Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
ACRP LRD 42ââ 63 E. Conclusions privacy concerns, the agency emphasizes measures to achieve commitment to privacy at the highest level of an organization. While the direct jurisdiction of GDPR over airports and air- The settlement agreement in United States v. Facebook,659 dem- port stakeholders in the United States is limited to a narrow set onstrates the FTCâs focus on governance. The settlement agree- of circumstances, the influence of GDPR is larger. The âBrussels ment requires board-level involvement in the organizationâs pri- Effectâ656 of the GDPR has had significant effect on the develop- vacy activities. At airports looking to engage in data collection ment of U.S. law. Airports that seek to operate in a global eco- and use activities, similar involvement at the highest executive system of travel and commerce need to understand the develop- oversight levels of the organization should be considered. This ments in the EU Attorneys advising airports need to be familiar can be accomplished by executive level involvement in privacy with these international developments to understand potential matters. direct impact on airport data protection and privacy programs as well as the trends in U.S. law that may derive from EU legal a. Development of an Organizational Privacy Officer initiatives. or Similar Position Consideration should be given to the creation of a data pri- XIII. POLICY CONSIDERATIONS AND vacy officer or position. The officer or position would focus on CONTRACTUAL PROVISIONS FOR DATA data collection and use and on administering an organizations COLLECTION AND USAGE privacy program. Such a consideration is particularly important in an organization that is looking to engage in substantial collec- A. Policy Considerations tion and use of data. The role should include such functions as: Airport operators should consider policies that help mitigate interfacing with external privacy authorities to include regula- legal concerns related to data collection. Each use case Âpresents tors and others; ensuring compliance with internal policies and a distinct set of challenges that the airports must mitigate to external privacy and data protection requirements; administer- ensure the value of the data collection outweighs the risks. ing and overseeing planning and implementation of privacy and ÂEffective policies will address the risks posed by collection activ- data protection requirements; and accepting and resolving com- ity. As discussed throughout this guidebook, airport operators plaints regarding improper practices. This position should have must consider individual privacy concerns, notice, interactions some degree of independence in addressing privacy concerns with airlines and tenants, other third parties, and open records and should have the ability to directly address concerns at the requirements. The following policy considerations should assist highest executive levels of the organization. airport operators in addressing these challenges. The existence of data protection officers is commonplace in organizations operating under the GDPR.660 While they are 1. Governance not required in every instance, the GDPR certainly encourages Proper governance structures show a commitment to re- this practice and in certain cases mandate it. The establish- specting principles of data protection and privacy. Governance ment of such a position could certainly be characterized as part structures assist entities in addressing proper data collection and of the mainstream practice for data protection. However, no use practices. The FTC and other regulatory agencies focus on such posiÂtions are required to be established for either Privacy governance and organizational practices and frameworks to ad- Shield661 or APEC-CBPR662 compliance though the functions minister data protection programs and protect privacy.657 These performed by people in such positions are specified as part of efforts must reflect the fact that data protection requires more those agreements. than an identification of principles to be protected, it requires The FTC has begun to include the creation of corporate organizational structures and commitments to ensure that those posiÂtions to ensure data privacy in some of its settlements.663 principles are respected. The NIST Privacy Framework658 iden- The NIST Privacy Framework notes that responsibilities for pri- tifies governance as a critical component of managing privacy vacy can be left to cross-functional team implementation, an ap- risk. To that end organizations should consider some of the proach that was criticized by the FTC. The FTC contends that followÂing concepts in their governance strategy. 2. Executive Level Focus on Privacy The need for executive level commitment to privacy is hard 659 â No. 19-cv-02184-TJK, 2020 U.S. Dist. LEXIS 72162 (D.D.C. Apr. to overstate. In examining the FTCâs latest efforts to address 23, 2020). 660 â (EU) 2016/679. 656 â Anupam Chander, Margot E. Kaminski, & William McGeveran, 661 â Privacy Shield Overview, Privacy Shield Framework, https:// Catalyzing Privacy Law, 2190 Georgetown L. Fac. Publâns & Other www.privacyshield.gov/Program-Overview. Works, 27 (2019), https://scholarship.law.georgetown.edu/Âfacpub/2190. 662 â APEC Cross-Border Privacy Rules System, Cross Border Privacy 657 â See discussion of federal agency actions sections V and IX. Rules System (Nov. 2019), http://cbprs.org/wp-content/uploads/2019/ 658 â NIST Privacy Framework: A Tool for Improving Privacy Through 11/4.-CBPR-Policies-Rules-and-Guidelines-Revised-For-Posting- Enterprise Risk Management, Version 1.1, Nat. Inst. of Standards. & 3-16-updated-1709-2019.pdf. Tech. (Apr.16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST. 663 â See, e.g., U.S. v. Facebook, Inc., No. 19-cv-02184-TJK, 2020 U.S. CSWP.04162018.pdf. Dist. LEXIS 72162 (D.D.C. Apr. 23, 2020).
