Transport systems are becoming a focus for concerns about the state’s mishandling of our personal data. Civil servants and politicians perceive significant economic and environmental benefits in implementing technologies that will enable closer control of public transport infrastructure. Such benefits are not so apparent to citizens and consumers, who more immediately see the potential to misappropriate or simply lose collected data.
These technologies, such as the Oyster Card and other local smart cards, also have the potential to function as tools of surveillance. The combination of location, identification and billing data is a particularly dangerous cocktail. For example, road-pricing systems are recognised to carry significant privacy risks – by creating and storing records of where and when vehicles use the road, which are in turn made available to administrative authorities. Yet these risks are not insurmountable.
As demonstrated in 2007 by 1.7m people signing an online petition against road-pricing suggestions, this is sensitive territory. This strength of public feeling stems from both the notion of yet-another stealth tax and the huge value associated with the sense of freedom provided by cars and the open road. Exactly where privacy enters this red-button debate is not always apparent but Government needs to tread carefully and avoid trampling on public expectations of long-held freedoms.
Privacy should be stated as a headline concern in requirements documents when procuring transport systems. These additional requirements will increase the cost of the final system in the short term. But taken across the lifetime of a system, introducing these concerns at a later stage would involve greater additional costs in terms of PR damage, mistakes and remedial action.
The appropriate means to consider these concerns is through a privacy impact assessment (PIA). Although the Department has accepted this recommendation, it has taken too long to finalise these documents. The focus should be on using personal information only with a data subject’s consent, which must be given as part of an informed choice. Additionally, providing users with nuanced control over what information goes where is another prerequisite.
Also, to have a meaningful bearing on the proposed systems, PIAs should call for a ‘default’ setting of anonymous citizen profiling. Rather than presume users of systems will want to share personal information, systems should enable minimal sharing of identifiable data.
This ‘privacy first’ approach is necessary in order to realise the associated benefits. The public has, in general, little confidence in officials’ ability to deliver large-scale technology projects and, in particular, in their ability to supply a new generation of transport systems. Demonstrating a commitment to privacy concerns, and thereby to customer service, would be a significant step towards winning back public trust.
A second default requirement is that data collected and processed for transport purposes shouldn’t be appropriated elsewhere. Blanket access for secondary purposes, for example security concerns, is simply unacceptable and would be fiercely resisted. Of course, warranted access, as required and overseen by the judiciary, is a different matter and will be appropriate in particular circumstances.