ICO publishes new guidance on Wi-Fi location analytics

16 February 2016

Ruth Boardman, James Mullock

With a growing number of organisations offering free Wi-Fi to customers or installing Wi-Fi networks on their premises for use by employees, the use of data obtained from, or via, Wi-Fi enabled devices to monitor individuals is becoming increasingly common.

An activated Wi-Fi enabled device will continually broadcast 'probe requests' to discover Wi-Fi networks. When a Wi-Fi transmitter is within range of the device, the two will communicate and the MAC address of the device (theoretically, a unique identifier) will form part of these communications. The strength of the signal received by the transmitter can be used to estimate how far away the particular device is situated (which, in turn, can be used to monitor the location and movements of the device). Organisations can use this information to determine, for example, volume of visitors to the premises or how individuals typically move around the premises.

In February, the ICO published guidance for operators of Wi-Fi networks, which contained the following key recommendations for ensuring compliance with the DPA:

  • Conduct a privacy impact assessment ('PIA') to identify and reduce privacy risks.
  • Define purposes to ensure that the reasons behind collection of personal data and the intended processing activities are clear.
  • Notify individuals of the purpose of processing, potential data sharing and the identity of the date controller. The ICO suggests achieving this:
  • via signs installed at the entrance to the area of data collection and reinforced throughout; and
  • on any websites or Wi-Fi sign-up portals.

The ICO also recommends that individuals are made aware that they can control collection of their personal data via, for example, Wi-Fi settings on their device.

  • Remove identifiable elements by, for example, anonymising the MAC address so that individuals cannot be identified, where this would still enable a data controller to achieve the specified purpose of data collection (e.g. where the data controller's intention is to measure the number of visitors to a store, only).
  • Define the bounds of collection to ensure that individuals are provided with information on the data collection before it occurs. Organisations should remember that certain locations may be more sensitive than others (e.g. bathrooms and first aid rooms) and should consider ways of minimising the amount of personal data collected, or degree of intrusion to privacy caused (e.g. by sampling data, or limiting data collection to specific times of day).
  • Define a data retention period to ensure that data are not kept for longer than necessary (in light of the purpose of collection).
  • Establish control mechanisms to provide individuals with a simple and effective way to opt-in or opt-out of data collection.
  • The ICO provides examples of:
  • installing, at the entrance, an instrument which identifies a device's MAC code then offers an opt-in or opt-in to the individual;
  • including URL or QR codes in privacy notices, websites or Wi-Fi sign-up pages (or similar) which direct users to a webpage into which they can enter their MAC address and indicate their opt-in or opt-out preference; and
  • providing regular visitors (e.g. employees) with briefings.
  • Contracting out – where an organisation would like to use a third party to perform Wi-Fi analytics on its behalf, it will need to ensure that the third party also processes the personal data appropriately.

The full ICO guidance is available here.