National Academies Press: OpenBook

Legal Implications of Data Collection at Airports (2021)

Chapter: XIII. POLICY CONSIDERATIONS AND CONTRACTUAL PROVISIONS FOR DATA COLLECTION AND USAGE

« Previous: XII. INTERNATIONAL EFFORTS
Page 63
Suggested Citation:"XIII. POLICY CONSIDERATIONS AND CONTRACTUAL PROVISIONS FOR DATA COLLECTION AND USAGE." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 63
Page 64
Suggested Citation:"XIII. POLICY CONSIDERATIONS AND CONTRACTUAL PROVISIONS FOR DATA COLLECTION AND USAGE." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 64
Page 65
Suggested Citation:"XIII. POLICY CONSIDERATIONS AND CONTRACTUAL PROVISIONS FOR DATA COLLECTION AND USAGE." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 65
Page 66
Suggested Citation:"XIII. POLICY CONSIDERATIONS AND CONTRACTUAL PROVISIONS FOR DATA COLLECTION AND USAGE." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 66
Page 67
Suggested Citation:"XIII. POLICY CONSIDERATIONS AND CONTRACTUAL PROVISIONS FOR DATA COLLECTION AND USAGE." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 67
Page 68
Suggested Citation:"XIII. POLICY CONSIDERATIONS AND CONTRACTUAL PROVISIONS FOR DATA COLLECTION AND USAGE." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.
×
Page 68

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

ACRP LRD 42 63 privacy concerns, the agency emphasizes measures to achieve commitment to privacy at the highest level of an organization. The settlement agreement in United States v. Facebook,659 dem- onstrates the FTC’s focus on governance. The settlement agree- ment requires board-level involvement in the organization’s pri- vacy activities. At airports looking to engage in data collection and use activities, similar involvement at the highest executive oversight levels of the organization should be considered. This can be accomplished by executive level involvement in privacy matters. a. Development of an Organizational Privacy Officer or Similar Position Consideration should be given to the creation of a data pri- vacy officer or position. The officer or position would focus on data collection and use and on administering an organizations privacy program. Such a consideration is particularly important in an organization that is looking to engage in substantial collec- tion and use of data. The role should include such functions as: interfacing with external privacy authorities to include regula- tors and others; ensuring compliance with internal policies and external privacy and data protection requirements; administer- ing and overseeing planning and implementation of privacy and data protection requirements; and accepting and resolving com- plaints regarding improper practices. This position should have some degree of independence in addressing privacy concerns and should have the ability to directly address concerns at the highest executive levels of the organization. The existence of data protection officers is commonplace in organizations operating under the GDPR.660 While they are not required in every instance, the GDPR certainly encourages this practice and in certain cases mandate it. The establish- ment of such a position could certainly be characterized as part of the mainstream practice for data protection. However, no such posi tions are required to be established for either Privacy Shield661 or APEC-CBPR662 compliance though the functions performed by people in such positions are specified as part of those agreements. The FTC has begun to include the creation of corporate posi tions to ensure data privacy in some of its settlements.663 The NIST Privacy Framework notes that responsibilities for pri- vacy can be left to cross-functional team implementation, an ap- proach that was criticized by the FTC. The FTC contends that 659 No. 19-cv-02184-TJK, 2020 U.S. Dist. LEXIS 72162 (D.D.C. Apr. 23, 2020). 