64 ââ ACRP LRD 42 designating a specific individual or individuals responsible for The Gatwick website delineates collection practices for differ- that function is critical to success.664 ent areas of data collection using different modalities, i ncluding: b. Adoption of a Comprehensive Privacy Framework ⢠CCTV cameras in and around the area The protection of data and data privacy requires more than a ⢠Wi-Fi at the airport commitment of personnel and resources. There is a real need for ⢠Concessions activity a comprehensive plan. This need is an internationally accepted ⢠Airport website tenet. The GDPR data protection and accountability principles ⢠Digital services outline several areas that must be covered for compliance.665 ⢠Marketing activities Similar protective regimes are suggested by the CCPA.666 The ⢠Customer service/engagement activities requirements imply the need for a robust organizational frame- ⢠Health and safety activities.670 work. The NIST Privacy Framework also offers a thoughtful and comprehensive enterprise approach to establishing a complete The website also includes information on Gatwickâs data program to ensure that privacy is managed. Adopting such a usage and information about individualâs rights under the framework will offer airports a roadmap for achieving the goals Gatwick Privacy Policy.671 As airports look to enhance privacy of their privacy policies and afford real data security. protections to areas of data collection beyond website-related data collection, the Gatwick Privacy Policy is worthy of con- 3. Establishment of a Privacy Policy sideration. Examining some of the privacy policies from other Establishing a data collection and privacy policy is a mea- international airports might also be useful in developing a com- sure that some U.S. airports have taken, primarily around the prehensive privacy policy.672 use and collection of data with airport websites.667 Los Angeles has a separate privacy policy for its website and applications.668 4. Articulation of a Purpose for Data Collection Many airport policies can easily be found through a search of The practice of clearly articulating the purpose673 for data the airportâs website. While those policies deal with some pri- collection is a touchstone for all privacy frameworks and gov- vacy related issues, they are limited in scope. ernance activities. Articulating the purpose of the data collec- Expanding data collection practices requires broader thought tion outlines both the organizational need for the data and the about data protection and privacy, and airports may want to authority of the organization to collect it. Those purposes may consider expanding their policies to cover privacy protections vary and there may be multiple purposes that can relate to indi- for data collected from other sources. Some international air- vidual pieces of data. ports, in their attempts to comply with GDPR requirements, In articulating that purpose, airports need to articulate all have taken such an approach. One example is Gatwick Airport. the uses they plan to make of the data they collect. The state- Gatwick maintains a website that clearly outlines privacy pro- ment of purpose forms the foundation for notice and consent. tection for a range of data collections and use contexts.669 It also provides the benchmark for data subjects to access and participate as they gauge the fidelity of an organizations efforts 664 â Federal Trade Commission Staff Comment on the Preliminary to use data consistent with their stated purpose. A clear articula- Draft for the NIST Privacy Framework: A Tool for Improving Privacy tion of the uses of the data collected and processed is an increas- Through Enterprise Risk Management, F.T.C. (Oct. 24, 2019), at 12-13, ing public expectation. https://www.ftc.gov/news-events/press-releases/2019/10/ftc-staff- offers-comment-nists-proposed-privacy-framework. 