In a previous article, we reviewed real-life DPIA examples related to AI and machine learning. Today, it’s the turn of individual legal rights, especially when you are about to handle sensitive data that can affect those rights.
Monitoring the public opens up concerns about how to protect an individual’s identity and privacy. This is why DPIAs are usually needed for monitoring that is done for reasons outside of identifying law infractions (e.g., a shopkeeper wouldn’t need to complete a DPIA for placing a security camera near the checkout counter).
Whenever tracking or monitoring occurs outside of a necessity to provide a product or service, the controller would need to both clarify their purpose and reduce the impact on the data subjects. For instance, a city might offer discounted bicycle rentals while its officials also plan to track the biker’s route from pick-up to drop-off.
Employers might monitor everything from an employee’s search history to their emails to their access card use. They have a right to do this, but there are limits to what they can do. For instance, if an employee occasionally discussed family plans on group chat, the employer doesn’t necessarily have the right to intrude into the conversation or reprimand the employee because of it.
Mobile apps collect a good deal of data from users, especially those that track location data or medical information. For example, a smartwatch that monitors a person’s heart rate, sleeping habits, and steps will need to assess the ramifications of collecting this information.
From border guards to firemen and women, there need to be protections in place for those who keep the peace. For instance, police officers routinely use body and dash cams to capture the conflict as it unfolds. All public figures need to be aware of their position and how footage can help or harm the individuals involved.
From roadblocks to weather to pedestrians to traffic patterns, the computer systems within vehicles are designed to adapt to new environments. If a vehicle uses semi-autonomous driving software, such as blind-spot monitoring or automatic emergency braking, a DPIA can help control for the information collected and processed.
The European Economic and Social Committee on Radio Frequency Identification has expressed the official opinion that a DPIA should be used to control for situations where RFID tags are or might be used. So if a 5,000-person conference used RFID tags to streamline registration, the report would help ensure that all information is appropriately collected and stored.
This situation applies to healthcare organizations as well as consumer services, such as gyms or fitness clubs. So if a well-known chain wanted its personal trainers to begin recommending personal fitness goals based on their current health, the larger organization would need to mitigate potential misuse or breach of the data.
Much like price setting based on purchase history, a DPIA can be used for controllers trying to establish habits based on personal purchases. This is most commonly seen with loyalty programs that will automate regular offers based on the individual’s likes and dislikes.
The relationship between the person being processed and the person completing the processing must be considered when determining the risk levels for the data subjects. If there’s a dependency, it can create an imbalance that will ultimately compromise the accuracy or relevance of the data.
Some controllers will grade their data subjects based on a variety of factors, such as gender or age. So if a temp company was trying to match their candidates with employers, they might only show information that matches the client’s preferences. This power needs to be taken into account when collecting the details from workers to ensure fairness to all.
While whistle-blowers are typically promised anonymity, it’s not always possible to guarantee true anonymity in certain cases. For instance, a supervisor or manager may recognize an employee’s voice if they hear and process the complaint. If the company has a vested interest in staying out of the public eye, it’s easy to see why and how the data could be compromised.
How data is collected, shared, and accessed is an ongoing problem that will continue to be answered differently by different people. Whenever there is data sharing and transmission outside the EU, it helps for everyone to be on the same page. A DPIA can help work out any kinks and establish a specific protocol for any sharing.
Schools and universities that collaborate will need to agree on how to share and process data. We see this most often with student exchange programs. Because the schools will be expected to review and make decisions based on various criteria, a DPIA can determine the terms of the exchange and how each party is meant to keep the student’s information private.
Corporations set up all over the world will have their own quirks when it comes to HR. However, to facilitate employee transfers and promotions, each HR department should have a way to get the information it needs. For instance, an American bank branch might request written recommendations of a manager from a branch in the UK.
With so much of our lives being stored on the public cloud, the need for proper data maintenance and security has never been more important. Any organization storing data in a public cloud in a different country should have a DPIA to ensure that there’s a valid recovery system in place in case of a breach.
Special categories under the GDPR include racial origin, convictions, health data, genetic information, and political beliefs. In general, the collection of this sensitive data is more likely to be heavily scrutinized if it’s ever called into question. It’s up to the controller to show that they not only plan to protect their subjects’ privacy but also that the data collection is in the subjects’ best interests.
Biometric data is increasingly used to limit people’s access. So if a bank required the individual’s fingerprints in order to make a cash withdrawal, it might need a DPIA to control for the collection and use of fingerprint images.
Political parties, candidates, and state authorities might process a variety of personal data to better communicate with those who are interested in certain causes. So if an environmental organization uses party affiliation and personal data to determine who to ask for donations, they might be expected to complete an assessment report.
Utility meters, GPS devices, itemized bills: these can all contain clues and insights into an individual’s lifestyle. For instance, a hacker could learn a lot from a geo-tracking app, including a person’s work schedule and personal routines. Organizations that process data directly related to private habits will need to consider the ways in which this affects the individual in both the short- and long-term.
Technology today is devoted to far more than just work-related business. Portals and applications designed for private use or life-logging need to be just as cautious about keeping certain information from the wrong eyes. So if a person uses the Notes app on their phone to keep their to-do list or personal health goals, this is considered special category information.
Through all these real-life examples, we are trying to point out the situations where you might need to run a DPIA. Of course, you may encounter other situations such as artificial intelligence and machine learning.