660 (EU) 2016/679. 661 Privacy Shield Overview, Privacy Shield Framework, https:// www.privacyshield.gov/Program-Overview. 662 APEC Cross-Border Privacy Rules System, Cross Border Privacy Rules System (Nov. 2019), http://cbprs.org/wp-content/uploads/2019/ 11/4.-CBPR-Policies-Rules-and-Guidelines-Revised-For-Posting- 3-16-updated-1709-2019.pdf. 663 See, e.g., U.S. v. Facebook, Inc., No. 19-cv-02184-TJK, 2020 U.S. Dist. LEXIS 72162 (D.D.C. Apr. 23, 2020). E. Conclusions While the direct jurisdiction of GDPR over airports and air- port stakeholders in the United States is limited to a narrow set of circumstances, the influence of GDPR is larger. The “Brussels Effect”656 of the GDPR has had significant effect on the develop- ment of U.S. law. Airports that seek to operate in a global eco- system of travel and commerce need to understand the develop- ments in the EU Attorneys advising airports need to be familiar with these international developments to understand potential direct impact on airport data protection and privacy programs as well as the trends in U.S. law that may derive from EU legal initiatives. XIII. POLICY CONSIDERATIONS AND CONTRACTUAL PROVISIONS FOR DATA COLLECTION AND USAGE A. Policy Considerations Airport operators should consider policies that help mitigate legal concerns related to data collection. Each use case presents a distinct set of challenges that the airports must mitigate to ensure the value of the data collection outweighs the risks. Effective policies will address the risks posed by collection activ- ity. As discussed throughout this guidebook, airport operators must consider individual privacy concerns, notice, interactions with airlines and tenants, other third parties, and open records requirements. The following policy considerations should assist airport operators in addressing these challenges. 1. Governance Proper governance structures show a commitment to re- specting principles of data protection and privacy. Governance structures assist entities in addressing proper data collection and use practices. The FTC and other regulatory agencies focus on governance and organizational practices and frameworks to ad- minister data protection programs and protect privacy.657 These efforts must reflect the fact that data protection requires more than an identification of principles to be protected, it requires organizational structures and commitments to ensure that those principles are respected. The NIST Privacy Framework658 iden- tifies governance as a critical component of managing privacy risk. To that end organizations should consider some of the follow ing concepts in their governance strategy. 2. Executive Level Focus on Privacy The need for executive level commitment to privacy is hard to overstate. In examining the FTC’s latest efforts to address 656 Anupam Chander, Margot E. Kaminski, & William McGeveran, Catalyzing Privacy Law, 2190 Georgetown L. Fac. Publ’ns & Other Works, 27 (2019), https://scholarship.law.georgetown.edu/ facpub/2190. 657 See discussion of federal agency actions sections V and IX. 658 NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.1, Nat. Inst. of Standards. & Tech. (Apr.16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST. CSWP.04162018.pdf.