665 â See discussion of GDPR generally in section VII. 666 â See discussion of the CCPA in section VIII. 667 â See, e.g., Privacy Cookie Policy, S.F. Intâl Airport,â https://www. flysfo.com/privacy-cookie-policy; Privacy Notice, Charlotte Meck- 670 â Id. lenburg Intâl Airport,â https://www.cltairport.com/privacy-notice/; 671 â Id. Legal Privacy Policy, Dallas Fort Worth Intâl Airport, Legal Pri- 672 â See, e.g., Privacy Policy, Munich Airport, https://www.munich- vacy Policy,âhttps://dfwairport.com/legal/index.php; Privacy Policy, airport.com/privacy-policy-376755#26255d8dSingapore; Privacy ÂPolicy, Cincinnati/Northern Kentucky Intâl Airport,âhttps://www. Changi Intâl Airport, https://www.changiairport.com/en/privacy- cvgairport.com/privacy; Privacy Policy, Tampa Intâl Airport,â https:// policy.html; Brussels Airport-Privacy Policy, Brussels Airport, https:// www.tampaairport.com/privacy-policy; Privacy Policy Use Terms and www.brusselsairport.be/en/privacy-policy; Complete Privacy Policy, Disclaimer, Des Moines Intâl Airport,âhttps://www.dsmairport. Toronto Pearson Intâl Airport, https://www.torontopearson.com/ com/about-the-airport/privacy.aspx;â Privacy Policy, Rapid City en/privacy-policy/complete-privacy-policy. Regâl Airport, https://www.rapairport.com/privacy-policy; Privacy 673 â What constitutes an appropriate purpose for data collection is Policy, Palm Beach Intâl Airport, http://www.pbia.org/privacy- not a universally agreed upon concept. For example, the GDPR policy/. addresses and defines legitimate purpose for collection, but no such 668 â LAWA Privacy, L.A. World Airports, https://www.lawa.org/ limitation appears in the CCPA. The only requirement that is that a privacy; Application Privacy Statement, L.A. Intâl Airport, https:// purpose of collection needs to be disclosed to the consumer. See, e.g., www.flylax.com/en/Application-Privacy-Statement. Anupam Chander, Margot E. Kaminski, & William McGeveran, Cata- 669 â Privacy Policy, Gatwick Airport, https://www.gatwickairport. lyzing Privacy Law, Georgetown Law Fac. Publâns & Other Works, com/privacy-policy/. 19-20 (2019), https://scholarship.law.georgetown.edu/facpub/2190.
ACRP LRD 42ââ 65 5. Establishment of Data Minimization Practices vacy risk assessment. At every step from the time data is sought and received, through its use, until its destruction, privacy con- The concept of data minimization adopted by the GDPR siderations must be addressed. The application of PbD princi- flows from the requirement of defining a legitimate purpose ples is extremely useful in that regard.676 for data collection and using that purpose as the central operat- PbD principles suggest a proactive, transparent system that ing provision. Only data necessary to accomplish the legitimate addresses privacy protection as a positive value in meeting orga- purpose should be collected or maintained. Airports should nizational goals and objectives. The system of protection needs focus on narrowing the field of data collected wherever possible to center around individuals ensuring security at every step in and discarding data no longer needed. the lifecycle of data use in the organization from collection to The concept of data minimization is not universally adopted. destruction. PbD imposes a default position in favor of privacy. In contrast to the GDPR the CCPA does not require data minimi- The data subject does not have to take action to protect privacy, zation, only transparency with respect is collected.674 Moreover, a the system provides that protection without the subjectâs action. policy of data minimization may create tension with statutorily IT systems in particular should embrace these concepts. imposed data retention requirements or those imposed by local The application of PbD is referenced in both the GDPR and ordinance. Data retention by government agencies may be com- the NIST Privacy Framework. Both these foundational works pelled even in instances where there is no operational need. recognize the importance of a comprehensive approach to The exercise of data minimization practice can have benefits privacy protection. Weaving privacy protection into the fÂabric