Smart buildings and data laws: an unfamiliar regulatory landscape

Buildings are evolving rapidly to capture the data of their occupants. Hannah Crowther sets out the law governing its use.

So-called “smart buildings” are allowing an unprecedented insight into the way that buildings are used by their occupants. No longer limited to people counters and grainy CCTV, new interconnected technology allows buildings to capture detailed information at a granular level, using – among other things – cameras and motion, pressure and heat sensors to create rich data sets. This information can be further combined with, for example, individual employee passes to allow for an almost complete picture of an individual’s working day.

Owners, developers, occupiers and lenders are keen to capture the value of this data so as to improve the efficiency of their assets, boost the productivity of employees working in them and better understand their customers. Many are investing in rapidly evolving sensor technology and data analytics.

However, the interest in the power of data is leading the real estate industry into a regulatory landscape that is unfamiliar and on the edge of significant change.

Data protection legislation

In May 2018, the current UK Data Protection Act 1998 will be replaced by a new EU-wide General Data Protection Regulation (which the UK government has confirmed will be implemented as planned, despite the Brexit vote). The new “GDPR” maintains the same concepts and principles as the 1998 Act, but adds various new obligations as well as a much more stringent enforcement regime (see box).

The 1998 Act and the GDPR impose obligations on the collection and use of personal data to ensure that this is done fairly and in a manner which does not unduly prejudice the individuals whom the data is about. It also grants rights to those individuals, for example, to access information held about themselves and, in some cases, to object to its use.

The concept of “personal data” is very broad, and constitutes any information about an identified or identifiable individual. As well as any information linked to a name, e-mail address, employee ID, photo or unique job title, it will also include information that is less immediately “identified” but could be if it is collected over a sustained period and/or combined with other data sets.

Take, for example, a system installed in a building that monitors the occupation of desks, by way of a pressure sensor, in order to improve space utilisation.

On its own, the data produced by that sensor may not allow the occupant of the desk to be identified. However, if the desk being monitored will be occupied only by certain employees within a certain department that contains a limited number of employees, then the combination of the sensor data and the department/employment structure of the business could make that individual identifiable. Consequently, the sensor information would likely qualify as personal data, and potentially reveal information about that employee’s working hours or even productivity.
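The linkage described above, worked through in code as an added example that is not part of the original article. The sensor log, seating plan and employee IDs are constructed sample data; the threshold `k` for how many possible occupants a desk must have before its readings stop being identifying is an illustrative assumption, chosen here only to show the shape of the check a data protection impact assessment might use.

```python
"""Re-identification risk from linking "anonymous" desk sensor data
with a seating plan.

Constructed sample data: a desk-occupancy feed that carries only desk IDs,
plus the seating plan a facilities team already holds. On its own the
sensor feed names nobody; joined with the seating plan it becomes personal
data for every desk whose pool of possible occupants is small.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: (timestamp, desk_id, occupied) from pressure sensors.
SENSOR_LOG: List[Tuple[str, str, bool]] = [
    ("2017-03-06T07:58", "D-101", True),
    ("2017-03-06T19:12", "D-101", False),
    ("2017-03-06T09:05", "D-207", True),
    ("2017-03-06T17:30", "D-207", False),
    ("2017-03-06T09:00", "D-310", True),
]

# Constructed seating plan: desk -> employees who may sit there.
# D-101 is a fixed desk (one possible occupant); D-207 and D-310 are hot desks
# shared by a small team and a larger department respectively.
SEATING_PLAN: Dict[str, List[str]] = {
    "D-101": ["emp-0042"],
    "D-207": ["emp-0007", "emp-0019", "emp-0023"],
    "D-310": ["emp-1001", "emp-1002", "emp-1003",
              "emp-1004", "emp-1005", "emp-1006"],
}


def candidate_pool_sizes(log, seating_plan):
    """For each desk seen in the log, count how many people could be the occupant."""
    return {desk: len(seating_plan.get(desk, [])) for _, desk, _ in log}


def classify_desks(log, seating_plan, k: int = 5):
    """Split desks into those whose readings are identifying (fewer than k
    possible occupants) and those with a pool of at least k people.
    The k threshold is an illustrative assumption, in the spirit of k-anonymity."""
    identifying, anonymous = {}, {}
    for desk, pool in candidate_pool_sizes(log, seating_plan).items():
        (identifying if pool < k else anonymous)[desk] = pool
    return identifying, anonymous


def infer_working_hours(log, seating_plan):
    """Show what the linkage reveals: for single-occupant desks the sensor log
    becomes a record of a named individual's arrival and departure times."""
    hours = defaultdict(list)
    for ts, desk, occupied in log:
        pool = seating_plan.get(desk, [])
        if len(pool) == 1:
            hours[pool[0]].append((ts, "arrived" if occupied else "left"))
    return dict(hours)


if __name__ == "__main__":
    ident, anon = classify_desks(SENSOR_LOG, SEATING_PLAN)
    print("Identifying desks (personal data):", ident)
    print("Desks with at least k candidates:", anon)
    print("Inferred from 'anonymous' sensor data:",
          infer_working_hours(SENSOR_LOG, SEATING_PLAN))
```

Running the check flags D-101 and D-207 as personal data while D-310, shared by six people, sits above the threshold; for the fixed desk the same feed yields one employee's working hours, which is exactly the further purpose the article warns about under purpose limitation.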

Myth busting

It is a common myth of data protection law that collecting and using personal data always requires consent. In fact, consent is only relevant where the individual has a genuine choice as to whether their personal data will be collected. In the case of a smart building, the individuals have no real choice: if they want to enter the building, they have to accept that they will be monitored.

Instead, the most important obligation is transparency. Organisations have an obligation to inform individuals what data they are collecting about them, how it will be used, and for what purpose. Individuals should also be told who their data may be shared with. For example, they should be informed if an owner of a building shares the data with tenants or other third parties.

Those collecting personal data within a building should therefore think about how to inform those who they are monitoring – and who will be responsible for doing this. This could include staff outreach, notices or even leaflets, to ensure everyone using the building understands what data is being collected and how it will be used.

“Purpose limitation” is another key aspect of data protection for businesses to be aware of in this space. Data protection law provides that personal data should be collected for a specified purpose, and should not be used for further purposes which are incompatible with this.

By way of example, this means that if an employer collects data for the purpose of understanding its working space, it should not then subsequently start using that data to monitor its employees’ working hours – or at least not without informing the employees in advance and considering the privacy impact.

Safeguarding and mitigation

From a practical perspective, the most useful step for a business thinking seriously about collecting or exploiting “building data” would be to complete a data protection impact assessment. This is a formal process by the business considering the privacy risks associated with its plans, and any safeguards which can be put in place to mitigate those risks. Under the GDPR, it will become mandatory to conduct an impact assessment of this sort prior to any large-scale monitoring or other processing considered “high risk”.

Smart buildings present exciting possibilities for both owners and occupiers. To make the most of these opportunities, however, those collecting and using the data should be aware of their legal obligations and of the rights of the individuals concerned.


The General Data Protection Regulation

The GDPR represents the biggest overhaul of data protection law across the EU and the UK in 20 years. Although it preserves the same concepts and principles as the current law, the obligations are more prescriptive and the potential penalties are far greater. A few of the key changes are:

  • an obligation to conduct “data protection impact assessments” for high-risk processing activities – the new principle of “privacy by design” also means businesses must factor data protection and privacy into any system build from the outset;
  • new rights for individuals, including rights to have personal data erased, the right to object to their personal data being used for certain purposes, and a right of “data portability”;
  • a new “accountability” principle, meaning that organisations must be able to demonstrate to the regulator (the UK Information Commissioner) how they comply with data protection law; and
  • a significant increase in fines, from the current maximum of £500,000 to €20m or 4% of global turnover.

Hannah Crowther is an associate at Bristows LLP