64 ACRP LRD 42 The Gatwick website delineates collection practices for differ- ent areas of data collection using different modalities, including: • CCTV cameras in and around the area • Wi-Fi at the airport • Concessions activity • Airport website • Digital services • Marketing activities • Customer service/engagement activities • Health and safety activities.670 The website also includes information on Gatwick’s data usage and information about individual’s rights under the Gatwick Privacy Policy.671 As airports look to enhance privacy protections to areas of data collection beyond website-related data collection, the Gatwick Privacy Policy is worthy of con- sideration. Examining some of the privacy policies from other international airports might also be useful in developing a com- prehensive privacy policy.672 4. Articulation of a Purpose for Data Collection The practice of clearly articulating the purpose673 for data collection is a touchstone for all privacy frameworks and gov- ernance activities. Articulating the purpose of the data collec- tion outlines both the organizational need for the data and the authority of the organization to collect it. Those purposes may vary and there may be multiple purposes that can relate to indi- vidual pieces of data. In articulating that purpose, airports need to articulate all the uses they plan to make of the data they collect. The state- ment of purpose forms the foundation for notice and consent. It also provides the benchmark for data subjects to access and participate as they gauge the fidelity of an organizations efforts to use data consistent with their stated purpose. A clear articula- tion of the uses of the data collected and processed is an increas- ing public expectation. 670 Id. 671 Id. 672 See, e.g., Privacy Policy, Munich Airport, https://www.munich- airport.com/privacy-policy-376755#26255d8dSingapore; Privacy Policy, Changi Int’l Airport, https://www.changiairport.com/en/privacy- policy.html; Brussels Airport-Privacy Policy, Brussels Airport, https:// www.brusselsairport.be/en/privacy-policy; Complete Privacy Policy, Toronto Pearson Int’l Airport, https://www.torontopearson.com/ en/privacy-policy/complete-privacy-policy. 673 What constitutes an appropriate purpose for data collection is not a universally agreed upon concept. For example, the GDPR addresses and defines legitimate purpose for collection, but no such limitation appears in the CCPA. The only requirement that is that a purpose of collection needs to be disclosed to the consumer. See, e.g., Anupam Chander, Margot E. Kaminski, & William McGeveran, Cata- lyzing Privacy Law, Georgetown Law Fac. Publ’ns & Other Works, 19-20 (2019), https://scholarship.law.georgetown.edu/facpub/2190. designating a specific individual or individuals responsible for that function is critical to success.664 b. Adoption of a Comprehensive Privacy Framework The protection of data and data privacy requires more than a commitment of personnel and resources. There is a real need for a comprehensive plan. This need is an internationally accepted tenet. The GDPR data protection and accountability principles outline several areas that must be covered for compliance.665 Similar protective regimes are suggested by the CCPA.666 The requirements imply the need for a robust organizational frame- work. The NIST Privacy Framework also offers a thoughtful and comprehensive enterprise approach to establishing a complete program to ensure that privacy is managed. Adopting such a framework will offer airports a roadmap for achieving the goals of their privacy policies and afford real data security. 3. Establishment of a Privacy Policy Establishing a data collection and privacy policy is a mea- sure that some U.S. airports have taken, primarily around the use and collection of data with airport websites.667 Los Angeles has a separate privacy policy for its website and applications.668 Many airport policies can easily be found through a search of the airport’s website. While those policies deal with some pri- vacy related issues, they are limited in scope. Expanding data collection practices requires broader thought about data protection and privacy, and airports may want to consider expanding their policies to cover privacy protections for data collected from other sources. Some international air- ports, in their attempts to comply with GDPR requirements, have taken such an approach. One example is Gatwick Airport. Gatwick maintains a website that clearly outlines privacy pro- tection for a range of data collections and use contexts.669 664 Federal Trade Commission Staff Comment on the Preliminary Draft for the NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, F.T.C. (Oct. 24, 2019), at 12-13, https://www.ftc.gov/news-events/press-releases/2019/10/ftc-staff- offers-comment-nists-proposed-privacy-framework. 665 See discussion of GDPR generally in section VII. 666 See discussion of the CCPA in section VIII. 667 See, e.g., Privacy Cookie Policy, S.F. Int’l Airport, https://www. flysfo.com/privacy-cookie-policy; Privacy Notice, Charlotte Meck- lenburg Int’l Airport, https://www.cltairport.com/privacy-notice/; Legal Privacy Policy, Dallas Fort Worth Int’l Airport, Legal Pri- vacy Policy, https://dfwairport.com/legal/index.php; Privacy Policy, Cincinnati/Northern Kentucky Int’l Airport, https://www. cvgairport.com/privacy; Privacy Policy, Tampa Int’l Airport, https:// www.tampaairport.com/privacy-policy; Privacy Policy Use Terms and Disclaimer, Des Moines Int’l Airport, https://www.dsmairport. com/about-the-airport/privacy.aspx; Privacy Policy, Rapid City Reg’l Airport, https://www.rapairport.com/privacy-policy; Privacy Policy, Palm Beach Int’l Airport, http://www.pbia.org/privacy- policy/. 668 LAWA Privacy, L.A. World Airports, https://www.lawa.org/ privacy; Application Privacy Statement, L.A. Int’l Airport, https:// www.flylax.com/en/Application-Privacy-Statement. 669 Privacy Policy, Gatwick Airport, https://www.gatwickairport. com/privacy-policy/.

