National Academies Press: OpenBook

Legal Implications of Data Collection at Airports (2021)

Chapter: III. AIRPORT DATA USE CASES

Suggested Citation:"III. AIRPORT DATA USE CASES." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.


ACRP LRD 42

(1) digital identity; (2) identity management platform; (3) biometric ID verification; and (4) a trust framework. IATA and the International Civil Aviation Organization (ICAO) have worked to develop a certification process of electronic passports and digital identities. Implications of AI and video analytics, smartphone apps, IOT, and so on, each have important privacy considerations.

In Section III below, we will review the primary use cases pertaining to privacy data used at airports today and present legal considerations. These use cases are meant to be illustrative, but not exhaustive.

III. AIRPORT DATA USE CASES

Each year, data use cases within airports continue to grow in number and complexity. Technology advancements generate new opportunities to collect data for a variety of commercial, operational, planning, and security purposes. These data collection activities and data uses involve a wide range of airport stakeholders and users. They also involve numerous types of collection techniques from information gathered from websites and applications to the sensing of signals from passenger devices to the monitoring of movement through CCTV systems. This section will discuss current and emergent airport data use cases to examine data management areas of interest.

For this discussion, a variety of use cases were preliminarily identified. They can be found in the Appendix. From those, five particular use cases were chosen for more in-depth analysis in this section. Those cases are representative of most airport privacy-data types and circumstances of collection and also present unique legal challenges. They include:

• Passenger Pathway Analytics (PPA): video analytics as well as cellphone tracking;
• Biometrics: the use of biometrics in support of check-in, screening, arrivals, and boarding;
• Automated License Plate Recognition (ALPR): both the administrative purpose of managing an airport’s commercial curb as well as law enforcement purposes;
• Airport Digital Marketplace: websites, apps, Wi-Fi, and customer relationship management (CRM) systems; and
• Health Screening/Checks: thermal imaging for detecting passengers or employees who are exhibiting a fever.

The use cases are analyzed within the NIST Privacy Framework.[52] As Figure 1 shows, the NIST Privacy Framework offers a risk-based approach that relates privacy risk from a data processing problem to the potential harm and to the organization responsible for implementing and managing the use case.

Figure 1: Relationship Between Privacy Risk and Organizational Risk[53]

The analysis below leverages the “Identify” component of the NIST Privacy Framework[54] to highlight and discuss common use cases being developed and deployed in the airport environment. Additionally, the discussion demonstrates how to use the framework to assess privacy risk for other techniques of collecting and processing privacy data not covered in this paper.

The NIST Privacy Framework develops the organizational understanding to manage privacy risk for individuals arising from data processing. The categories and subcategories of analysis include:

1. Inventory and Mapping: Defining data processing by systems, products, or services;
2. Business Environment: Airport mission, objectives, stakeholders, and activities are defined and prioritized; this information is used to inform privacy roles, responsibilities, and risk management decisions;
3. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case; and
4. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.[55]

After setting the stage for the use case with the NIST Privacy Framework, the case is analyzed applying the FIPPs principles.[56] Those nationally and internationally recognized principles inform information privacy policies both within government and in the private sector.[57]

These use cases are designed to show the type of analysis necessary to identify legal issues in the application of emerging technology by airport and airport stakeholders. The legal issues require further investigation to complete the analysis as many of them are jurisdiction-specific and target specific technology or operational objectives.

[52] NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Nat’l Inst. of Standards & Tech., U.S. Dep’t of Commerce, (Jan. 16, 2020), https://www.nist.gov/system/files/documents/2020/01/16/NIST%20Privacy%20Framework_V1.0.pdf.
[53] Id. at 4 (Figure 3).
[54] Id. at 20-21 (Appendix A).
[55] Id.
[56] See supra footnote 23, (Section II, Literature Review).
[57] See, e.g., Privacy Policy Guidance Memorandum, Dep’t of Homeland Sec. (Dec 29, 2008), https://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf (adopting the use of FIPPs by DHS).

A. Use Case Domain #1—Technology Services–PPA

PPA can be categorized as a surveillance capability, collecting data from sensors, sometimes including cameras, to quantify passenger space use and model passenger rate of movement from one area of the airport to another. These kinds of capabilities allow airports and their partners to plan and reorganize in real time to reduce queue times and redesign staffing and services to meet demand. The data can be provided to third-party service providers which inform passengers and provide enhanced services based on how long it will take to travel from curb or parking through check-in, to screening, to concessions, to holding rooms, to baggage, and so on. This data offers important operational insights for airports as well as commercially valuable information for airport stakeholders like airlines, tenants, and concessions.

PPA data is of significant commercial value to concessionaires and airports as it can indicate foot traffic rates and dwell times of passengers in relation to shopping and dining locations. For example, PPA data could be correlated with anonymized point of sale data to create per passenger sales rates—providing a performance metric that compares similar concessions (i.e., coffee shops) across locations. This information would be important to both the airport and concessionaires in understanding the sales performance of their locations. It can be presented with sufficient granularity by time of day, day of week, month of year, so that better decisions can be made to optimize performance. PPA also allows an airport to understand the value of its real estate in more granular terms of foot traffic—setting the stage for pricing rental contracts based on foot traffic per stall vs. a more generalized model.

PPA also provides insights that support airport operations. Staff levels can be decided more accurately to meet a certain level of service. For example, TSA can understand wait times and make adjustments to meet the screening demand and make adjustments against the regular schedule, as well as seasonal implications such as the impacts of cold weather clothes on passenger throughput capacity. Cleaning services can understand foot traffic per restroom and organize cleaning based on the level of use. Maintenance services can understand demand for and level of use for escalators, moving walkways, and elevators—prioritizing maintenance and recovery investments accordingly.

Accurate PPA data can also contribute significantly to improving the passenger journey. Airlines can use PPA data to help understand wait and travel times and make more accurate determinations on how long it will take for a passenger to go from check-in to the gate. This information is critical to helping airlines minimize delays and address missed flights. Similarly, this information can assist travelers and reduce their stress by helping them better understand their ability to catch flights and adjust their travel itineraries if needed. Provided to travel app developers (e.g., Uber, Lyft, Google Maps and/or Waze) insights from PPA can support functionality to help travelers more effectively manage their journey from doorstep to gate. Some airport hotels are already equipping their lobbies with this type of information to help their customers better plan their travel. Accurate PPA data would have commercial value for them as well.

1. Inventory and Mapping:

   a. Systems, products, or services: PPAs have various approaches including LIDAR, Stereo cameras, Wi-Fi, or Bluetooth Low Energy (BLE) (see description below in section d. Data Actions).

   b. Owners or operators: Vendors often install and operate these systems, delivering analytic services, and, upon request, data. Contracts should articulate the airport and vendor’s ownership rights to the data collected and analytics produced.

   c. Individuals or data subjects: The technologies attempt to track airport passengers as the primary data subjects. Airports often request that vendors differentiate employees from passengers in the analytics.

   d. Data actions: Generally, any information that could be characterized as PII is captured and processed at the edge but not collected or retained by the system. Only anonymous data is transmitted to the cloud for added analytics.

   Wi-Fi and BLE: For example, for a PPA system using Wi-Fi and BLE, a MAC address is sensed and encoded at the edge so that the number registered in the central repository is not identifiable to the original MAC address of the devices being tracked. This task can be done by capturing only the last few digits of a MAC address and/or by hashing the MAC address. Thus, while the system may be capable of collecting potential PII, NO PII data should be collected, maintained in, or analyzed by the PPA system.

   Video Analytics: Similarly, with respect to CCTV based input into a PPA system, raw video data is not retained by the PPA system. Video footage is processed to locate passengers in space and time and only an icon representing a passenger is maintained in the system. Using one method, PPA has dedicated cameras that capture and process video at the location of the camera, transmitting only anonymous data (reducing out the video footage). This method does not collect or retain PII as the video footage is never processed to identify anyone from the video footage. Instead, this method strips out the data required for analysis and nothing else is collected or retained in the PPA system. Another approach uses information from existing CCTV systems. Using analytic software, images are taken directly from CCTV cameras or from a video management system. The data is then analyzed and only non-PII data necessary for PPA analysis is extracted. That data is then forwarded for PPA. The raw video may be retained by the general CCTV surveillance system, but it is disconnected from the PPA analysis.
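An added example (not from the report or any vendor's system) of the Wi-Fi/BLE edge encoding described in this use case: each MAC address is replaced at the sensor by a keyed hash, travel times are computed from the tokens alone, and an audit check confirms that no raw MAC reaches the repository. The HMAC with a rotating edge-only key, the record layout, the sample sightings and all function names are assumptions of this example; a keyed hash is used rather than a bare hash because the 48-bit MAC space is small enough to enumerate.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Matches a raw MAC address, with or without separators (used by the audit check).
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b[0-9a-f]{12}\b", re.I)

# Constructed sample sightings (locally administered MACs): (mac, zone, unix_seconds).
SAMPLE_SIGHTINGS = [
    ("02:00:00:00:0a:01", "checkin", 0),
    ("02-00-00-00-0A-01", "security", 600),   # same device, different notation
    ("02:00:00:00:0a:02", "checkin", 100),
    ("02:00:00:00:0a:02", "security", 1000),
    ("02:00:00:00:0a:03", "checkin", 200),    # never reaches security
]


def normalize_mac(mac: str) -> bytes:
    """Canonical 6-byte form so every notation of one address maps to one token."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address")
    return bytes.fromhex(digits)


class EdgePseudonymizer:
    """Runs on the sensor; only the records it returns leave the edge."""

    def __init__(self, key: Optional[bytes] = None, token_hex_chars: int = 16):
        # Assumption of this example: a random secret that never leaves the edge.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._n = token_hex_chars

    def rotate(self) -> None:
        """Replace the key (for example daily) so tokens cannot be linked across periods."""
        self._key = secrets.token_bytes(32)

    def token(self, mac: str) -> str:
        digest = hmac.new(self._key, normalize_mac(mac), hashlib.sha256).hexdigest()
        return digest[: self._n]

    def to_record(self, mac: str, zone: str, ts: int) -> dict:
        """The raw MAC is used only inside this call and is not stored."""
        return {"token": self.token(mac), "zone": zone, "ts": ts}


def travel_times(records, src: str, dst: str):
    """Seconds from first sighting in src to next sighting in dst, per token."""
    started = {}
    durations = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["zone"] == src:
            started.setdefault(rec["token"], rec["ts"])
        elif rec["zone"] == dst and rec["token"] in started:
            durations.append(rec["ts"] - started.pop(rec["token"]))
    return sorted(durations)


def leaked_identifiers(records):
    """Audit check: return every record whose string fields contain a raw MAC."""
    return [
        rec for rec in records
        if any(isinstance(v, str) and MAC_RE.search(v) for v in rec.values())
    ]


if __name__ == "__main__":
    edge = EdgePseudonymizer()
    stored = [edge.to_record(*s) for s in SAMPLE_SIGHTINGS]
    print("travel times (s):", travel_times(stored, "checkin", "security"))
    print("records leaking a MAC:", leaked_identifiers(stored))
```

Rotating the key bounds how long one device can be followed, which also bounds the longest travel time the analytics can measure.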

   Light Detection and Ranging (LIDAR): LIDAR is a detection system that works on the principle of radar but uses light from a laser. LIDAR is used for PPA by detecting people in a similar fashion as video, but (unlike video) does not collect features that would make people uniquely identifiable from the raw data. While there are intrinsic privacy benefits to using LIDAR versus Video Analytics and Wi-Fi/BLE, LIDAR is expensive and cannot confirm actual travel times from one area of the airport to another. LIDAR also does not support the CCTV public safety surveillance goals of an airport requiring the ability to identify individuals.

   e. Purpose of data actions: Data is analyzed in aggregate form to understand trends and not intended to identify individual passengers. It is intended to allow airport operators and partners to understand travel and processing times, traffic flows, and congestion areas from ticketing, through security, at baggage, and getting to and from transportation options. This data can be used purely for operational purposes and/or sold as a commercial product.

   f. Data elements: Data elements consist of Wi-Fi or BLE (MAC address); LIDAR (point cloud of person); or video cameras (image of person).

   g. Data processing environment: Normally a three-step process consisting of (1) capturing and (2) processing using edge computing techniques, cloud analytics, and API interface with business intelligence for (3) end customer consumption of analytics.

2. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case.

   a. Contextual Factors: Normally, PPA is a surveillance capability that senses people in a public space, analyzing their movement for aggregate information about flow, dwell times, travel times, and passenger space use demand.

   b. Analytics evaluated for typical biases: Bias in PPA relates to count and movement accuracy and not to accuracy related to the identity of a data subject.

   c. Problematic data actions identified: Unique identifiers for cellphones as they engage Wi-Fi and BLE can potentially be associated with an individual, and stereo cameras may capture facial images associating an individual with a time and place. Anonymization techniques can remove the unique identifier for devices and facial features from the process reducing risk. While the system is not designed to collect, maintain, or analyze PII data, that type of data may be momentarily captured at the edge by the sensors and anonymized or discarded.

   d. Problematic data actions prioritized: Prioritization is dependent on jurisdiction and an airport’s risk profile. The elimination of PII at the edge needs to be assured.

3. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.

   a. Data processing ecosystem parties: Vendor, airport, data subjects, and airport stakeholders.

   b. Contracts considered: Typically, airports require vendors to comply with all federal, state, and local laws pertaining to PII.

   c. Interoperability frameworks: Bluetooth hosts Interoperability Prototype test events often and globally and protocol standardization is well developed.[58]

   d. Data processing ecosystem audits/evaluation: Through transparent testing and experimentation, BLE is well developed as a global technology.

4. FIPPs Analysis:

   a. Notice and Awareness: Key to the issue of notice is an articulation of the purpose of data collection and the techniques employed in collection. Since the PPA system is designed to operate without the collection and use of PII, that fact should be explained as well. While some PPA systems are designed in a manner similar to general CCTV surveillance systems, or in some cases extract data from those systems, the fundamental difference is that PII or even potential PII is not collected. Because there is no PII captured in PPAs, FIPPs notice requirements are not applicable.[59]

   While some jurisdictions may require notice of general CCTV surveillance, this requirement is not universal, and with respect to systems in public places in most U.S. jurisdictions notice is not provided. This contrasts sharply with international privacy protection regimes like GDPR, which require notice.[60] Where notice is not required for general CCTV surveillance systems, which contain information that could be translated into PII, it is unlikely that notice would be required for a PPA system, which does not contain PII.

   If an airport wishes to provide notice, then that is commonly accomplished through signage in the areas where PPA is being employed. Airports may also consider providing notice through posting information about the PPA program and data collection on airport websites or other communications channels. Even if not legally required, providing notice can help foster transparency in airport use of data.

[58] Interoperability Is Essential to All Bluetooth Technology Solutions, Bluetooth, https://www.bluetooth.com/specifications/interoperable-prototype-test-events/.
[59] Luke Irwin, Does Your Use of CCTV Comply with the GDPR, IT Governance (Oct. 3, 2019), https://itgovernance.co.uk/blog/does-your-use-of-cctv-comply-with-the-gdpr.
[60] See, e.g., id.

   b. Choice and Consent: Because the PPA system is not collecting PII and notice is not required under a FIPPs

analysis, consent is not required. Where an airport decides to provide notice, PPA collection consent could arguably be implied from a person’s continued use of the facility.

   c. Access and Participation: PPA systems must be designed and operated not to maintain any data pertaining to an individual passenger. Identifying data should be removed at the edge or otherwise excluded from analysis with the system storing only anonymized data. Where no PII is being collected and retained, the issue of access is not implicated. Access rights would be limited to ensuring that PII is not being collected or retained.

   d. Integrity and Security: The major data integrity and security concern would be the removal of PII before data analysis and storage.

   e. Enforcement and Redress: Audit capabilities and data controls should be established to ensure that the PPA system is operating without the collection or retention of PII. Where there is inconsistency between program requirements and the performance of the airport or a vendor, there needs to be a process to ensure a return to compliance. The notice should outline the process for individuals to raise concerns about system operations that ensure that PII is not being collected.

B. Use Case Domain #2—Security and Terminal Operations–Biometrics

Starting in 2007, the U.S. began issuing biometric-enabled passports standardized through the ICAO. Through this initiative, biometrics has become well-established to support passenger screening at CBP checkpoints. Subsequently, private sector companies began operating biometric screening at airports as well. TSA’s 2016 Biometric Roadmap highlights an intent to roll out biometric matching services to support automating identification processes for international and domestic travelers to include check-in, bag drop, checkpoints, and gate operations.[61] The TSA provided the schematic depicted in Figure 2 to demonstrate how the process would work and the stakeholders involved.

Figure 2: Notional Biometric Passenger Experience Stakeholder Roles and Responsibilities[62]

In June 2017, Delta Airlines launched a biometrically enabled self-bag drop at Minneapolis/St. Paul International Airport (MSP).[63] In January 2018, Los Angeles International Airport (LAX) launched biometric e-gates for boarding flights departing the U.S.[64] Both capabilities are provided by third-party vendors and supported by CBP TVS for biometric matching. Parallel to CBP’s TVS support services for biometric matching, the CLEAR program,[65] which is operated by a private party, is currently operating at several U.S. airports and provides biometric matching services in conjunction with TSA screening operations. Airports and airport stakeholders are exploring ways to incorporate biometric matching services across the passenger pathway. This review addresses the current federally authorized biometric uses at airports.

In all these cases, the biometric matching is performed by third-party software. The hardware that applies that software, check-in kiosks, baggage drops, or eGates, may be provided by airports or airlines, but the matching process and the databases queried for identification are owned by the federal government or federally authorized vendors.

1. Inventory and Mapping:

   a. Systems, products, and services: Biometric systems leverage fingerprints, iris scans, and/or face geometry to automate identity verification processes in support of self-service check-in, bag drop, screening, and boarding operations.

   b. Owners or operators: Typically, third-party vendors are contracted to install and operate the system in cooperation with the airport, airlines, or border security or other security services.

   c. Individuals (or data subjects): Passengers.

   d. Data actions: For CBP TVS supported systems, the passenger’s photo is taken either by CBP-owned cameras or equipment provided by airlines or the airport. TVS compares the new photo with DHS holdings, which include photos previously taken from U.S. passports, visas, or other travel documents. For private sector systems such as CLEAR, a passenger is biometrically enrolled with fingerprint and iris scans in a proprietary system, and verification is performed against these holdings by the company.

   With respect to processes like check-in, bag drop, and boarding, the processing systems replace human review of identification documents. A biometric characteristic, usually facial geometry, serves in lieu of the boarding pass and identification document(s).

   The CLEAR program is currently used only for identity checks in connection with checkpoint screening under the Registered Traveler Program. The program currently performs this function by using fingerprint-based or retinal biometric processes. This “front of the line” service allows for identity check after a voluntary biometric enrollment and screening process. Passenger identity is checked through biometric matching at kiosks supervised by CLEAR employees who then escort passengers to the front of TSA lines for security screening.[66]

   e. Purpose of data actions: To automate and enhance the identity verification process for both security and commercial purposes consistent with the facilitation of passenger movement.

   f. Data elements: Image of face, iris, or fingerprint, which is transformed by proprietary algorithms into a template that is compared and matched against an existing template.

   g. Data processing environment: An optical sensor or scanner captures an image directly from a passenger at the airport.

2. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case.

   a. Contextual Factors: Biometrics is an automated identity verification system used during passenger processing.

   b. Analytics evaluated for typical biases: While facial image matching is most convenient for passengers, it is still currently controversial as it has shown varying efficacy rates for different ethnicities. Fingerprints and iris scans are generally accepted as more reliable and less controversial but are more expensive and operationally cumbersome.

   c. Problematic data actions identified: Imposter and spoof attacks are presented when someone compromises someone else’s biometric identity. Biometric identities must be stored for comparison reasons, and biometric data breaches pose a major privacy risk. The concept of a seamless travel experience requires exchanges of portions of this data between commercial entities and governmental entities with differing interests, rules, and restrictions on handling information. This exacerbates the process of ensuring privacy protections. In processing the biometric data, it is important that the hardware systems are designed and operated in such a way that no data is collected, retained, or transmitted on the hardware except as specified in program requirements.

   d. Problematic data actions prioritized: Prioritization depends on jurisdiction and an airport’s risk profile for how an airport is using biometrics.

3. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.

   a. Data processing ecosystem parties identified: CBP TVS, hardware and service vendors, airport, biometric data subjects (passengers and employees).

   b. Contracts considered: Federal regulation governs TSA/CBP use of biometric data. For private operating systems like CLEAR, airports require vendors to comply with all applicable federal, state, and local laws pertaining to biometrics. Use of CLEAR requires amendment to the airport’s federally regulated security program.

   c. Interoperability frameworks: The International Standards Organization (ISO) and the American National Standards Institute (ANSI) National Institute for Science and Technology (NIST) have standards pertaining to biometrics and interoperability (ISO/IEC JTC 1/SC 37,[67] ANSI/NIST-ITL Standard).[68]

   d. Data processing ecosystem audits/evaluation: Through ISO and ANSI/NIST, biometric system audit functions are tested and standardized.

4. FIPPs Analysis:

   a. Notice and Awareness: Through biometric enrollment and subsequent screening/verification, passengers should be clearly advised regarding the purposes of the program and the use that will be made of any PII. The notice should explain the rights of access and methods to correct any inaccurate data. The notice should give contact information so that passengers can exercise access and redress their rights.

[61] TSA Biometric Roadmap, For Aviation Security & the Passenger Experience, Trans. Sec. Admin. (Sept. 2018), https://www.tsa.gov/sites/default/files/tsa_biometrics_roadmap.pdf.
[62] Id. at 18.
[63] Delta Opens First Biometric Self-Service Bag Drop in U.S., (2020), https://news.delta.com/delta-opens-first-biometric-self-service-bag-drop-us.
[64] Successful Biometric E-Gate at LAX Blazes Trail for Commercial Aviation, Int’l Airport R. (Jan. 19, 2018), https://www.internationalairportreview.com/news/64154/biometric-e-gate-lax-aviation/.
[65] See Clear, https://www.clearme.com/.
[66] TSA Precheck vs. CLEAR: Reduce Security Time at Airports, Forbes (Oct. 29, 2018), https://www.forbes.com/sites/forbes-personal-shopper/2019/10/29/tsa-precheck-vs-clear-reduce-security-time-at-airports/#483a5d244bd5.
[67] ISO/IEC JTC 1/SC 37 Biometrics, Int’l Standards Org. (2002), https://www.iso.org/committee/313770.html.
[68] ANSI/NIST-ITL Standard, Nat’l Inst. of Sci. & Tech. (Nov. 27, 2019), https://www.nist.gov/programs-projects/ansinist-itl-standard.

   b. Choice and Consent: Passengers and employees provide written consent to biometric enrollment and subsequent screening during enrollment. Once an enrollment occurs, however, it is unclear with respect to the

ability of individuals to withdraw. While withdrawal may be permitted from active participation in the privately operated programs, the ability to withdraw information from governmental databases would likely be limited. The scope of the consent should be explained at the time of enrollment.

   c. Access and Participation: Biometric program participants must be able to examine the records maintained about themselves and understand the uses that have been made of that data. While access to some data in the possession of governmental entities like CBP and TSA may be limited for security reasons, data subjects have a right to access biometric information about themselves. There also needs to be processes to correct inaccurate data, and those processes need to be made available to data subjects.

   d. Integrity and Security: CBP TVS has established data integrity and security protocols. For private parties such as Clear, best practices in data security must be assured through contracting as well as through audits.

   e. Enforcement and Redress: The agreement that establishes these programs should ensure audits are conducted to establish compliance with program requirements. There also needs to be a process established to provide for redress in the event of noncompliance. Given the sensitivity of data gathered in biometric databases, remedies for data breach should be a strong consideration.

C. Use Case Domain #3—Landside Operations–Automated License Plate Recognition (ALPR)

ALPR, also known as Automated Number Plate Recognition (ANPR), is currently employed at many airports to manage vehicle access and/or for various law enforcement or government administrative purposes. For access management, ALPR is used to track vehicles and, in some instances, work in support of billing for programs like commercial vehicle use of airport drop-off or pick-up (DO/PU) zones as well as for parking lot management. With respect to law enforcement, ALPR is used for traffic enforcement and for other investigative functions such as detecting stolen vehicles or vehicles associated with persons wanted on warrants. Administrative uses of ALPR data include gaining insights into traffic patterns for traffic management purposes. In some jurisdictions, ALPR is used in conjunction with revenue collection efforts like booting vehicles for outstanding tickets. These uses of ALPR for law enforcement, traffic management, and commercial activity are consistent with uses that occur outside the airport environment.

1. Inventory and Mapping:

   a. Systems, products, and services: ALPR systems or services are provided by companies that usually specialize in specific operational areas. The systems include cameras capable of capturing license plate data. Software then interprets those video images to create a database of license plates, which can be compared to other databases containing license plate data. The databases used for comparison can include a variety of government managed ones linked to PII. Government databases could include motor vehicle registration databases, warrant databases, and databases of stolen vehicles. Comparison databases can also include independently created databases, like a database of vehicles authorized for entry into certain areas (like commercial vehicles in airport pick-up or drop-off areas) or vehicles entering or leaving a parking facility. These records may or may not be connected to PII. Comparison databases will likely have restrictions on the use of data for comparison based on the terms under which the databases are created. Information is then provided through a user interface, which indicates the results of the comparison.

   Law enforcement ALPR systems are linked to criminal justice and governmental records databases or other databases created to monitor specific vehicles and their movement. Access management ALPR systems like those used for open toll roads detecting authorized vehicles and tracking and reporting their presence or systems employed in parking facilities can be linked to vehicle information related to revenue collection. These access management systems can also involve the use of transponders that are frequently linked to billing and payment systems. For parking, ALPR is primarily used to track entry and exit from parking structures and potentially to support “find-my-vehicle” services. Access to license plate data collections will depend on the identity of the user (government or nongovernment) and the nature of the purpose for accessing the data (criminal investigation, revenue collection, traffic planning).

   b. Owners or operators: Typically, third-party vendors are contracted to install and maintain the system in cooperation with airport police or landside operations. Sometimes those vendors provide operational support. Some systems, particularly law enforcement related ones, may require special certifications for access.

   c. Individuals or data subjects: Deciding whether there are data subjects besides the vehicles depends on whether a system associates the owner or operators with the vehicle. This association, common in law enforcement use of ALPR, often matches vehicles to registration records. ALPR as a stand-alone capability is designed to recognize and record license plate information and does not necessarily need to associate that information to an individual. For example, some ALPR systems in parking systems simply compare the license plate number of a vehicle seeking to leave the garage with a database of vehicle plate numbers entering. The system does not check the identity of

the owner or the driver; it simply ensures the parking charges are consistent with the duration of the vehicles entering and exiting the parking garage. Similarly, analytic use of ALPR for functions of vehicle counting or tracking dwell times does not require use of PII associated with the vehicle.
d. Data actions: Two primary methods are used to initiate the capture of license plate data. Some systems use video analytics and others use a trigger device with a still image. The video analytics approach is trending as it requires less equipment and provides additional insights. Video analytics algorithms identify license plates in a video stream and capture an image from that video stream. With a trigger device method, a vehicle is detected, and an image is captured of the rear and front of the vehicle. The captured license plate data is then compared to other databases for differing purposes (law enforcement, revenue collection, etc.).
e. Purpose of data actions: The purpose is primarily vehicle identification through license plate capture. However, more advanced systems can capture vehicle color, type, make, model, etc.
f. Data elements: Image of vehicle with derived descriptive text (license plate number, plus vehicle color, type, make, model, etc.). The data elements of the systems used for comparison vary based on the parameters established for that data’s collection.
g. Data processing environment: Airports typically collect ALPR data along or above public roadways or at entry/exit from the parking structures. The data can also be captured using mobile readers, which are sometimes used in parking facilities to monitor usage. That data can be stored and processed on premises in databases owned by the vendor or the airport, and/or it could be stored and processed through third-party cloud services such as Amazon Web Services, Google Cloud, or Microsoft Azure.

2. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case.
a. Contextual Factors: Video footage and images captured from the public roadway can potentially reveal (from the raw footage) vehicle passengers and drivers. ALPR systems do not normally include any features that automatically identify a driver or passengers from the raw footage. The metadata from the systems can capture information like date, time, and location of the vehicle. The databases against which captured license plate data is compared may have PII. The use of those databases should be examined to determine whether a particular use of the database is proper. For example, databases with warrant information can only be accessed by law enforcement personnel and only in the context of criminal investigations. Independently created databases, particularly those used in revenue collection, generally have their own terms of use.
b. Analytics evaluated for typical biases: ALPR can potentially misidentify the letters or numbers in the license plate.
c. Problematic data actions identified: Misidentification could potentially erroneously record one vehicle as being present when it is not. Another potential error is the failure to correctly identify the vehicle that was present. Collection of data over time can allow for determination of patterns of vehicle use in the area covered by the ALPR. Problems may also occur if databases for comparison are improperly accessed.
d. Problematic data actions prioritized: Prioritization depends on jurisdiction and an airport’s risk profile in accordance with how ALPR is being used.

3. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.
a. Data processing ecosystem parties identified: ALPR is operated on airport property. Airport and ALPR system vendors are primary operating parties; end users may include law enforcement, landside operation personnel, and revenue personnel. Owners and operators of motor vehicles and particularly public, private, and commercial vehicles are the data subjects. Those systems may compare data with other databases, which will have differing policies for use and access.
b. Contracts considered: Vendor contracts can be direct procurement where the airport owns and operates the system directly, or a build-operate-transfer contract where the vendor operates the system on behalf of the airport. Most law enforcement-based ALPR systems will require operation by law enforcement or law enforcement certified personnel.
c. Interoperability frameworks: An examination of relevant standards organizations such as ISO and NIST revealed no set interoperability framework for ALPR. However, in most countries, there are standards and guidance set at the national or sub-national level. The UK National ANPR Standards69 is a good example of a national standard. The International Association of Chiefs of Police has promulgated operational guidance for ALPR use.70 Use of ALPR in the United States is generally governed by legislation and guidance set at the state level. The National Conference for State Legislatures is a good source for a survey of state-level

69 National ANPR Standards for Policing and Law Enforcement, Version 2.0, U.K. Home Office, (Sept. 2020), https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/913987/NASPLE_Version_2.0_September_2020.pdf.
70 David J. Roberts & Megan Casanova, Automated License Plate Recognition Systems, Policy and Operational Guidance for Law Enforcement, U.S. Dep’t of Justice (2012), https://www.ncjrs.gov/pdffiles1/nij/grants/239604.pdf.

legislation.71 Governmental standards generally apply to law enforcement use of ALPR and not commercial use.
d. Data processing ecosystem audits/evaluation: Audit and evaluation for ALPR is oriented at the same jurisdictional levels as standards and regulations are developed.

4. FIPPs Analysis:
a. Notice and Awareness: Notice requirements for ALPR vary greatly. The use of ALPR for police requirements generally does not have any notice requirement. However, utilization is quite limited. If an airport decides to use ALPR for commercial purposes (like monitoring commercial vehicles for revenue and traffic control purposes) then information about the parameters of the program should be specified in the registration process for the vehicles being monitored. This specification could be in a government database for commercial vehicles registered in the jurisdiction, like a city revenue department where taxi or commercial transport licenses are issued, or in an airport-specific database in instances where commercial vehicles are required to register to enter airport property. Where the use of ALPR is for traffic planning purposes, the license plate data could be anonymized or not retained. In no event would traffic planning use for that data require linkage to PII. Notice of ALPR monitoring could be provided by signage and/or posted on the airport website with an explanation of how it is used. Local state laws or ordinances need to be consulted to determine if such notice is required.
b. Choice and Consent: Depending on the nature of the use case and the notice provided, consent requirements will also vary. Generally, the consent for law enforcement to use ALPR is derived from the general legal requirements for vehicle licensure. The specific terms of the ALPR use for other than law enforcement should be specified in the registration process. Use of that data should be strictly limited to the specified terms. If, for example, the airport is creating a database to assess charges to commercial vehicles entering the airport, then the airport must ensure that owners or operators identified are consenting to that use of data. Airport use of that data should be limited to the terms of consent.
c. Access and Participation: ALPR systems typically allow operators to segregate data by data subject. Accordingly, owners and operators whose vehicles are being captured by ALPR systems should have the right to access that data. This is particularly so for any system that is used to assess charges or impose penalties. For ALPR in support of policing operations, access rights may be more limited. Certainly, however, if the law enforcement use of ALPR results in an adverse action, the data subject should have the right to access the data. Data subjects need to be able to ensure that airports and/or their contractors are engaged in data retention and use practices consistent with stated purposes tracking the notice and consent mandates. Accordingly, information on records retained concerning the vehicle and use made of the data needs to be available to the data subject.
d. Integrity and Security: ALPR systems can be stand-alone edge computing capabilities, networked and databased, or serviced by cloud IT providers. Each arrangement should follow industry best practices for physical and data security.
e. Enforcement and Redress: Audit capabilities and rights should be implemented by airports and incorporated in contracts with vendors requiring verification that agreed data capabilities and processes are realized. Processes need to be established to correct inaccurate information in databases. Individuals need to be provided notice with respect to those processes. This is true irrespective of the use of the data (e.g., a law enforcement database like a hot list or a commercial one for billing).

D. Use Case Domain #4—Airport Digital Landscape (Websites, Mobile Apps, e-Commerce, Wi-Fi and CRM)

With the advent of online e-commerce and smartphone apps, airports, like most of the economy, are adjusting service offerings to meet trends in customer engagement and to enhance the passenger experience with digital interfaces. Tailoring and personalizing information according to the profile and context of the passenger requires uniquely identifying the passenger. In airports, the primary methods of doing so are through a web interface, a smartphone app, or a Wi-Fi access point. These three points of engagement can be served by the same back-end CRM system, or they can be managed separately, as is often the case.

CRM is used to collect, manage, and protect customer information according to industry standards and best practices. CRM systems can be used to personalize services such as smart parking and loyalty programs that offer discounts or other perks for regular customers.72 For example, several airports already offer some form of loyalty programs. These programs offer discounts and rewards to members for a range of airport related services, like shopping, dining, Wi-Fi, access to lounges, and

71 Pam Greenberg, Automated License Plate Readers, Nat’l Conf. of State Legis. (Feb. 2015), https://www.ncsl.org/research/telecommunications-and-information-technology/automated-license-plate-readers.aspx.
72 See, e.g., Geoff Whitmore, Should You Join An Airport Rewards Program?, Forbes (Apr. 5, 2019) https://www.forbes.com/sites/geoffwhitmore/2019/04/05/should-you-join-an-airport-rewards-program/#282d341b1286; Ramsey Qubein, Why You Should Join an Airport Loyalty Program, Afar (Nov. 15, 2017) https://www.afar.com/magazine/why-you-should-join-an-airport-loyalty-program.

parking. These programs are sometimes offered by the airports themselves or are offered in conjunction with airlines or other entities.

For websites, mobile apps, e-commerce and/or Wi-Fi access, “cookies” and other similar app features support personalization of experience. Cookies are a small piece of encrypted software that a user downloads onto their device and that collects and stores certain kinds of data. Cookies enable smoother, more efficient internet use by storing a user’s site-specific information and preferences such as theme, language setting, privacy preferences, and even user IDs and passwords. Performing these tasks ensures that a user does not need to reset these features each time they visit a new page or leave and return to the site or app. On e-commerce sites, cookies also store your shopping cart contents, payment information, and even quick checkout options (including delivery addresses). Some cookies can be used to track the user across multiple websites (tracking cookies), enabling, for example, advertisements for a product the user has recently viewed on a totally different site.

Cookies can be used by the website operator (first-party cookies) or may also be installed by other parties providing services to the website or app (third-party cookies). Cookie data can also be sold to or otherwise be used by third parties. Understanding why cookies are being used and by whom is important.

Additionally, some websites and mobile apps tap into GPS locations or IP addresses to learn the user’s current location to present the user with information tailored for their current location. Using location to customize the user experience is commonly known as Location-Based Services (LBS). A good example of this is an app with a terminal map that uses an individual’s current location to show where the person is and provide directions to nearby shopping options.

In any of these methods of collecting and using a user’s PII, a privacy notice and consent process should be presented to the user prior to downloading cookies or accessing other PII held on a user’s device. These notice and consent processes are normally presented to the user in a header or footer banner, a corner box, or a persistent pop-up.

1. Inventory and Mapping:
a. Systems/products/services: Websites, Mobile Apps, Wi-Fi Login.
b. Owners or operators: Typically, third-party vendors are contracted to install and operate the system in cooperation with the airport, airlines, and/or concessionaires.
c. Individuals (or data subjects): Passengers and airport employees.
d. Data actions: Data subject downloads cookies or accepts the terms and conditions of app usage, which allows the website, mobile app, or Wi-Fi service to access and store data entered by the data subject directly or collected from the device (i.e., GPS information).
e. Purpose of data actions: To smooth and enable personalization of information and experience.
f. Data elements: User profile information to include name, email, login credentials, address, credit card information, and/or location data.
g. Data processing environment: Website, mobile apps, and Wi-Fi login all operate in connection to devices owned or operated by the data subject.

2. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case.
a. Contextual Factors: Cookies and mobile apps typically store the privacy data on the data subject’s device. However, if an organization is collecting information from a user to be stored in a CRM system, then this data will be collected and stored either by a vendor on behalf of an airport or by the airport itself.
b. Analytics evaluated for typical biases: The data presented by the user can be text based and could be incorrectly entered.
c. Problematic data actions identified: Identity compromise is a persistent challenge for cookies and any software that hosts identity or credential information. Additionally, erroneous identity information could be presented by the data subject who seeks to be misidentified.
d. Problematic data actions prioritized: Prioritization depends on jurisdiction and an airport’s risk profile in accordance with how cookies and LBS are being used.

3. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.
a. Data processing ecosystem parties identified: Website, Mobile App, Wi-Fi, and CRM vendors, airport, and data subjects (passengers and employees).
b. Contracts considered: Often third-party vendors develop and operate airport websites and apps. Provisions to safeguard user privacy data should consider such evolving national and international legal developments,73 and any other appropriate legislation.
c. Interoperability frameworks: Cookies and other website and app support techniques have standard norms and interoperability language dependent on the native format of the website or app in consideration.
d. Data processing ecosystem audits/evaluation: Website cookies and mobile app compliance is well developed and there are even automated third-party audit capabilities now on the market.74

73 Amanda R. Lawrence, Sasha Leonhardt, & Magda Gathani, Insight: Website Cookies and Privacy-GDPR, CCPA and Evolving Standards for Online Consent, Bloomberg Law (Nov. 14, 2019), https://news.bloomberglaw.com/privacy-and-data-security/insight-website-cookies-and-privacy-gdpr-ccpa-and-evolving-standards-for-online-consent.
74 See, e.g., Cookiebot, https://www.cookiebot.com/en/.

4. FIPPs Analysis:
a. Notice and Awareness: Notice can appear in several forms depending on jurisdictional requirements for specificity and consent requirements. Sometimes it may simply appear in the text of a privacy policy. In those cases, it is generally assumed that acceptance of cookies is implied by continued use of the website or application. Notice may also appear through banners or pop-ups. This presentation of notice is growing in acceptance and is particularly appropriate where an action to accept cookie use is sought. Some jurisdictions require the scope of notice to indicate the type of information sought, the purpose of collection, and the duration. These notices should apply to third-party cookie use. Notice should also address any disclosure requirements under applicable open records laws.
b. Choice and Consent: Consent can be achieved in three ways. First, some systems simply provide written notice of the policy and imply consent to the announced cookie policies from continued use. Second, the growing use of banners and pop-ups requires users to indicate a consent to cookie policies before proceeding. Those systems can provide for an opt-in or opt-out election. Third, in some jurisdictions, the use of pre-checked boxes with respect to acceptance of cookie policies can raise questions with respect to consent.
c. Access and Participation: Websites and apps often allow users to proceed with limited functionality use for those who opt out of using cookies, LBS, or other personalization techniques. Denial of access for failure to accept cookies may raise issues as to whether consent is fully voluntary. With respect to participation, the data subject needs to be provided with information on where to obtain information on what information has been collected and to raise concerns. Withdrawal and consent may warrant their own specific procedures.
d. Integrity and Security: Cookie, LBS, and other app personalization techniques have well-developed standards of security. Organizations using these tools need to ensure that privacy and data security standards are met. Detailed provisions need to be made to address potential data breaches of sensitive financial information.
e. Enforcement and Redress: Audit capabilities and rights are typically used by airports in contracts with vendors requiring verification that agreed data capabilities and processes are realized. Procedures should be in place to address concerns of data subjects with respect to any claims of misuse of data. Both federal and state requirements also need to be considered and accounted for with respect to potential data breach occurrences, particularly ones involving sensitive PII like financial information.

E. Use Case Domain #5—Health Checks–Temperature Screening

Responding to the threat of the COVID-19 pandemic, many U.S. airports are investigating the use of health-related technologies to mitigate some of the risk of communicable diseases. One such measure is the use of temperature screening to detect fever, a symptom of COVID-19. Such screening has previously been employed at airports outside the United States on other occasions. Temperature screening was used in 2003 for the Severe Acute Respiratory Syndrome (SARS) epidemic75 and again in 2014 for the Ebola outbreak.76 This use case was chosen as it addresses medically sensitive information, and the privacy and legal parameters on this kind of data are of special consideration. It is currently an open question as to whether the airport, airlines, or federal government are best situated to undertake this data collection,77 though some U.S. airports are already piloting technology to do so.78 This case study examines a video/thermal imaging-based screening process, though there are other models for screening available using handheld or kiosk-based thermal screening technologies.79 Additionally, as health screening technologies refine, airports, airlines and even some airport concessionaires are developing and implementing programs for airport-based COVID-19 testing for travelers80 as

75 Chorh-Chuan Tan, SARS in Singapore-Key Lessons from an Epidemic, 35 Annals Acad. of Med. 345 (May 2006) http://annals.edu.sg/pdf/35VolNo5200606/V35N5p345.pdf.
76 Jonathan M Read, et al., Effectiveness of Screening for Ebola at Airports, 385 The Lancet 23 (Jan. 3, 2015), https://www.thelancet.com/journals/lancet/article/PIIS0140-6736(14)61894-8/fulltext.
77 Runway to Recovery: The United States Framework for Airlines and Airports to Mitigate Public Health Risks of Coronavirus, U.S. Dep’ts of Transp., Homeland Sec., & Health & Human Servs. (July 2020), https://www.transportation.gov/sites/dot.gov/files/2020-07/Runway_to_Recovery_07022020.pdf; see, Steve Dickson, FAA Administrator “Letter to Captain Joseph G. De Porte, President, Airlines Pilot Association, International”, (Apr. 14, 2020) (Declining to exercise FAA preemption authority for aviation safety with respect to health screening for COVID-19), http://www.alpa.org/-/media/ALPA/Files/pdfs/news-events/letters/041420-faa-dickson-reply-covid-19.pdf.
78 Hannah Sampson, LAX is Testing Fever-Detecting Cameras as Passengers Depart and Arrive, L.A. Times (June 23, 2020), https://www.washingtonpost.com/travel/2020/06/22/lax-is-testing-fever-detecting-cameras-passengers-depart-arrive/.
79 See e.g., Hugo Martin, Airports are Testing Thermal Cameras and Other Technology to Screen Travelers for COVID-19, L.A. Times (May 13, 2020), https://www.latimes.com/business/story/2020-05-13/airports-test-technology-screen-covid-19.
80 COVID-19 Testing for Air Travel, Int’l Air Travelers Assoc. (June 16, 2019), https://www.airlines.iata.org/news/covid-19-testing-for-air-travel. See also Michelle Baran, These U.S. and International Airports Have COVID-19 Testing Facilities, AFAR (Nov. 5, 2020), https://www.afar.com/magazine/these-us-airports-to-have-covid-19-testing (documenting COVID-19 testing being conducted at the John F. Kennedy International Airport, LaGuardia Airport, Newark International Airport, Dallas Fort Worth International Airport, Boston Logan International Airport, Tampa International Airport, and San Francisco International Airport).

well as plans to screen airport employees.81 The rapid growth in COVID-19 testing programs at airports is a stark example of the ability of technology and data solutions to quickly adapt and deploy to address airport-related concerns.

In the face of the growing range of differing technologies to collect health data at airports caused by the COVID-19 pandemic, the legal and regulatory systems are moving to address developing concerns. Balancing the need to collect traveler health data with the need to protect privacy and ensure the security of that sensitive data, the legal environment is quickly evolving. This presents significant challenges for airport operators and stakeholders.

1. Inventory and Mapping:
a. Systems/products/services: Visible video, thermal imaging camera, and AI.
b. Owners or operators: Typically, third-party vendors are contracted to install and operate the system in cooperation with the airport, airlines, and/or border security services.
c. Individuals (or data subjects): Passengers and employees.
d. Data actions: Temperature screening often uses a visible camera with AI to recognize a person, as well as a thermal imaging camera to measure temperature pixel by pixel.
e. Purpose of data actions: To enhance processing passengers with additional health checking capabilities. To prevent febrile passengers from traveling with other passengers. To help restore confidence in the safety of air travel.
f. Data elements: Visible video footage, thermal imaging footage, and assessment report.
g. Data processing environment: Typically, in a controlled space at the entrance to a terminal, at check-in, or at TSA screening checkpoint areas.

2. Risk Assessment: Understand privacy risks to individuals and the organization implementing the use case.
a. Contextual Factors: Processing is normally done at the camera level and in the cloud. AI recognition and temperature measurement algorithms assess core body temperature. Audible and visual alarms are raised if any subject exhibits a core body temperature above the fever threshold. Additional health checks are conducted if a passenger exhibits a fever temperature. It is not necessary that the identity of the data subject is linked to the health check’s assessment report, though the visible image captured would show his or her face.
b. Analytics evaluated for typical biases: Temperature can be impacted by the data subject’s level of activity, exposure to heat outside, and the variance of temperature at the point of screening. Techniques, such as targeting the temperature at the tear-duct of the subject, have provided improvements in performance. However, most processes require a secondary screening to determine temperature more accurately and to request additional health information from the data subject.
c. Problematic data actions identified: Understanding the collection risks highlighted in the “Contextual Factors” section above is important to understanding how a system should be designed and managed. Associating a data subject to his or her screening report, storing, and potentially leaking this information. Response actions of personnel with respect to individuals identified with elevated temperatures.
d. Problematic data actions prioritized: Prioritization depends on jurisdiction and an airport’s risk profile.

3. Data Processing Ecosystem Risk Management: Airport priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions.
a. Data processing ecosystem parties identified: Airport, hardware and service vendors, and health checks data subjects (passengers and employees).
b. Contracts considered: If a third-party vendor installs and operates the temperature screening capability, airports must ensure contracts require vendors to comply with all federal, state, and local laws pertaining to health information.
c. Interoperability frameworks: The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) include national standards for the privacy of protected health information, the security of electronic protected health information, and breach notification to consumers.
d. Data processing ecosystem audits/evaluation: HITECH also requires HHS to perform periodic audits of covered entity and business associate compliance with HIPAA Privacy, Security, and Breach Notification Rules. HHS Office for Civil Rights (OCR) enforces these rules, and in 2011, OCR established a pilot audit program to assess the controls and processes covered entities have implemented to comply with them.

4. FIPPs Analysis:
a. Notice/Awareness: As with other video systems, notice of health screening can be achieved through the posting of signage in the area where this screening occurs and/or by screening personnel operating the process. Unlike general CCTV surveillance, health screening use of this technology seems reasonably likely to capture PII, given the fact individuals can and likely

81 SFO is First U.S. Airport to Launch Rapid COVID Testing for Airport Employees, S.F. Airport (Aug. 24, 2020), https://www.flysfo.com/media/press-releases/sfo-first-us-airport-launch-rapid-covid-testing-airport-employees.


As technology evolves, airports and their partners collect more data from passengers, employees, tenants, concessionaires, airlines, and others. This data is used in many ways, including for facility management, security, ground transportation, marketing, understanding passenger preferences, and enhancing the travel experience.

The TRB Airport Cooperative Research Program's ACRP Legal Research Digest 42: Legal Implications of Data Collection at Airports provides a survey of applicable law; considerations for the collection and safekeeping of data; and a review of the issues that arise related to data collection among airports, their tenants, and other users. It also offers an understanding of the expansion in law around data collection and use.