beyond privacy protection. Because these practices minimize of organizational processes is the hallmark of PbD. This ap- the amount of data on hand, there is a reduction on the admin- proach includes technical, operational, and administrative istrative burden producing its information in response to public Âconsiderations. requests. There is also a reduction in storage and a reduced risk of breach. Airports should strongly consider these factors when 8. Establishment of Measures to Ensure Compliance making decisions to engage in data collection. While PbD seeks to shift focus on privacy away from what 6. Establishment of Process to Assess Privacy Risk was seen as reactive and traditional compliance-oriented mind- set, ensuring compliance remains a necessary function. The GDPR Data Protection Impact Assessments offer a path development of any well-functioning system must include forward to the assessment of privacy risk.675 The NIST Privacy measures to ensure that internal processes are being followed. Framework suggests similar risk evaluative processes. Risk as- A system of evaluative processes can ensure that the organiza- sessments should be conducted before data is collected and tion is operating consistent with its legitimate privacy goals and should be updated as the system operates. Assessing the neces- directives. sity and proportionality of the data collection effort constitute Audits, both internal and external, as well as internal com- two key issues in the risk assessment process. Looking at the pliance reporting systems, provide useful measures to achieve sensitivity of the data collected is also important. The more sen- a compliance posture that is more proactive in nature. In sev- sitive the information the more circumspect an airport should eral of its settlements, the FTC has sought and received com- be in collecting it and the grater the efforts that should be ex- mitments for enhancing audit and reporting in their settlement tended to ensure that it is securely maintained. As an example, orders.677 These measures help to ensure the type of organiza- financial or health-related information is extremely sensitive tional accountability raised by the GDPR and NIST Privacy and therefore should receive special considerations. Framework. Airports must assess data usage with the understanding that while collecting data may be useful and profitable, misuse or 9. Establishment of Measures to Ensure Data Security loss of personal data not only poses risk to the data subject, but In an era of growing cybersecurity threats, the importance also to the organization collecting, processing, and using it. The of data security is hard to overstate. Both the GDPR and NIST loss or misuse of data can result in lost customers, damage to an Privacy Framework stress the importance of appropriate secu- organizationâs brand, financial penalties, and possible civil and rity measures. Designing those measures and ensuring their ap- even criminal liability. plication is of critical importance. 7. Establishment of Process to Develop and Implement In response to court criticism concerning the vagueness of Privacy Protection remedial orders, the FTC has developed a more detail-oriented approach to outlining requirements for data security. A careful Airports should consider employing a comprehensive ap- review of the FTC approach offers airports insights into data proach to privacy protection across the enterprise. Such an ap- security measure design that meets acceptable standards. The proach requires an understanding of the circumstances under FTCâs new approach includes requirements for âcomprehensive, which data is collected and used, and consistency with the pri- 674 â Id. pp. 21-22. 675 â While these assessments can be mandatory in certain circum- 676 â See discussion of PbD principles in section II. stances under the GDPR, it is not a requirement under the CCPA. Id. 677 â See, e.g., U.S. v. Facebook, Inc., No. 19-2184 (TJK), 2020 U.S. at 21. Dist. LEXIS 72162 (D.C.C. Apr. 23, 2020).