ACRP LRD 42 65 vacy risk assessment. At every step from the time data is sought and received, through its use, until its destruction, privacy con- siderations must be addressed. The application of PbD princi- ples is extremely useful in that regard.676 PbD principles suggest a proactive, transparent system that addresses privacy protection as a positive value in meeting orga- nizational goals and objectives. The system of protection needs to center around individuals ensuring security at every step in the lifecycle of data use in the organization from collection to destruction. PbD imposes a default position in favor of privacy. The data subject does not have to take action to protect privacy, the system provides that protection without the subject’s action. IT systems in particular should embrace these concepts. The application of PbD is referenced in both the GDPR and the NIST Privacy Framework. Both these foundational works recognize the importance of a comprehensive approach to privacy protection. Weaving privacy protection into the fabric of organizational processes is the hallmark of PbD. This ap- proach includes technical, operational, and administrative considerations. 8. Establishment of Measures to Ensure Compliance While PbD seeks to shift focus on privacy away from what was seen as reactive and traditional compliance-oriented mind- set, ensuring compliance remains a necessary function. The development of any well-functioning system must include measures to ensure that internal processes are being followed. A system of evaluative processes can ensure that the organiza- tion is operating consistent with its legitimate privacy goals and directives. Audits, both internal and external, as well as internal com- pliance reporting systems, provide useful measures to achieve a compliance posture that is more proactive in nature. In sev- eral of its settlements, the FTC has sought and received com- mitments for enhancing audit and reporting in their settlement orders.677 These measures help to ensure the type of organiza- tional accountability raised by the GDPR and NIST Privacy Framework. 9. Establishment of Measures to Ensure Data Security In an era of growing cybersecurity threats, the importance of data security is hard to overstate. Both the GDPR and NIST Privacy Framework stress the importance of appropriate secu- rity measures. Designing those measures and ensuring their ap- plication is of critical importance. In response to court criticism concerning the vagueness of remedial orders, the FTC has developed a more detail-oriented approach to outlining requirements for data security. A careful review of the FTC approach offers airports insights into data security measure design that meets acceptable standards. The FTC’s new approach includes requirements for “comprehensive, 676 See discussion of PbD principles in section II. 677 See, e.g., U.S. v. Facebook, Inc., No. 19-2184 (TJK), 2020 U.S. Dist. LEXIS 72162 (D.C.C. Apr. 23, 2020). 5. Establishment of Data Minimization Practices The concept of data minimization adopted by the GDPR flows from the requirement of defining a legitimate purpose for data collection and using that purpose as the central operat- ing provision. Only data necessary to accomplish the legitimate purpose should be collected or maintained. Airports should focus on narrowing the field of data collected wherever possible and discarding data no longer needed. The concept of data minimization is not universally adopted. In contrast to the GDPR the CCPA does not require data minimi- zation, only transparency with respect is collected.674 Moreover, a policy of data minimization may create tension with statutorily imposed data retention requirements or those imposed by local ordinance. Data retention by government agencies may be com- pelled even in instances where there is no operational need. The exercise of data minimization practice can have benefits beyond privacy protection. Because these practices minimize the amount of data on hand, there is a reduction on the admin- istrative burden producing its information in response to public requests. There is also a reduction in storage and a reduced risk of breach. Airports should strongly consider these factors when making decisions to engage in data collection. 6. Establishment of Process to Assess Privacy Risk GDPR Data Protection Impact Assessments offer a path forward to the assessment of privacy risk.675 The NIST Privacy Framework suggests similar risk evaluative processes. Risk as- sessments should be conducted before data is collected and should be updated as the system operates. Assessing the neces- sity and proportionality of the data collection effort constitute two key issues in the risk assessment process. Looking at the sensitivity of the data collected is also important. The more sen- sitive the information the more circumspect an airport should be in collecting it and the grater the efforts that should be ex- tended to ensure that it is securely maintained. As an example, financial or health-related information is extremely sensitive and therefore should receive special considerations. Airports must assess data usage with the understanding that while collecting data may be useful and profitable, misuse or loss of personal data not only poses risk to the data subject, but also to the organization collecting, processing, and using it. The loss or misuse of data can result in lost customers, damage to an organization’s brand, financial penalties, and possible civil and even criminal liability. 7. Establishment of Process to Develop and Implement Privacy Protection Airports should consider employing a comprehensive ap- proach to privacy protection across the enterprise. Such an ap- proach requires an understanding of the circumstances under which data is collected and used, and consistency with the pri- 674 Id. pp. 21-22. 675 While these assessments can be mandatory in certain circum- stances under the GDPR, it is not a requirement under the CCPA. Id. at 21.

