Data Protection Commissioner

Guidance Note for Data Controllers on Location Data 

For individuals, please see the FAQ on Location Data for Individuals.

 

 Location data

 
Does your organisation want to collect or process information about the location of individuals? Read this guide to find out when this is allowed and what your obligations are when collecting or processing location data.
 
Location data relating to individuals is very likely to be able to identify them. Hence it constitutes personal data and unless exemptions apply, the Data Protection Acts 1988 and 2003 (hereinafter called the ‘Data Protection Acts’) apply. It could also constitute sensitive data, and should therefore be handled carefully.
 
Data controllers have a responsibility to minimise the amount of data collected, processed and retained because of risks posed by linked location data.
 
Informed consent is the most appropriate basis for processing personal location data in most cases.
 
 
Technologies which enable electronic devices - and therefore the people who use and carry them around - to be easily located have enabled a wide range of services to be offered to the public, from traffic alerts and local weather reports, to services allowing customers to order a taxi to their current location. Organisations may also want to use this type of information to provide location-specific content or advertising, or to monitor the position of company fleet vehicles.
 
However, location data, especially data about the precise pattern of an individual's movements over time, can reveal very intimate details about that person's personal life. This type of data may be valuable to some organisations, as it can allow very specific targeting of services to particular individuals.  However, this also poses serious risks to individual privacy, as well as risks that such data may be used to make decisions which adversely affect the individual to whom it relates.
 
"Location data" has a special meaning for the purposes of the Privacy and Electronic Communications Regulations, which govern location data obtained from mobile phone base stations or other public communication networks.  This is discussed below.
 
 
Before collecting or processing any location data, you should consider whether the Data Protection Acts apply to the data you want to collect.  We have provided an introductory guide to the Data Protection Acts, which you may find useful in making this assessment.  The Data Protection Acts govern the collection and use of "personal data".  This guide discusses how the data protection regime deals with some unusual features of location data which is personal data (or "personal location data"), but it should be read together with our general guidance on data protection, “A Guide for Data Controllers”,  to get a full understanding of your obligations.
 
Additional rules apply for location data obtained from the processing of data in "public communications networks", such as data obtained from mobile phone base stations.  These rules are contained in the European Communities (Electronic Communications
 
Another valuable resource to be considered in relation to the collection of location data is an opinion issued by The Article 29 Working Party in relation to the use of location data in 2011. The Article 29 Working Party is made up of all the EU Data Protection Commissioners. The Working Party is independent and acts in an advisory capacity. It seeks to harmonise the application of data protection rules throughout the EU, and publishes opinions and recommendations on various data protection topics.
 
 
You should treat information about the location of a device which can be tracked or located electronically as "personal data", and comply with the Data Protection Acts in relation to it, if:
 
1. The data relates to a living person (a "data subject"); and
 
2. It is possible to identify the person to whom it relates from the location data itself, or from the location data together with other information which you have or are likely to acquire.
 
Section 1 of the Data Protection Acts defines "personal data" as: 
"data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller"
 
You should read the guidance below together with our general guidance page explaining the concept of personal data.
 
 
Even though you will normally be collecting data about the location of an electronic device, such location data is considered to relate to a living person where it is possible to infer information about a living person from the location of a device.  For example, as was noted by the Article 29 Data Protection Working Party, the location of a smartphone, which would normally be kept close to its user, should always be considered as relating to a living person as its movements are likely to mirror those of its user.  Other devices, such as home WiFi routers, might not follow individuals around all the time, but information about the location of such devices should also be treated as relating to a living person as it points to a physical location where the owner of the router lives or owns property.
 
If you collect location data at a time when a person is using a device, such as data relating to the location of a visitor to your website, or data about the position of a company vehicle while it is in use, such data is personal data as it constitutes information about a person's location at the time the data is collected (the website visitor and the vehicle driver).
 
On the other hand, data about the location of a weather balloon or autonomous vehicle will not normally be considered personal data, if it relates solely to a device the location of which is not linked with that of a person.  Of course, if the autonomous vehicle is carrying a passenger who can be identified, that location data will be personal data relating to the passenger.
 
The granularity and frequency of collected location data may also vary depending on a number of factors, and the need for a particular level of location detail should be taken into account when it is collected. The rules are not hard and fast and will depend on the context and range of data collected or available. In some cases, even a broad indication of location may be enough to accurately identify a person.
 