66 ââ ACRP LRD 42 process-based data security program[s]â678 Those programs in- acerbated by the use of emerging analytic tools like AI and ML clude provisions for âyearly employee training, access controls, that enhance the ability to individuate information. monitoring systems for data security incidents, patch manage- b. Questions Around Area Surveillance Systems ment systems, and encryption.â679 In addition to the NIST Privacy Framework, NIST has The growing use of area surveillance tools like CCTV, par- Âauthored some additional publications that may be helpful to ticularly by airports as governmental entities, raises questions airports in addressing security requirements. These publications not easily dealt with by existing law. Even the expanded cover- provide a framework for assessing and evaluating security risk680 age offered by a statute like the CCPA, which focuses on con- and technical support for the development of information secu- sumer transactions, is of limited use. The expansive privacy law rity templates.681Adopting measures suggested by organizations developed by the FTC is similarly unavailing. The sources of law like NIST will likely assist in defending the efficacy of data secu- that do touch on the use of technologies are state and federal rity measures. Failure to maintain proper data security exposes constitutional provisions and some discrete statutes and local entities to civil liability, potential fines and penalties, and repu- ordinances concerning surveillance and privacy protections. tational damage. Whether data being collected is used for security or law enforce- ment purposes, or for commercial or administrative ones, the 10. Substantive Measures for Privacy Protection landscape of those laws needs to be understood and addressed. In addition to process related issues for privacy protection, The use of area surveillance tools can be easily misunder- airports and airport stakeholders engaging in data collection stood and miscast as an Orwellian experience of a surveillance and processing need to ensure that policies and procedures are state. While any civil liability would likely be limited, the brand addressing substantive concerns. Those substantive concerns damage and undermining of customer confidence could be sig- are more heightened in some of the international privacy re- nificant. The application of emerging analytic technologies like gimes. The bare minimum requirements for those in the United facial recognition or ALPR, adds further controversy to the use States are included in the FIPPs. of information form these data sources. Careful consideration should be given as to how an airport uses these tools. Decisions a. FIPPs Compliance about that use should be transparent and well publicized. The FIPPs remain the central focus for U.S. enforcement c. Newer Data Subject Centric Concepts activities.682 Understanding and addressing FIPPs in system design and operation will assist airports in developing systems The regime of substantive data protection suggested by the that comply with currently accepted approaches for privacy GDPR and the CCPA, while not necessarily controlling, should protection. The application of FIPPs should certainly serve as a at least be considered by airports and airport stakeholders as baseline for commercial oriented data collection and processing they formulate substantive privacy protections. These concepts practices. extend beyond the FIPPs requirements. The application of FIPPs becomes more difficult with respect d. Opt-Out to collection and use of data from sources outside of traditional The concept of opt-out is present in both the GDPR and consumer-oriented transactions like website or application CCPA. In offering individuals this alternative, an airport or air- usage. The application of concepts like notice, consent, and ac- port stakeholder would be extending customers the opportunity cess is challenging when dealing with data gathered from area to limit or restrict the use of their data. In the case of the CCPA, surveillance tools like CCTV. Privacy challenges are further ex- that restriction would be limited to sale of the data. The GDPR offers opt outs for a more extensive number of uses. 678 â See Andrew Smith, âNew and Improved FTC Data Security e. Nondiscrimination Orders: Better Guidance for Companies, Better Protection for Consum- Related to the issue of opt-out is the concept of non ers,â FTC Official Website, (2020) accessed at https://www.ftc.gov/ discrimination. The concept prohibits the practice of denying news-events/blogs/business-blog/2020/01/new-improved-ftc-data- services to people who exercise their right to opt-out. security-orders-better-guidance (the Statement includes links to seven orders issued in 2019 utilizing the new format). f. Data Portability 679 â Id. The concept of data portability augments the FIPPs concept 680 â Risk Management Framework for Information Systems and Orga- nizations, Natâl Inst. of Standards & Tech. (Dec. 2018), https:// of access by allowing individual data subjects to request data nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2. maintained by an organization in a portable and usable format. pdfâ (this version of the Special Publication supersedes two previous This right found in both the CCPA and GDPR is thought to drafts of this Special Report the original issued in 2004 and Revision 1 enhance competition among data service providers. The imple- issued in 2010). mentation of this requirement will require the development of 681 â Guide for Developing Security Plans for Federal Information Sys- infrastructure to respond to requests from data subjects. tems, Natâl Inst. of Standards & Tech. (Feb. 2006), app. A at 27, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800- 18r1.pdf. 682 â See the discussion of FIPPs in section II.