66 ACRP LRD 42 acerbated by the use of emerging analytic tools like AI and ML that enhance the ability to individuate information. b. Questions Around Area Surveillance Systems The growing use of area surveillance tools like CCTV, par- ticularly by airports as governmental entities, raises questions not easily dealt with by existing law. Even the expanded cover- age offered by a statute like the CCPA, which focuses on con- sumer transactions, is of limited use. The expansive privacy law developed by the FTC is similarly unavailing. The sources of law that do touch on the use of technologies are state and federal constitutional provisions and some discrete statutes and local ordinances concerning surveillance and privacy protections. Whether data being collected is used for security or law enforce- ment purposes, or for commercial or administrative ones, the landscape of those laws needs to be understood and addressed. The use of area surveillance tools can be easily misunder- stood and miscast as an Orwellian experience of a surveillance state. While any civil liability would likely be limited, the brand damage and undermining of customer confidence could be sig- nificant. The application of emerging analytic technologies like facial recognition or ALPR, adds further controversy to the use of information form these data sources. Careful consideration should be given as to how an airport uses these tools. Decisions about that use should be transparent and well publicized. c. Newer Data Subject Centric Concepts The regime of substantive data protection suggested by the GDPR and the CCPA, while not necessarily controlling, should at least be considered by airports and airport stakeholders as they formulate substantive privacy protections. These concepts extend beyond the FIPPs requirements. d. Opt-Out The concept of opt-out is present in both the GDPR and CCPA. In offering individuals this alternative, an airport or air- port stakeholder would be extending customers the opportunity to limit or restrict the use of their data. In the case of the CCPA, that restriction would be limited to sale of the data. The GDPR offers opt outs for a more extensive number of uses. e. Nondiscrimination Related to the issue of opt-out is the concept of non- discrimination. The concept prohibits the practice of denying services to people who exercise their right to opt-out. f. Data Portability The concept of data portability augments the FIPPs concept of access by allowing individual data subjects to request data maintained by an organization in a portable and usable format. This right found in both the CCPA and GDPR is thought to enhance competition among data service providers. The imple- mentation of this requirement will require the development of infrastructure to respond to requests from data subjects. process-based data security program[s]”678 Those programs in- clude provisions for “yearly employee training, access controls, monitoring systems for data security incidents, patch manage- ment systems, and encryption.”679 In addition to the NIST Privacy Framework, NIST has authored some additional publications that may be helpful to airports in addressing security requirements. These publications provide a framework for assessing and evaluating security risk680 and technical support for the development of information secu- rity templates.681Adopting measures suggested by organizations like NIST will likely assist in defending the efficacy of data secu- rity measures. Failure to maintain proper data security exposes entities to civil liability, potential fines and penalties, and repu- tational damage. 10. Substantive Measures for Privacy Protection In addition to process related issues for privacy protection, airports and airport stakeholders engaging in data collection and processing need to ensure that policies and procedures are addressing substantive concerns. Those substantive concerns are more heightened in some of the international privacy re- gimes. The bare minimum requirements for those in the United States are included in the FIPPs. a. FIPPs Compliance The FIPPs remain the central focus for U.S. enforcement activities.682 Understanding and addressing FIPPs in system design and operation will assist airports in developing systems that comply with currently accepted approaches for privacy protection. The application of FIPPs should certainly serve as a baseline for commercial oriented data collection and processing practices. The application of FIPPs becomes more difficult with respect to collection and use of data from sources outside of traditional consumer-oriented transactions like website or application usage. The application of concepts like notice, consent, and ac- cess is challenging when dealing with data gathered from area surveillance tools like CCTV. Privacy challenges are further ex- 678 See Andrew Smith, “New and Improved FTC Data Security Orders: Better Guidance for Companies, Better Protection for Consum- ers,” FTC Official Website, (2020) accessed at https://www.ftc.gov/ news-events/blogs/business-blog/2020/01/new-improved-ftc-data- security-orders-better-guidance (the Statement includes links to seven orders issued in 2019 utilizing the new format). 679 Id. 680 Risk Management Framework for Information Systems and Orga- nizations, Nat’l Inst. of Standards & Tech. (Dec. 2018), https:// nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2. pdf (this version of the Special Publication supersedes two previous drafts of this Special Report the original issued in 2004 and Revision 1 issued in 2010). 681 Guide for Developing Security Plans for Federal Information Sys- tems, Nat’l Inst. of Standards & Tech. (Feb. 2006), app. A at 27, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800- 18r1.pdf. 682 See the discussion of FIPPs in section II.

