What is the Internet of Things (IoTs) and what are its implications for Sports Organisations? (Blog 3)
11 July 2023 | Written by Andy Nutting
Read the final blog from our latest series, written by Andy Nutting, Information Governance Manager at Veritau.
What are the privacy concerns?
So, I’ve recently talked about the Internet of Things (IoTs), what it is, how it works, provided some examples and looked at its use in the sports industry.
In this article, I’m looking at some of the privacy concerns with IoTs because, like with most new technologies, IoTs collect vast quantities of granular data about individuals’ daily habits and activities.
IoT devices can be used by various organisations and entities to obtain access to people’s homes and bodies while potentially decreasing anonymity.
An article by UNESCO last year suggested that this could lead to corporate colonisation and surveillance which limits an individual’s ability to determine what happens to their information, resulting in a decreased ability to shield themselves, their emotions, and their daily activities from various actors.
The IoT may also worsen pre-existing levels of unequal access to privacy and security, enable discrimination, and negatively impact the opportunities that individuals receive. Particularly susceptible to this would be marginalised groups who historically are vulnerable to data discrimination despite existing laws.
The passive nature of many IoT devices can often make it difficult to be informed that your personal data is being collected. The ubiquitous nature of IoT devices, and their ability to blend into the background introduce new challenges and greatly exacerbate existing privacy concerns when compared to traditional technology applications.
Some of these challenges include people’s lack of awareness of the data practices of IoT devices and their manufacturers, due to the larger amount of data involved in potentially complex ecosystems of devices, as well as unobtrusive methods of data collection.
The accumulation of large amounts of data enables the inference of sensitive information unbeknownst to users.
Furthermore, IoT devices can be used by multiple users in environments containing multiple other people, increasing the complexity of privacy needs and access controls.
IoT devices offer limited controls for users to manage privacy for themselves and their information. Many scenarios and domains involve bystanders, who currently have no ability to control devices whatsoever.
What to do?
The ICO produced a report in December 2022 called the Tech Horizon report. The aim of this report was to set out the ICO’s views on emerging technologies to support innovation and prevent harms.
It looks at the implications of some of the most significant technological developments for privacy in the next two to five years, including IoTs.
The report identifies many of the issues I’ve reported about but also highlights next generation IoT setups that will be more integrated within spaces and better at talking to each other, such as:
- Improved network infrastructure, such as the rollout of 5G.
- More advanced machine learning.
- In the longer term, edge computing, that offers opportunities for more responsive IoT devices capable of faster, more efficient, more powerful processing.
The ICO recommends organisations should consider additional steps to take now to implement privacy-positive innovation, including:
- Prioritise efforts to enhance security of IoT devices, for example by implementing default security standards outlined in the Product Security and Telecommunications Infrastructure Act 2022 and considering the European Telecommunications Standards Institute’s IoT security standard.
- Ensure high standards of privacy by design, with user-centred design of connected devices.
- Continue to explore approaches to transparency and data minimisation in smart spaces.
- Remain alert to the potential benefits that edge computing in smart spaces offers and be aware of the unique privacy and security challenges.
The ICO is intending to develop guidance on the data protection aspects of IoT devices, but until that time, you will need to consider the privacy issues connected to any IoT devices you deploy.
One good move might be to develop your own risk assessment for privacy and data security for the implementation of IoT devices. This would entail one for the third party whose device is being installed and one for your organisation.
Remember that you are still responsible for providing people with meaningful transparency and control of their personal information being processed via IoTs devices you install.
Obtain an understanding of the data flows via the IoTs and how this might affect the privacy of your staff, customers, clients, and contractors.
I’ve talked about the volume of data often surreptitiously processed by IoTs devices, which raises concerns about excessive collection or repurposing of personal information. Therefore, you need to think about providing adequate safeguards or transparency to individuals as there is potential for smart space information to be used for secondary purposes.
There is no doubt that IoTs promise numerous benefits both at consumer level and a business level. The evolution of highly intelligent AI and the rise of super-fast telecommunication technologies like 5G are spearheading the already exponential growth of IoT.
As IoTs begin to handle critical infrastructure, organisations cannot afford to take a backseat in terms of privacy and security.
Back in 2014 the ICO produced a response to Ofcom’s consultation ‘Promoting investment and innovation in the Internet of Things’, in which they said that the IoT raises difficult questions concerning the scope of data protection law.
Whilst it was generally accepted that a ‘personal’ electronic device, like a smart phone, collects and processes information about its user, for example location data, the application of data protection law was less certain in the case of less ‘personal’ devices such as a domestic washing machine or a TV set that all members of a household use anonymously.
By 2016, however, and the publication of the GPEN Sweep report, advice had moved onto encouraging organisations to improve their practice by ensuring users are able to understand how their data is treated through improved privacy notices, and undertaking risk assessment to understand how personal data is collected, used, disclosed and stored.
In two years it had become more apparent that more and more devices were connected to the internet and able to collect more identifiable personal information.
Fast forward to the present and a new generation of IoTs are becoming ubiquitous in the workplace, on the street and in town centres, on public transport, and in public buildings. At the same time IoT vendors generally provide little transparency about the personal data processed, and this opacity in data processing is raising real concerns.
The ICO has committed to producing guidance on IoTs, but in the meantime, and in the absence of anything more definitive, consider undertaking a data privacy risk assessment before deploying or installing IoTs devices. Consider all the usual deliberations within your organisation’s current data protection framework and request similar assurances from the third party providing your IoTs device.
Ensure you talk to and work with your IT staff to understand which IoT devices are already in play within your organisation and which are planned. Learn the reason for their implementation and what data they’re collecting, and if you have to retrofit privacy considerations, do so.