ACRP LRD 42ââ 67 g. Right to Erasure and Right to be Forgotten that vendors may seek to use that data or derive analytics for their own purposes. There may also be third-party systems or The right to erasure is granted under the CCPA. This right tools used by airports or vendors. Those third-party data collec- allows individuals to choose to have the data collected about tion practices also need to be understood and addressed. Con- them deleted form the records of the entity they provided the tractual language must firmly establish the parameters for data information. The right does not extend to any third-party who ownership as well as ownership of any analytics drawn from that may have received the information. More extensive is the right data. Ownership should address rights associated with the use to be forgotten granted by the GDPR. That right permits an and sale of the data, including use by or sale to third parties. indiÂvidual to require any holder of the data to erase it under certain circumstances. 2. Limitation on Data Access and Use Airports attempting to square these concepts with govern- Airports will have various reasons to limit access to and uses ment record keeping requirements under state laws would likely of data. Reasons for data access and use limitations may involve have a difficult time. Absent express statutory expungement privacy interests, business considerations, or security concerns procedures, government entities are generally not at liberty to among other considerations. erase documents that constitute governmental records. Addi- Similar to data ownership, the original intent of the data tionally, first amendment protections may preclude any attempt collection and purpose will determine the extent to which data to command nongovernmental parties to erase records. can be shared. As discussed, in Section III, PPA vendors have h. Protection of Anonymity differing business models. Most vendors are scoped to operate With the growth of increasing robust surveillance systems in a system in support of airport needs. Some define a broader the United States, there is a growing concern over the ability to scope of service to the airport or provide anonymized data and remain anonymous in public spaces. In the EU where privacy refined analytics to airport partners such as airlines, concession- is viewed as a fundamental right, the ability to capture and use aires, or third parties such as hotels, transport providers, and images that have not been anonymized is much more limited. mobile app companies. Airports must consider how broadly The same is true in Canada. As airports seek to use CCTV, par- they want to share the data or derived analytics. If airports seek ticularly in conjunction with analytic technologies, they should to preserve or protect data as a commercial product, then they consider anonymizing data where possible. need to understand how that can be accomplished consistent with freedom of information and state and local record reten- i. Automated Processing Limitations tion Ârequirements.683 A growing area of concern is the expanded use of automated It is important here to clearly define the protected informa- processing and particularly the application of AI to data. This is tion and understand the metrics collected and analytics used particularly so where the use of the automated processing can to develop key performance indicators (KPIs) that may be of lead to an adverse consequence for the data subject. The GDPR concern. Contractual language that limits data use should state places limits on automated processing and requires notice of its that the data use and access is limited to purposes specified in occurrence and provides for the ability to have decisions made the agreement. Similarly, the language should limit distribu- using the automated process redone by human actors. These are tion, sharing, and repurposing of the data. If the data can be measures airports may wish to consider in the event they apply broken apart into different KPIs or used for different purposes automated processing to their data. the airport should say what specific metrics of the data that a vendor can use or grant access to. Where an airport agrees that B. Contractual Issues a vendor can repurpose or sell data to third parties, they should consider language that specify the purpose of the use and period Data collection and usage present multiple issues for airport the v endor can keep the data before deleting it.684 operators to consider when contracting with vendors, airlines, Like repurposing, reverse engineering and re-engineering tenants, and other third parties for data collection services, present issues for privacy and commercial interests of data. A sharing agreements, or other types of relationships. Airports vendor could potentially re-engineer data points to avoid data must consider issues of data ownership, use, access, storage, dis- re-sale limitations. Airports should include language in con- semination, destruction, and jurisdiction. Airportsâ contractual tracts that prevent companies from using reverse engineering strategies on these issues will vary based on the airportsâ posi- techniques with stored data. Similarly, an airport may include tion in the transaction and their governance structures, strate- language in its contract that restricts the sale of data in a form gic plans, commercial data intentions, risk assessments, techni- where a buyer could use reverse engineering techniques. cal and analytical capabilities, and the price they are willing to pay for the data. This section will address contractual consider- ations for airport operators. 683 â See Section X Interplay of Privacy and Open Government Records. 1. Data Ownership 684 â See The Eighth Data Protection Principle and International Data Airports may maintain ownership rights for the data or Transfers, United Kingdom, Info. Commissioners Office, https:// allow the vendor to own and resell the data. It is not uncommon ico.org.uk/media/for-organisations/documents/1566/international_ transfers_legal_guidance.pdf.