ACRP LRD 42 67 that vendors may seek to use that data or derive analytics for their own purposes. There may also be third-party systems or tools used by airports or vendors. Those third-party data collec- tion practices also need to be understood and addressed. Con- tractual language must firmly establish the parameters for data ownership as well as ownership of any analytics drawn from that data. Ownership should address rights associated with the use and sale of the data, including use by or sale to third parties. 2. Limitation on Data Access and Use Airports will have various reasons to limit access to and uses of data. Reasons for data access and use limitations may involve privacy interests, business considerations, or security concerns among other considerations. Similar to data ownership, the original intent of the data collection and purpose will determine the extent to which data can be shared. As discussed, in Section III, PPA vendors have differing business models. Most vendors are scoped to operate a system in support of airport needs. Some define a broader scope of service to the airport or provide anonymized data and refined analytics to airport partners such as airlines, concession- aires, or third parties such as hotels, transport providers, and mobile app companies. Airports must consider how broadly they want to share the data or derived analytics. If airports seek to preserve or protect data as a commercial product, then they need to understand how that can be accomplished consistent with freedom of information and state and local record reten- tion requirements.683 It is important here to clearly define the protected informa- tion and understand the metrics collected and analytics used to develop key performance indicators (KPIs) that may be of concern. Contractual language that limits data use should state that the data use and access is limited to purposes specified in the agreement. Similarly, the language should limit distribu- tion, sharing, and repurposing of the data. If the data can be broken apart into different KPIs or used for different purposes the airport should say what specific metrics of the data that a vendor can use or grant access to. Where an airport agrees that a vendor can repurpose or sell data to third parties, they should consider language that specify the purpose of the use and period the vendor can keep the data before deleting it.684 Like repurposing, reverse engineering and re-engineering present issues for privacy and commercial interests of data. A vendor could potentially re-engineer data points to avoid data re-sale limitations. Airports should include language in con- tracts that prevent companies from using reverse engineering techniques with stored data. Similarly, an airport may include language in its contract that restricts the sale of data in a form where a buyer could use reverse engineering techniques. 683 See Section X Interplay of Privacy and Open Government Records. 684 See The Eighth Data Protection Principle and International Data Transfers, United Kingdom, Info. Commissioners Office, https:// ico.org.uk/media/for-organisations/documents/1566/international_ transfers_legal_guidance.pdf. g. Right to Erasure and Right to be Forgotten The right to erasure is granted under the CCPA. This right allows individuals to choose to have the data collected about them deleted form the records of the entity they provided the information. The right does not extend to any third-party who may have received the information. More extensive is the right to be forgotten granted by the GDPR. That right permits an indi vidual to require any holder of the data to erase it under certain circumstances. Airports attempting to square these concepts with govern- ment record keeping requirements under state laws would likely have a difficult time. Absent express statutory expungement procedures, government entities are generally not at liberty to erase documents that constitute governmental records. Addi- tionally, first amendment protections may preclude any attempt to command nongovernmental parties to erase records. h. Protection of Anonymity With the growth of increasing robust surveillance systems in the United States, there is a growing concern over the ability to remain anonymous in public spaces. In the EU where privacy is viewed as a fundamental right, the ability to capture and use images that have not been anonymized is much more limited. The same is true in Canada. As airports seek to use CCTV, par- ticularly in conjunction with analytic technologies, they should consider anonymizing data where possible. i. Automated Processing Limitations A growing area of concern is the expanded use of automated processing and particularly the application of AI to data. This is particularly so where the use of the automated processing can lead to an adverse consequence for the data subject. The GDPR places limits on automated processing and requires notice of its occurrence and provides for the ability to have decisions made using the automated process redone by human actors. These are measures airports may wish to consider in the event they apply automated processing to their data. B. Contractual Issues Data collection and usage present multiple issues for airport operators to consider when contracting with vendors, airlines, tenants, and other third parties for data collection services, sharing agreements, or other types of relationships. Airports must consider issues of data ownership, use, access, storage, dis- semination, destruction, and jurisdiction. Airports’ contractual strategies on these issues will vary based on the airports’ posi- tion in the transaction and their governance structures, strate- gic plans, commercial data intentions, risk assessments, techni- cal and analytical capabilities, and the price they are willing to pay for the data. This section will address contractual consider- ations for airport operators. 1. Data Ownership Airports may maintain ownership rights for the data or allow the vendor to own and resell the data. It is not uncommon

