12 ACRP LRD 42

A. Use Case Domain #1 - Technology Services - PPA

PPA can be categorized as a surveillance capability, collecting data from sensors, sometimes including cameras, to quantify passenger space use and model passenger rate of movement from one area of the airport to another. These kinds of capabilities allow airports and their partners to plan and reorganize in real time to reduce queue times and redesign staffing and services to meet demand. The data can be provided to third-party service providers which inform passengers and provide enhanced services based on how long it will take to travel from curb or parking through check-in, to screening, to concessions, to holding rooms, to baggage, and so on. This data offers important operational insights for airports as well as commercially valuable information for airport stakeholders like airlines, tenants, and concessions.

PPA data is of significant commercial value to concessionaires and airports as it can indicate foot traffic rates and dwell times of passengers in relation to shopping and dining locations. For example, PPA data could be correlated with anonymized point of sale data to create per passenger sales rates, providing a performance metric that compares similar concessions (i.e., coffee shops) across locations. This information would be important to both the airport and concessionaires in understanding the sales performance of their locations. It can be presented with sufficient granularity by time of day, day of week, and month of year, so that better decisions can be made to optimize performance. PPA also allows an airport to understand the value of its real estate in more granular terms of foot traffic, setting the stage for pricing rental contracts based on foot traffic per stall vs. a more generalized model.

PPA also provides insights that support airport operations. Staff levels can be decided more accurately to meet a certain level of service. For example, TSA can understand wait times and make adjustments to meet the screening demand and make adjustments against the regular schedule, as well as seasonal implications such as the impacts of cold weather clothes on passenger throughput capacity. Cleaning services can understand foot traffic per restroom and organize cleaning based on the level of use. Maintenance services can understand demand for and level of use for escalators, moving walkways, and elevators, prioritizing maintenance and recovery investments accordingly.

Accurate PPA data can also contribute significantly to improving the passenger journey. Airlines can use PPA data to help understand wait and travel times and make more accurate determinations on how long it will take for a passenger to go from check-in to the gate. This information is critical to helping airlines minimize delays and address missed flights. Similarly, this information can assist travelers and reduce their stress by helping them better understand their ability to catch flights and adjust their travel itineraries if needed. Provided to travel app developers (e.g., Uber, Lyft, Google Maps and/or Waze), insights from PPA can support functionality to help travelers more effectively manage their journey from doorstep to gate. Some airport hotels are already equipping their lobbies with this type of information to help their customers better plan their travel. Accurate PPA data would have commercial value for them as well.

1. Inventory and Mapping:

a. Systems, products, or services: PPAs have various approaches including LIDAR, stereo cameras, Wi-Fi, or Bluetooth Low Energy (BLE) (see description below in section d. Data Actions).

b. Owners or operators: Vendors often install and operate these systems, delivering analytic services, and, upon request, data. Contracts should articulate the airport's and vendor's ownership rights to the data collected and analytics produced.

c. Individuals or data subjects: The technologies attempt to track airport passengers as the primary data subjects. Airports often request that vendors differentiate employees from passengers in the analytics.

d. Data actions: Generally, any information that could be characterized as PII is captured and processed at the edge but not collected or retained by the system. Only anonymous data is transmitted to the cloud for added analytics.

Wi-Fi and BLE: For example, for a PPA system using Wi-Fi and BLE, a MAC address is sensed and encoded at the edge so that the number registered in the central repository is not identifiable to the original MAC address of the devices being tracked. This task can be done by capturing only the last few digits of a MAC address and/or by hashing the MAC address. Thus, while the system may be capable of collecting potential PII, NO PII data should be collected, maintained in, or analyzed by the PPA system.

Video Analytics: Similarly, with respect to CCTV-based input into a PPA system, raw video data is not retained by the PPA system. Video footage is processed to locate passengers in space and time, and only an icon representing a passenger is maintained in the system. Using one method, PPA has dedicated cameras that capture and process video at the location of the camera, transmitting only anonymous data (reducing out the video footage). This method does not collect or retain PII, as the video footage is never processed to identify anyone from the video footage. Instead, this method strips out the data required for analysis, and nothing else is collected or retained in the PPA system. Another approach uses information from existing CCTV systems. Using analytic software, images are taken directly from CCTV cameras or from a video management system. The data is then analyzed, and only non-PII data necessary for PPA analysis is extracted. That data is then forwarded for PPA. The raw video may be retained by the general CCTV surveillance system, but it is disconnected from the PPA analysis.
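The edge encoding of a sensed Wi-Fi/BLE MAC address described under d. Data actions, as an added example that is not code from the digest or from any PPA vendor. It assumes a per-day secret key that stays on the sensor and is discarded when the day ends, an 8-byte pseudonym, and constructed zone names and MAC addresses; it also implements the digest's "last few digits" option and shows the travel-time analytic run centrally on pseudonyms alone, so the raw address never leaves the edge.

```python
"""Edge pseudonymization of Wi-Fi/BLE MAC addresses for a PPA sensor.

Added example, not code from the ACRP digest or any vendor.  Assumed design:
the sensor generates a secret key per analysis window (here: per calendar
day), keeps it only on the edge device and discards it when the window ends.
The central repository receives keyed, truncated pseudonyms plus timestamps
and zone names, never the sensed MAC address.
"""
import hashlib
import hmac
import re
import secrets
from datetime import date
from typing import Dict, List, Optional, Tuple

_HEX12 = re.compile(r"[0-9A-Fa-f]{12}")


def normalize_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 6 raw bytes."""
    hexstr = re.sub(r"[:\-.]", "", mac.strip())
    if not _HEX12.fullmatch(hexstr):
        raise ValueError("not a MAC address: %r" % mac)
    return bytes.fromhex(hexstr)


def is_randomized(mac: str) -> bool:
    """True when the locally-administered bit (0x02 of the first octet) is set.

    Phones that randomize their Wi-Fi MAC set this bit, so such readings are not
    stable device identifiers; this bears on the count accuracy the digest lists
    under bias, not on identifiability.
    """
    return bool(normalize_mac(mac)[0] & 0x02)


def last_digits(mac: str, n: int = 4) -> str:
    """The digest's first option: keep only the trailing hex digits.

    Irreversible because most of the address is discarded, but many devices share
    a suffix, so this supports counts rather than per-device travel times.
    """
    return normalize_mac(mac).hex()[-n:]


class EdgePseudonymizer:
    """The digest's second option (hashing), done with a keyed hash.

    A bare hash of a MAC can be recomputed by anyone holding the digest because
    the address space is small; an HMAC under a key that never leaves the sensor
    cannot.  Binding the day into the message keeps pseudonyms linkable within a
    day (dwell and travel times) but not across days.
    """

    def __init__(self, window: date, key: Optional[bytes] = None, out_len: int = 8):
        self.window = window
        self._key = key if key is not None else secrets.token_bytes(32)
        self.out_len = out_len  # bytes of HMAC-SHA256 kept; 8 is ample for per-day linkage

    def pseudonym(self, mac: str) -> str:
        msg = self.window.isoformat().encode() + normalize_mac(mac)
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        return tag[: self.out_len].hex()


Reading = Tuple[int, str, str]  # (unix seconds, zone, sensed MAC): exists only on the edge
Record = Tuple[int, str, str]   # (unix seconds, zone, pseudonym): what is transmitted


def edge_process(readings: List[Reading], p: EdgePseudonymizer) -> List[Record]:
    """Runs on the sensor: replace the MAC before anything leaves the device."""
    return [(ts, zone, p.pseudonym(mac)) for ts, zone, mac in readings]


def travel_times(records: List[Record], zone_from: str, zone_to: str) -> Dict[str, int]:
    """Runs centrally on pseudonyms only: seconds from first sight in zone_from
    to the first later sight in zone_to, per pseudonym."""
    first_seen: Dict[str, int] = {}
    out: Dict[str, int] = {}
    for ts, zone, pid in sorted(records):
        if zone == zone_from and pid not in first_seen:
            first_seen[pid] = ts
        elif zone == zone_to and pid in first_seen and pid not in out:
            out[pid] = ts - first_seen[pid]
    return out


# Constructed sample readings (zone names and MAC addresses are made up).
SAMPLE_READINGS: List[Reading] = [
    (1000, "curb", "a4:5e:60:11:22:33"),
    (1010, "curb", "A4-5E-60-44-55-66"),
    (1020, "curb", "02:00:00:aa:bb:cc"),  # randomized (locally administered) address
    (1300, "checkpoint", "a45e.6011.2233"),
    (1700, "checkpoint", "a4:5e:60:44:55:66"),
]


def demo(day: date = date(2024, 1, 1)) -> Dict[str, int]:
    """Whole pipeline on the sample: two devices reach the checkpoint, one does not."""
    return travel_times(edge_process(SAMPLE_READINGS, EdgePseudonymizer(day)), "curb", "checkpoint")
```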
Light Detection and Ranging (LIDAR): LIDAR is a detection system that works on the principle of radar but uses light from a laser. LIDAR is used for PPA by detecting people in a similar fashion as video, but (unlike video) does not collect features that would make people uniquely identifiable from the raw data. While there are intrinsic privacy benefits to using LIDAR versus Video Analytics and Wi-Fi/BLE, LIDAR is expensive and cannot confirm actual travel times from one area of the airport to another. LIDAR also does not support the CCTV public safety surveillance goals of an airport requiring the ability to identify individuals.

e. Purpose of data actions: Data is analyzed in aggregate form to understand trends and is not intended to identify individual passengers. It is intended to allow airport operators and partners to understand travel and processing times, traffic flows, and congestion areas from ticketing, through security, at baggage, and getting to and from transportation options. This data can be used purely for operational purposes and/or sold as a commercial product.

f. Data elements: Data elements consist of Wi-Fi or BLE (MAC address); LIDAR (point cloud of person); or video cameras (image of person).

g. Data processing environment: Normally a three-step process consisting of (1) capturing and (2) processing using edge computing techniques, cloud analytics, and API interface with business intelligence for (3) end customer consumption of analytics.

2. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case.

a. Contextual Factors: Normally, PPA is a surveillance capability that senses people in a public space, analyzing their movement for aggregate information about flow, dwell times, travel times, and passenger space use demand.

b. Analytics evaluated for typical biases: Bias in PPA relates to count and movement accuracy and not to accuracy related to the identity of a data subject.

c. Problematic data actions identified: Unique identifiers for cellphones as they engage Wi-Fi and BLE can potentially be associated with an individual, and stereo cameras may capture facial images associating an individual with a time and place. Anonymization techniques can remove the unique identifier for devices and facial features from the process, reducing risk. While the system is not designed to collect, maintain, or analyze PII data, that type of data may be momentarily captured at the edge by the sensors and anonymized or discarded.

d. Problematic data actions prioritized: Prioritization is dependent on jurisdiction and an airport's risk profile. The elimination of PII at the edge needs to be assured.

3. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.

a. Data processing ecosystem parties: Vendor, airport, data subjects, and airport stakeholders.

b. Contracts considered: Typically, airports require vendors to comply with all federal, state, and local laws pertaining to PII.

c. Interoperability frameworks: Bluetooth hosts Interoperability Prototype test events often and globally, and protocol standardization is well developed.58

d. Data processing ecosystem audits/evaluation: Through transparent testing and experimentation, BLE is well developed as a global technology.

4. FIPPs Analysis:

a. Notice and Awareness: Key to the issue of notice is an articulation of the purpose of data collection and the techniques employed in collection. Since the PPA system is designed to operate without the collection and use of PII, that fact should be explained as well. While some PPA systems are designed in a manner similar to general CCTV surveillance systems, or in some cases extract data from those systems, the fundamental difference is that PII or even potential PII is not collected. Because there is no PII captured in PPAs, FIPPs notice requirements are not applicable.59 While some jurisdictions may require notice of general CCTV surveillance, this requirement is not universal, and with respect to systems in public places in most U.S. jurisdictions notice is not provided. This contrasts sharply with international privacy protection regimes like GDPR, which require notice.60 Where notice is not required for general CCTV surveillance systems, which contain information that could be translated into PII, it is unlikely that notice would be required for a PPA system, which does not contain PII. If an airport wishes to provide notice, then that is commonly accomplished through signage in the areas where PPA is being employed. Airports may also consider providing notice through posting information about the PPA program and data collection on airport websites or other communications channels. Even if not legally required, providing notice can help foster transparency in airport use of data.

b. Choice and Consent: Because the PPA system is not collecting PII and notice is not required under a FIPPs

58 Interoperability Is Essential to All Bluetooth Technology Solutions, Bluetooth, https://www.bluetooth.com/specifications/interoperable-prototype-test-events/.
59 Luke Irwin, Does Your Use of CCTV Comply with the GDPR, IT Governance (Oct. 3, 2019), https://itgovernance.co.uk/blog/does-your-use-of-cctv-comply-with-the-gdpr.
60 See, e.g., id.
analysis, consent is not required. Where an airport decides to provide notice, PPA collection consent could arguably be implied from a person's continued use of the facility.

c. Access and Participation: PPA systems must be designed and operated not to maintain any data pertaining to an individual passenger. Identifying data should be removed at the edge or otherwise excluded from analysis, with the system storing only anonymized data. Where no PII is being collected and retained, the issue of access is not implicated. Access rights would be limited to ensuring that PII is not being collected or retained.

d. Integrity and Security: The major data integrity and security concern would be the removal of PII before data analysis and storage.

e. Enforcement and Redress: Audit capabilities and data controls should be established to ensure that the PPA system is operating without the collection or retention of PII. Where there is inconsistency between program requirements and the performance of the airport or a vendor, there needs to be a process to ensure a return to compliance. The notice should outline the process for individuals to raise concerns about system operations that ensure that PII is not being collected.

B. Use Case Domain #2 - Security and Terminal Operations - Biometrics

Starting in 2007, the U.S. began issuing biometric-enabled passports standardized through the ICAO. Through this initiative, biometrics has become well-established to support passenger screening at CBP checkpoints. Subsequently, private sector companies began operating biometric screening at airports as well. TSA's 2016 Biometric Roadmap highlights an intent to roll out biometric matching services to support automating identification processes for international and domestic travelers to include check-in, bag drop, checkpoints, and gate operations.61 The TSA provided the schematic depicted in Figure 2 to demonstrate how the process would work and the stakeholders involved.

Figure 2: Notional Biometric Passenger Experience Stakeholder Roles and Responsibilities.62

In June 2017, Delta Airlines launched a biometrically enabled self-bag drop at Minneapolis/St. Paul International Airport (MSP).63 In January 2018, Los Angeles International Airport (LAX) launched biometric e-gates for boarding flights departing the U.S.64 Both capabilities are provided by third-party vendors and supported by CBP TVS for biometric matching. Parallel to CBP's TVS support services for biometric matching, the CLEAR program,65 which is operated by a private party, is currently operating at several U.S. airports and provides biometric matching services in conjunction with TSA screening operations. Airports and airport stakeholders are exploring ways to incorporate biometric matching services across the passenger pathway. This review addresses the current federally authorized biometric uses at airports. In all these cases, the biometric matching is performed by third-party software. The hardware that applies that software (check-in kiosks, baggage drops, or eGates) may be provided by airports or airlines, but the matching process and the databases queried for identification are owned by the federal government or federally authorized vendors.

1. Inventory and Mapping:

a. Systems, products, and services: Biometric systems leverage fingerprints, iris scans, and/or face geometry to automate identity verification processes in support of self-service check-in, bag drop, screening, and boarding operations.

b. Owners or operators: Typically, third-party vendors are contracted to install and operate the system in cooperation with the airport, airlines, or border security or other security services.

c. Individuals (or data subjects): Passengers.

d. Data actions: For CBP TVS supported systems, the passenger's photo is taken either by CBP-owned cameras or equipment provided by airlines or the airport. TVS compares the new photo with DHS holdings, which include photos previously taken from U.S. passports, visas, or other travel documents. For private sector systems such as CLEAR, a passenger is biometrically enrolled with fingerprint and iris scans in a proprietary system, and verification is performed against these holdings by the company. With respect to processes like check-in, bag drop, and boarding, the processing systems replace human review of identification documents. A biometric characteristic, usually facial geometry, serves in lieu of the boarding pass and identification document(s). The CLEAR program is currently used only for identity checks in connection with checkpoint screening under the Registered Traveler Program. The program currently performs this function by using fingerprint-based or retinal biometric processes. This "front of the line" service allows for identity check after a voluntary biometric enrollment and screening process. Passenger identity is checked through biometric matching at kiosks supervised by CLEAR employees, who then escort passengers to the front of TSA lines for security screening.66

e. Purpose of data actions: To automate and enhance the identity verification process for both security and commercial purposes consistent with the facilitation of passenger movement.

f. Data elements: Image of face, iris, or fingerprint, which is transformed by proprietary algorithms into a template that is compared and matched against an existing template.

g. Data processing environment: An optical sensor or scanner captures an image directly from a passenger at the airport.

2. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case.

a. Contextual Factors: Biometrics is an automated identity verification system used during passenger processing.

b. Analytics evaluated for typical biases: While facial image matching is most convenient for passengers, it is still currently controversial as it has shown varying efficacy rates for different ethnicities. Fingerprints and iris scans are generally accepted as more reliable and less controversial but are more expensive and operationally cumbersome.

c. Problematic data actions identified: Imposter and spoof attacks are presented when someone compromises someone else's biometric identity. Biometric identities must be stored for comparison reasons, and biometric data breaches pose a major privacy risk. The concept of a seamless travel experience requires exchanges of portions of this data between commercial entities and governmental entities with differing interests, rules, and restrictions on handling information. This exacerbates the process of ensuring privacy protections. In processing the biometric data, it is important that the hardware systems are designed and operated in such a way that no data is collected, retained, or transmitted on the hardware except as specified in program requirements.

d. Problematic data actions prioritized: Prioritization depends on jurisdiction and an airport's risk profile for how an airport is using biometrics.

3. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.

a. Data processing ecosystem parties identified: CBP TVS, hardware and service vendors, airport, biometric data subjects (passengers and employees).

b. Contracts considered: Federal regulation governs TSA/CBP use of biometric data. For private operating systems like CLEAR, airports require vendors to comply with all applicable federal, state, and local laws pertaining to biometrics. Use of CLEAR requires amendment to the airport's federally regulated security program.

c. Interoperability frameworks: The International Standards Organization (ISO) and the American National Standards Institute (ANSI)/National Institute of Standards and Technology (NIST) have standards pertaining to biometrics and interoperability (ISO/IEC JTC 1/SC 37,67 ANSI/NIST-ITL Standard).68

d. Data processing ecosystem audits/evaluation: Through ISO and ANSI/NIST, biometric system audit functions are tested and standardized.

4. FIPPs Analysis:

a. Notice and Awareness: Through biometric enrollment and subsequent screening/verification, passengers should be clearly advised regarding the purposes of the program and the use that will be made of any PII. The notice should explain the rights of access and methods to correct any inaccurate data. The notice should give contact information so that passengers can exercise their access and redress rights.

b. Choice and Consent: Passengers and employees provide written consent to biometric enrollment and subsequent screening during enrollment. Once an enrollment occurs, however, it is unclear with respect to the

61 TSA Biometric Roadmap, For Aviation Security & the Passenger Experience, Trans. Sec. Admin. (Sept. 2018), https://www.tsa.gov/sites/default/files/tsa_biometrics_roadmap.pdf.
62 Id. at 18.
63 Delta Opens First Biometric Self-Service Bag Drop in U.S. (2020), https://news.delta.com/delta-opens-first-biometric-self-service-bag-drop-us.
64 Successful Biometric E-Gate at LAX Blazes Trail for Commercial Aviation, Int'l Airport R. (Jan. 19, 2018), https://www.internationalairportreview.com/news/64154/biometric-e-gate-lax-aviation/.
65 See Clear, https://www.clearme.com/.
66 TSA Precheck vs. CLEAR: Reduce Security Time at Airports, Forbes (Oct. 29, 2018), https://www.forbes.com/sites/forbes-personal-shopper/2019/10/29/tsa-precheck-vs-clear-reduce-security-time-at-airports/#483a5d244bd5.
67 ISO/IEC JTC 1/SC 37 Biometrics, Int'l Standards Org. (2002), https://www.iso.org/committee/313770.html.
68 ANSI/NIST-ITL Standard, Nat'l Inst. of Standards & Tech. (Nov. 27, 2019), https://www.nist.gov/programs-projects/ansinist-itl-standard.
ability of individuals to withdraw. While withdrawal may be permitted from active participation in the privately operated programs, the ability to withdraw information from governmental databases would likely be limited. The scope of the consent should be explained at the time of enrollment.

c. Access and Participation: Biometric program participants must be able to examine the records maintained about themselves and understand the uses that have been made of that data. While access to some data in the possession of governmental entities like CBP and TSA may be limited for security reasons, data subjects have a right to access biometric information about themselves. There also need to be processes to correct inaccurate data, and those processes need to be made available to data subjects.

d. Integrity and Security: CBP TVS has established data integrity and security protocols. For private parties such as Clear, best practices in data security must be assured through contracting as well as through audits.

e. Enforcement and Redress: The agreement that establishes these programs should ensure audits are conducted to establish compliance with program requirements. There also needs to be a process established to provide for redress in the event of noncompliance. Given the sensitivity of data gathered in biometric databases, remedies for data breach should be a strong consideration.

C. Use Case Domain #3 - Landside Operations - Automated License Plate Recognition (ALPR)

ALPR, also known as Automated Number Plate Recognition (ANPR), is currently employed at many airports to manage vehicle access and/or for various law enforcement or government administrative purposes. For access management, ALPR is used to track vehicles and, in some instances, to work in support of billing for programs like commercial vehicle use of airport drop-off or pick-up (DO/PU) zones as well as for parking lot management. With respect to law enforcement, ALPR is used for traffic enforcement and for other investigative functions such as detecting stolen vehicles or vehicles associated with persons wanted on warrants. Administrative uses of ALPR data include gaining insights into traffic patterns for traffic management purposes. In some jurisdictions, ALPR is used in conjunction with revenue collection efforts like booting vehicles for outstanding tickets. These uses of ALPR for law enforcement, traffic management, and commercial activity are consistent with uses that occur outside the airport environment.

1. Inventory and Mapping:

a. Systems, products, and services: ALPR systems or services are provided by companies that usually specialize in specific operational areas. The systems include cameras capable of capturing license plate data. Software then interprets those video images to create a database of license plates, which can be compared to other databases containing license plate data. The databases used for comparison can include a variety of government managed ones linked to PII. Government databases could include motor vehicle registration databases, warrant databases, and databases of stolen vehicles. Comparison databases can also include independently created databases, like a database of vehicles authorized for entry into certain areas (like commercial vehicles in airport pick-up or drop-off areas) or vehicles entering or leaving a parking facility. These records may or may not be connected to PII. Comparison databases will likely have restrictions on the use of data for comparison based on the terms under which the databases are created. Information is then provided through a user interface, which indicates the results of the comparison. Law enforcement ALPR systems are linked to criminal justice and governmental records databases or other databases created to monitor specific vehicles and their movement. Access management ALPR systems, like those used for open toll roads detecting authorized vehicles and tracking and reporting their presence or systems employed in parking facilities, can be linked to vehicle information related to revenue collection. These access management systems can also involve the use of transponders that are frequently linked to billing and payment systems. For parking, ALPR is primarily used to track entry and exit from parking structures and potentially to support "find-my-vehicle" services. Access to license plate data collections will depend on the identity of the user (government or nongovernment) and the nature of the purpose for accessing the data (criminal investigation, revenue collection, traffic planning).

b. Owners or operators: Typically, third-party vendors are contracted to install and maintain the system in cooperation with airport police or landside operations. Sometimes those vendors provide operational support. Some systems, particularly law enforcement related ones, may require special certifications for access.

c. Individuals or data subjects: Deciding whether there are data subjects besides the vehicles depends on whether a system associates the owner or operators with the vehicle. This association, common in law enforcement use of ALPR, often matches vehicles to registration records. ALPR as a stand-alone capability is designed to recognize and record license plate information and does not necessarily need to associate that information to an individual. For example, some ALPR systems in parking systems simply compare the license plate number of a vehicle seeking to leave the garage with a database of vehicle plate numbers entering. The system does not check the identity of
legislation.71 Governmental standards generally apply to law enforcement use of ALPR and not commercial use.

d. Data processing ecosystem audits/evaluation: Audit and evaluation for ALPR is oriented at the same jurisdictional levels as standards and regulations are developed.

4. FIPPs Analysis:

a. Notice and Awareness: Notice requirements for ALPR vary greatly. The use of ALPR for police requirements generally does not have any notice requirement. However, utilization is quite limited. If an airport decides to use ALPR for commercial purposes (like monitoring commercial vehicles for revenue and traffic control purposes), then information about the parameters of the program should be specified in the registration process for the vehicles being monitored. This specification could be in a government database for commercial vehicles registered in the jurisdiction, like a city revenue department where taxi or commercial transport licenses are issued, or in an airport specific database where commercial vehicles are required to register to enter airport property. Where the use of ALPR is for traffic planning purposes, the license plate data could be anonymized or not retained. In no event would traffic planning use of that data require linkage to PII. Notice of ALPR monitoring could be provided by signage and/or posted on the airport website with an explanation of how it is used. Local and state laws or ordinances need to be consulted to determine if such notice is required.

b. Choice and Consent: Depending on the nature of the use case and the notice provided, consent requirements will also vary. Generally, the consent for law enforcement to use ALPR is derived from the general legal requirements for vehicle licensure. The specific terms of the ALPR use for other than law enforcement should be specified in the registration process. Use of that data should be strictly limited to the specified terms. If, for example, the airport is creating a database to assess charges to commercial vehicles entering the airport, then the airport must ensure that owners or operators identified are consenting to that use of data. Airport use of that data should be limited to the terms of consent.

c. Access and Participation: ALPR systems typically allow operators to segregate data by data subject. Accordingly, owners and operators whose vehicles are being captured by ALPR systems should have the right to access that data. This is particularly so for any system that is used to assess charges or impose penalties. For ALPR in support of policing operations, access rights may be more limited. Certainly, however, if the law enforcement use of ALPR results in an adverse action, the data subject should have the right to access the data. Data subjects need to be able to ensure that airports and/or their contractors are engaged in data retention and use practices consistent with stated purposes, tracking the notice and consent mandates. Accordingly, information on records retained concerning the vehicle and the use made of the data needs to be available to the data subject.

d. Integrity and Security: ALPR systems can be stand-alone edge computing capabilities, networked and databased, or serviced by cloud IT providers. Each arrangement should follow industry best practices for physical and data security.

e. Enforcement and Redress: Audit capabilities and rights should be implemented by airports and incorporated in contracts with vendors, requiring verification that agreed data capabilities and processes are realized. Processes need to be established to correct inaccurate information in databases. Individuals need to be provided notice with respect to those processes. This is true irrespective of the use of the data (e.g., a law enforcement database like a hot list or a commercial one for billing).

D. Use Case Domain #4 - Airport Digital Landscape (Websites, Mobile Apps, e-Commerce, Wi-Fi and CRM)

With the advent of online e-commerce and smartphone apps, airports, like most of the economy, are adjusting service offerings to meet trends in customer engagement and to enhance the passenger experience with digital interfaces. Tailoring and personalizing information according to the profile and context of the passenger requires uniquely identifying the passenger. In airports, the primary methods of doing so are through a web interface, a smartphone app, or a Wi-Fi access point. These three points of engagement can be served by the same back-end CRM system, or they can be managed separately, as is often the case. CRM is used to collect, manage, and protect customer information according to industry standards and best practices. CRM systems can be used to personalize services such as smart parking and loyalty programs that offer discounts or other perks for regular customers.72 For example, several airports already offer some form of loyalty program. These programs offer discounts and rewards to members for a range of airport related services, like shopping, dining, Wi-Fi, access to lounges, and parking. These programs are sometimes offered by the airports themselves or are offered in conjunction with airlines or other entities.

For websites, mobile apps, e-commerce and/or Wi-Fi access, "cookies" and other similar app features support personalization of experience. Cookies are a small piece of encrypted software that a user downloads onto their device and that collects and stores certain kinds of data. Cookies enable smoother, more efficient internet use by storing a user's site-specific information and preferences such as theme, language setting, privacy preferences, and even user IDs and passwords. Performing these tasks ensures that a user does not need to reset these features each time they visit a new page or leave and return to the site or app. On e-commerce sites, cookies also store your shopping cart contents, payment information, and even quick checkout options (including delivery addresses).

f. Data elements: User profile information to include name, email, login credentials, address, credit card information, and/or location data.

g. Data processing environment: Website, mobile apps, and Wi-Fi login all operate in connection to devices owned or operated by the data subject.

2. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case.

a. Contextual Factors: Cookies and mobile apps typically store the privacy data on the data subject's device. However, if an organization is collecting information from a user to be stored in a CRM system, then this data will be collected and stored either by a vendor on behalf of an airport or by the airport itself.

b. Analytics evaluated for typical biases: The data presented by the user can be text based and could be incorrectly entered.

c. Problematic data actions identified: Identity compromise is a persistent challenge for cookies and any software that hosts identity or credential information. Additionally, erroneous identity information could be presented by a data subject who seeks to be misidentified.

d. Problematic data actions prioritized: Prioritization depends on jurisdiction and an airport's risk profile in accordance with how cookies and LBS are being used.

3. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.

a. Data processing ecosystem parties identified: Website, Mobile App, Wi-Fi, and CRM vendors, airport, and data subjects (passengers and employees).

b. Contracts considered: Often third-party vendors develop and operate airport websites and apps. Provisions to safeguard user privacy data should consider evolving national and international legal developments,73 and any other appropriate legislation.

c. Interoperability frameworks: Cookies and other website and app support techniques have standard norms and interoperability language dependent on the native format of the website or app in consideration.

d. Data processing ecosystem audits/evaluation: Website cookie and mobile app compliance is well developed, and there are even automated third-party audit capabilities now on the market.74

71 Pam Greenberg, Automated License Plate Readers, Nat'l Conf. of State Legis. (Feb. 2015), https://www.ncsl.org/research/telecommunications-and-information-technology/automated-license-plate-readers.aspx.
72 See, e.g., Geoff Whitmore, Should You Join An Airport Rewards Program?, Forbes (Apr. 5, 2019), https://www.forbes.com/sites/geoffwhitmore/2019/04/05/should-you-join-an-airport-rewards-program/#282d341b1286; Ramsey Qubein, Why You Should Join an Airport Loyalty Program, Afar (Nov. 15, 2017), https://www.afar.com/magazine/why-you-should-join-an-airport-loyalty-program.
73 Amanda R. Lawrence, Sasha Leonhardt, & Magda Gathani, Insight: Website Cookies and Privacy-GDPR, CCPA and Evolving Standards for Online Consent, Bloomberg Law (Nov. 14, 2019), https://news.bloomberglaw.com/privacy-and-data-security/insight-website-cookies-and-privacy-gdpr-ccpa-and-evolving-standards-for-online-consent.
74 See, e.g., Cookiebot, https://www.cookiebot.com/en/.
Some cookies can be used to track the user across multiple web sites (tracking cookies), enabling, for example, advertisements for a product the user has recently viewed on a totally different site. Cookies can be used by the website operator (first-party cookies) or may also be installed by other parties providing ser- vices to the website or app (third-party cookies). Cookie data can also be sold to or otherwise be used by third parties. Under- standing why cookies are being used and by whom is important. Additionally, some websites and mobile apps tap into GPS locations or IP addresses to learn the userâs current location to present the user with information tailored for their current loca- tion. Using location to customize the user experience is com- monly known as Location-Based Services (LBS). A good exam- ple of this is an app with a terminal map that uses an individualâs current location to show where the person is and provide direc- tions to nearby shopping options. In any of these methods of collecting and using a userâs PII, a privacy notice and consent process should be presented to the user prior to downloading cookies or accessing other PII held on a userâs device. These notice and consent processes are normally presented to the user in a header or footer banner, a corner box, or a persistent pop-up. 1. Inventory and Mapping: a. Systems/products/services: Websites, Mobile Apps, Wi-Fi Login. b. Owners or operators: Typically, third-party vendors are contracted to install and operate the system in cooperation with the airport, airlines, and/or conces- sionaires. c. Individuals (or data subjects): Passengers and airport employees. d. Data actions: Data subject downloads cookies or ac- cepts the terms and conditions of app usage, which allows the website, mobile app, or Wi-Fi service to ac- cess and store data entered by the data subject directly or collected from the device (i.e., GPS information). e. 
Purpose of data actions: To smooth and enable per- sonalization of information and experience.
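The inventory and audit steps described above can be exercised in code: the following is an added example written for this discussion (not code from ACRP LRD 42 or any cookie audit vendor) that classifies cookies captured during a page load by first- or third-party origin and persistence and flags any non-essential cookie set before the visitor answered the consent banner. The site name, the captured headers and the "strictly necessary" rule are assumptions.

```python
"""Added example, not from ACRP LRD 42: a cookie inventory check for a site audit.
Each captured Set-Cookie header is classified by who set it (first- or third-party
relative to the airport's site), whether it outlives the session, and whether it was
set before the visitor answered the consent banner. Site, samples and rule are assumed."""
from dataclasses import dataclass, field

SITE = "airport.example"  # constructed stand-in for the airport's own domain


@dataclass
class Capture:
    host: str            # host whose response carried the Set-Cookie header
    set_cookie: str      # raw Set-Cookie header value
    after_consent: bool  # True if the visitor had already accepted the banner


@dataclass
class Finding:
    name: str
    party: str           # "first" or "third"
    persistent: bool     # Expires or Max-Age present, so it outlives the session
    issues: list = field(default_factory=list)


def inventory(captures: list, site: str = SITE) -> list:
    out = []
    for c in captures:
        parts = [p.strip() for p in c.set_cookie.split(";")]
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
        host = c.host.lower()
        party = "first" if host == site or host.endswith("." + site) else "third"
        f = Finding(parts[0].split("=", 1)[0], party, "expires" in attrs or "max-age" in attrs)
        # Assumed policy: only a first-party session cookie is strictly necessary;
        # everything else needs the notice-and-consent step before it is set.
        if (party == "third" or f.persistent) and not c.after_consent:
            f.issues.append("set before consent")
        if party == "third" and f.persistent:
            f.issues.append("persistent third-party cookie (tracking candidate)")
        if "secure" not in attrs:
            f.issues.append("missing Secure attribute")
        out.append(f)
    return out


# Constructed capture of one page load: two cookies before consent, one after.
SAMPLE = [
    Capture("www.airport.example", "session=abc123; Path=/; Secure; HttpOnly", False),
    Capture("ads.tracker.example", "uid=9f1c; Max-Age=31536000; Path=/", False),
    Capture("www.airport.example", "lang=en; Max-Age=2592000; Secure", True),
]
```

Running `inventory(SAMPLE)` leaves the first-party session cookie clean, reports the tracker's persistent cookie as set before consent without a Secure attribute, and accepts the language cookie because it was written after consent.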
well as plans to screen airport employees.81 The rapid growth in COVID-19 testing programs at airports is a stark example of the ability of technology and data solutions to quickly adapt and deploy to address airport-related concerns. In the face of the growing range of differing technologies to collect health data at airports caused by the COVID-19 pandemic, the legal and regulatory systems are moving to address developing concerns. Balancing the need to collect traveler health data with the need to protect privacy and ensure the security of that sensitive data, the legal environment is quickly evolving. This presents significant challenges for airport operators and stakeholders.

1. Inventory and Mapping:
a. Systems/products/services: Visible video, thermal imaging camera, and AI.
b. Owners or operators: Typically, third-party vendors are contracted to install and operate the system in cooperation with the airport, airlines, and/or border security services.
c. Individuals (or data subjects): Passengers and employees.
d. Data actions: Temperature screening often uses a visible camera with AI to recognize a person, as well as a thermal imaging camera to measure temperature pixel by pixel.
e. Purpose of data actions: To enhance processing passengers with additional health checking capabilities. To prevent febrile passengers from traveling with other passengers. To help restore confidence in the safety of air travel.
f. Data elements: Visible video footage, thermal imaging footage, and assessment report.
g. Data processing environment: Typically, in a controlled space at the entrance to a terminal, at check-in, or at TSA screening checkpoint areas.
2. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case.
a. Contextual Factors: Processing is normally done at the camera level and in the cloud. AI recognition and temperature measurement algorithms assess core body temperature. Audible and visual alarms are raised if any subject exhibits a core body temperature above the fever threshold. Additional health checks are conducted if a passenger exhibits a fever temperature. It is not necessary that the identity of the data subject is linked to the health check's assessment report, though the visible image captured would show his or her face.
b. Analytics evaluated for typical biases: Temperature can be impacted by the data subject's level of activity, exposure to heat outside, and the variance of temperature at the point of screening. Techniques, such as targeting the temperature at the tear duct of the subject, have provided improvements in performance. However, most processes require a secondary screening to determine temperature more accurately and to request additional health information from the data subject.
c. Problematic data actions identified: Understanding the collection risks highlighted in the "Contextual Factors" section above is important to understanding how a system should be designed and managed. Associating a data subject to his or her screening report, storing, and potentially leaking this information. Response actions of personnel with respect to individuals identified with elevated temperatures.
d. Problematic data actions prioritized: Prioritization depends on jurisdiction and an airport's risk profile.
3. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.
a. Data processing ecosystem parties identified: Airport, hardware and service vendors, and health check data subjects (passengers and employees).
b. Contracts considered: If a third-party vendor installs and operates the temperature screening capability, airports must ensure contracts require vendors to comply with all federal, state, and local laws pertaining to health information.
c. Interoperability frameworks: The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) include national standards for the privacy of protected health information, the security of electronic protected health information, and breach notification to consumers.
d. Data processing ecosystem audits/evaluation: HITECH also requires HHS to perform periodic audits of covered entity and business associate compliance with HIPAA Privacy, Security, and Breach Notification Rules. HHS Office for Civil Rights (OCR) enforces these rules, and in 2011, OCR established a pilot audit program to assess the controls and processes covered entities have implemented to comply with them.
4. FIPPs Analysis:
a. Notice/Awareness: As with other video systems, notice of health screening can be achieved through the posting of signage in the area where this screening occurs and/or by screening personnel operating the process. Unlike general CCTV surveillance, health screening use of this technology seems reasonably likely to capture PII, given the fact individuals can and likely

81 SFO is First U.S. Airport to Launch Rapid COVID Testing for Airport Employees, S.F. Airport (Aug. 24, 2020), https://www.flysfo.com/media/press-releases/sfo-first-us-airport-launch-rapid-covid-testing-airport-employees.