68 ââ ACRP LRD 42 Further, an airport should consider contractual language hazards, protection from unauthorized access to the data, data requiring the airportâs approval before a contract grants access, disposal practices, and subcontractor responsibilities.686 shares, or repurposes data. This language can specify that re- Airports may also require a vendor to comply with NISTâs quests be made in writing to specific airport officials. Special Publication 800-53.687 Airports can define the impact level, high, medium, low, that they want vendors to employ. 3. Commercial Value Airports may choose to audit vendor information security Airports looking to maximize the commercial value of data practices or require vendors to audit their own practices or collected within their airport may use intellectual property hire a third party to audit their practices. Contractual language principals to protect their data. Los Angeles World Airports should establish the airportsâ authorities to audit information (LAWA) has defined through contractual agreements that all security practices or specify the vendorsâ responsibilities to con- data collected at the airport is the property of the City of Los duct audits. This language should also include remediation re- Angeles.685 Therefore, a vendor cannot use or monetize the data sponsibilities vendors will have upon completion of the audits. without LAWAâs consent. LAWA leverages this strategy to con- trol the data and maximize their commercial opportunities in 6. Data Confidentiality the data created at their airport. An airport may have various interests in maintaining the confidentiality of data collected. Contractual language to pro- 4. Defining Collectible Data Elements tect confidentiality should define the protected information Information that an airport will consider important to pro- and require measures to protect the dataâs integrity, prevent un tect will change with every data collection use case, technology authorized access or disclosure of the information, and prevent used, and data collection specifications set. Airports should actions that could result in harm of the data subject. define parameters for data collection and identify what data collected constitutes protected information. Airports must con- 7. Data Access sider how these restrictions may limit their potential uses of the Many data collection activities at airports will be subject to data and ability to change data collection metrics or alter data freedom of information laws.688. Contractual language should analytics. specify the vendorâs responsibility regarding the data collection Defining collectible data elements is a technology and op- and their responsibilities to provide data upon request. Addi- eration specific task. Technologies will collect different forms tionally, the contract should specify any exemptions that apply. of data and each deployment will require area specific modi- Vendors may encounter instances where they are compelled fications to meet operational objectives. Therefore, an airport by law or regulation to disclose data containing potentially pro- will need to use caution when defining data elements that a tected information. Contractual language should specify proce- deployment can measure to properly limit collection activities. dures the vendor should undertake before disclosing the data. But these limitations should not prevent a technologyâs ability Airports may require written notice of the data disclosure re- to meet operational objectives. Similarly, data definitions may quest and appropriate time before the disclosure for the airports vary within a technology itself based on the technical specifica- to seek appropriate remedial action or to decide what informa- tions of the data collection. Airports should consult a technical tion can be disclosed. expert to ensure the language achieves the data protection and With respect to the collection of data, from individuals or in operational objectives. the context of data sharing agreements, airports, as public enti- ties covered by open records laws or regulations, need to pro- 5. Information Security vide notice that information collected needs to be disseminated. Airports should consider including language in data col- Schemas for data collection and sharing need to align with pub- lection contracts beyond general safekeeping statements. The lic record requirements to ensure that information can be col- language should include specific measures that address their lected consistent with those laws and any representations made Âsecurity concerns. Concerns may include data retention, pre- to preserve private or confidential information. vention of loss, and deletion of protected information. The contract should define what the airport considers protected 8. Data Sanitization and Disposal information to consist of in each data collection example. The Deployments will need to periodically sanitize and dispose contract can also spell out specific measures that a contractor of data. Airports should consider the application of their own must implement in a security program. These elements may in- policies and procedures and require compliance as appropriate clude protections from security and data integrity threats and for data collection activities. Airports can also consider requir- 686 â This information was taken from unpublished documents uti- lized by a category X airport. In accordance with National Academy of Sciences policies, this information is cited without attribution. 685 â This information was provided in an unpublished interview with 687 â Security and Privacy Controls for Federal Information Systems a city corporation counsel providing services to a category X airport. In and Organizations, Rev. 4. Natâl Inst. of Standards & Tech. (Jan. accordance with National Academy of Sciences policies, these remarks 2015). are cited without attribution. 688 â See discussion of these laws in section X.