68 ACRP LRD 42 hazards, protection from unauthorized access to the data, data disposal practices, and subcontractor responsibilities.686 Airports may also require a vendor to comply with NIST’s Special Publication 800-53.687 Airports can define the impact level, high, medium, low, that they want vendors to employ. Airports may choose to audit vendor information security practices or require vendors to audit their own practices or hire a third party to audit their practices. Contractual language should establish the airports’ authorities to audit information security practices or specify the vendors’ responsibilities to con- duct audits. This language should also include remediation re- sponsibilities vendors will have upon completion of the audits. 6. Data Confidentiality An airport may have various interests in maintaining the confidentiality of data collected. Contractual language to pro- tect confidentiality should define the protected information and require measures to protect the data’s integrity, prevent un- authorized access or disclosure of the information, and prevent actions that could result in harm of the data subject. 7. Data Access Many data collection activities at airports will be subject to freedom of information laws.688. Contractual language should specify the vendor’s responsibility regarding the data collection and their responsibilities to provide data upon request. Addi- tionally, the contract should specify any exemptions that apply. Vendors may encounter instances where they are compelled by law or regulation to disclose data containing potentially pro- tected information. Contractual language should specify proce- dures the vendor should undertake before disclosing the data. Airports may require written notice of the data disclosure re- quest and appropriate time before the disclosure for the airports to seek appropriate remedial action or to decide what informa- tion can be disclosed. With respect to the collection of data, from individuals or in the context of data sharing agreements, airports, as public enti- ties covered by open records laws or regulations, need to pro- vide notice that information collected needs to be disseminated. Schemas for data collection and sharing need to align with pub- lic record requirements to ensure that information can be col- lected consistent with those laws and any representations made to preserve private or confidential information. 8. Data Sanitization and Disposal Deployments will need to periodically sanitize and dispose of data. Airports should consider the application of their own policies and procedures and require compliance as appropriate for data collection activities. Airports can also consider requir- 686 This information was taken from unpublished documents uti- lized by a category X airport. In accordance with National Academy of Sciences policies, this information is cited without attribution. 687 Security and Privacy Controls for Federal Information Systems and Organizations, Rev. 4. Nat’l Inst. of Standards & Tech. (Jan. 2015). 688 See discussion of these laws in section X. Further, an airport should consider contractual language requiring the airport’s approval before a contract grants access, shares, or repurposes data. This language can specify that re- quests be made in writing to specific airport officials. 3. Commercial Value Airports looking to maximize the commercial value of data collected within their airport may use intellectual property principals to protect their data. Los Angeles World Airports (LAWA) has defined through contractual agreements that all data collected at the airport is the property of the City of Los Angeles.685 Therefore, a vendor cannot use or monetize the data without LAWA’s consent. LAWA leverages this strategy to con- trol the data and maximize their commercial opportunities in the data created at their airport. 4. Defining Collectible Data Elements Information that an airport will consider important to pro- tect will change with every data collection use case, technology used, and data collection specifications set. Airports should define parameters for data collection and identify what data collected constitutes protected information. Airports must con- sider how these restrictions may limit their potential uses of the data and ability to change data collection metrics or alter data analytics. Defining collectible data elements is a technology and op- eration specific task. Technologies will collect different forms of data and each deployment will require area specific modi- fications to meet operational objectives. Therefore, an airport will need to use caution when defining data elements that a deployment can measure to properly limit collection activities. But these limitations should not prevent a technology’s ability to meet operational objectives. Similarly, data definitions may vary within a technology itself based on the technical specifica- tions of the data collection. Airports should consult a technical expert to ensure the language achieves the data protection and operational objectives. 5. Information Security Airports should consider including language in data col- lection contracts beyond general safekeeping statements. The language should include specific measures that address their security concerns. Concerns may include data retention, pre- vention of loss, and deletion of protected information. The contract should define what the airport considers protected information to consist of in each data collection example. The contract can also spell out specific measures that a contractor must implement in a security program. These elements may in- clude protections from security and data integrity threats and 685 This information was provided in an unpublished interview with a city corporation counsel providing services to a category X airport. In accordance with National Academy of Sciences policies, these remarks are cited without attribution.

Next: XIV. RESOURCE GUIDE »
Legal Implications of Data Collection at Airports Get This Book
×
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

As technology evolves, airports and their partners collect more data from passengers, employees, tenants, concessionaires, airlines, and others. This data is used in many ways, including for facility management, security, ground transportation, marketing, understanding passenger preferences, and enhancing the travel experience.

The TRB Airport Cooperative Research Program's ACRP Legal Research Digest 42: Legal Implications of Data Collection at Airports provides a survey of applicable law; considerations for the collection and safekeeping of data; and a review of the issues that arise related to data collection among airports, their tenants, and other users. It also offers an understanding of the expansion in law around data collection and use.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!