge based not only on distance travelled, but also on the length of time the road is used and the consequences of using that road at that time of day. GNSS has certain advantages over the other methods in terms of achieving this in that it allows national monitoring of real-time vehicle use.

The Transport Act 2000 provides the legal framework for local authorities to introduce local road pricing schemes and provides the Secretary of State for Transport (or the National Assembly in Wales) with certain regulatory powers. However, the draft Local Transport Bill (presented in May 2007) proposes curtailing the requirement to consult the Secretary of State for charging schemes proposed in England and abolishing the power of the Secretary of State to require consultation on charging schemes proposed in England.

Ensuring compliance with the Data Protection Act – in terms of both use of personal data and security and accuracy of data held – will be at the forefront of operators’ minds, particularly as data storage and handling is likely to be outsourced to the private sector. In addition, if a road pricing scheme was interpreted as providing a public communications network (and schemes based on the use of telematics could well be), the Data Retention (EC Directive) Regulations 2007 would also apply and would require certain data to be retained for at least 12 months.

Traffic trend data could be of significant commercial value to third parties, but if a public authority seeks to licence this data to third parties (potentially recouping some of the operating costs of the road pricing scheme) it will need to ensure that:

  • it has the authority to use the data in this way;

  • it complies with the licensing rules under the Re-Use of Public Sector Information Regulations 2005; and

  • it deals with location data in compliance with explicit provisions, particularly regarding consent, contained within the Privacy & Electronic Communications Directive 2002 (implemented by the Privacy and Electronic Communications (EC Directive) Regulations 2003).

Road pricing enforcement

One question that will need to be answered by any operator of an electronic tolling system is how to enforce the scheme and furthermore, who is liable for the charge – the owner of the vehicle or the driver? Improvements in the technology used in the speed camera system have now largely overcome the problem of identifying who was driving a vehicle at any point in time, so a scheme including cameras could be beneficial. Assuming an approach analogous with current speed cameras and congestion charging in London where the owner is held liable, the scheme would require links to the DVLA database of vehicle owners (information to be provided in accordance with data protection legislation). This leads to the further questions what happens if the database is incorrect, how would you deal with rental or foreign vehicles and what, ultimately, will be the sanctions if someone refuses to comply? Any scheme is likely to be not dissimilar to the current approach to speeding but this is not necessarily popular with the general public even though it involves clear breach of safety rules, so a scheme seen as principally revenue collecting is likely to be even less popular if a heavy-handed approach is adopted without clearly demonstrated benefits on the upside.

European Commission eSafety initiative

The European Commission has initiated a large number of projects as part of their ‘eSafety’ initiative to increase road safety, several of which involve vehicle telematics. Amongst the Commission’s highest priorities is the implementation of ‘eCall’, an in-vehicle safety system which alerts emergency services when an accident occurs. eCall is able to give the precise location and a description of the vehicle involved and may be activated manually or automatically, following activation of on-board sensors. The call will be received by a public authority or a private call centre operating under the regulation and/or authorisation of a public body. According to the Commission, all new vehicles in the EU will be equipped with this system from September 2010. The UK has not yet signed the eCall Memorandum of Understanding, although the UK is able to receive and handle such ‘E112’ calls alongside its 999 emergency services.

The Commission launched an action plan on Intelligent Transport Systems in December 2008, having held a public consultation workshop in March 2008. The general aims of the plan are to enhance road safety and security, make transport greener and increase the mobility of people and goods. More specifically, the Commission hopes to:

  • determine which applications are mature enough to be deployed Europe-wide in the short- to mid-term; and

  • propose policy measures to accelerate the deployment of other applications, which may include financial support, standardisation, legislation or other ‘soft’ measures.

As part of its proposals for a legal framework for European coordination of Europe-wide deployment of ITS, the Commission has published a Decision (2008/671) on the harmonised use of radio-spectrum in the 5875-5905 MHz frequency band for safety-related applications of ITS. In January 2009 Ofcom announced the final version of the Wireless Telegraphy (Vehicle Based Intelligent Transport Systems) (Exemption) Regulations 2009 (the ITS Regulations). The ITS Regulations enact part of the Commission’s Decision, they exempt the need for licensing safety-related vehicles based applications.

The proposals in the action plan relating to data protection include assessing the security and personal data protection aspects relating to the handling of data in ITS applications and services and proposing measures in compliance with Community legislation. A further proposal relates to addressing the liability issues pertaining to the use of ITS. This is a key concern due to the fact that most ITS applications or services rely on the integration of data from different sources. Clear responsibilities need to be set out for the provision, sharing or re-use of data and components, as well as addressing liability in the case of failure. The Commission is concerned that without this suppliers will be nervous marketing and potential customers will be r reluctant purchasing ITS applications; the fact that current satellite navigation and similar products and services usually draw on a wide range of data suggests that the public is in fact considerably more sanguine even though the strict legal position can at this stage be complex and differs across Europe.


The deployment of vehicle telematics applications will undoubtedly prove controversial, but even if the public debates can be won (or avoided) there are still many data protection issues to resolve. Some of the enforcement issues simply need greater clarity or direction from the Government or EU so that a consistent framework exists. Other areas (such as commercial data exploitation and licensing, and interoperability) present structural legal and contractual challenges that are not insurmountable but that will persist and will need to be considered carefully on a case-by-case basis.