At the same time, an app that collects location data to the maximum possible accuracy may not require that accuracy if all it needs to know to provide its service is which postal district the person is in. Likewise, collecting location data every five seconds may not be required or be of any relevance to the app if all it is interested in is the fact that an individual on foot has entered a general area of interest.
 
It is therefore also important to consider the form and context of the location data that is gathered, be it GPS, WiFi base station and power signal data, telephone mast or base station position, map coordinate, townland name, IP address or any other description or metadata that may reveal that location.
 
 
Clearly the data subject will be identifiable if location data about that person is linked to the individual's name, phone number, e-mail address or a unique number, assigned for example, to a particular customer, employee or student.  However, because of the intimate nature of location data, identification and singling-out of an individual will often be calculable in the absence of such information. So, even if you never intend to link the location data you are collecting to a particular person, it will likely amount to personal data despite not naming the individual in question.
 
If linked location data reveals a person's movements over a period of time, (even if this period is relatively short) that behaviour alone will often be enough to identify the data subject, for example by identifying their home address or place of work based on their daily routine.
 
The Data Protection Acts lay down certain requirements which must be adhered to in relation to the collection, processing and storage of personal information.  In particular, Section 2(1)(c) of the Acts precludes the excessive collection or processing of data.  In this regard you should take careful steps to prevent identification of the data subject if this is not needed for the purpose for which the location data is gathered.  In most cases, you should treat location data as personal data anyway, because of the difficulties in ensuring that location data has been effectively anonymised, as outlined below.
 
You should be particularly careful about location data which is linked to information such as a Media Access Control (MAC) address, as this can tie the location data to a particular electronic device.  In such cases, it may be possible for someone to link the MAC address back to an individual by connecting the ownership of the device to the individual.  However, even if there is no traceable link between an individual and a device, the pattern of movements of the individual alone will often make it possible to identify the data subject.  Likewise, if you store location data about an individual which is linked together under a random unique identifier, the pattern of movements may enable the data subject to be identified or singled out, even without any information other than location data, and such data should be considered personal data.

"A Media Access Control (or "MAC") address is a unique number assigned to electronic devices which are capable of connecting to the internet or another network. The MAC address of a device is assigned when the device is made and cannot normally be changed, so it represents a permanent identifier of the device."
 
Location data which cannot be linked to a living person is not governed by the Data Protection Acts.  In principle it is permissible to collect aggregated or anonymised location data for statistical or service monitoring purposes, and to use such data outside of the Data Protection regime.  For example, a website operator may want to collect figures about the numbers of website visitors from particular cities or countries, or a company might want to maintain anonymised location data for company vehicles to optimise delivery routes.  If you want to collect aggregated or anonymised data, extreme care should be taken that the technical processes used to aggregate or anonymise data are effective to prevent the data subjects from being identified.  The Article 29 Working Party has published an opinion on techniques for the anonymisation of data, which you should consult before collecting anonymised data.
 
The process of making data anonymous is itself considered to be "processing" data, so if you want to anonymise personal data to bring it outside of the scope of the Data Protection Acts, you must do so fairly, in accordance with the Data Protection Acts.  The conditions for fair processing of personal data are considered below in relation to location data, and in separate general guidance we have prepared, which you should consult prior to any such processing.
 
 
Certain categories of "sensitive personal data" are given special protection under the Data Protection Acts. These include information about the religious or political beliefs of a data subject, their physical or mental health, or their sexuality. Sensitive personal data can only be processed when Section 2 and 2A of the Acts are complied with and also when one of the conditions in Section 2B(1)(b) is met. To find out more about what kinds of data are protected by these special provisions, see our general guidance note for data controllers, which includes a discussion of sensitive personal data.  This page will give some additional guidance on issues which arise specifically in relation to location data and should be read together with the general guidance page.
 
Location data may be "sensitive personal data" if it is possible to discover any of the defined sensitive traits about the data subject from the data.  For example, if a person is shown to attend at a place of worship, or to make repeat visits to a hospital, this might give away information about their religious faith or health.  Such data can be gathered inadvertently, and it is almost inevitable that sensitive personal data about a data subject will be gathered if a data subject's location data is gathered on an ongoing basis over a long period of time. You should seek to minimise the amount of personal location data gathered about a data subject to reduce the risk of sensitive personal data being gathered, and if personal location data has to be retained over a long period of time, you should avoid linking together personal location data relating to an individual if this is possible having regard to the purpose for which it is retained.
 
The degree of accuracy of location data which is gathered has a strong bearing on the risk of inadvertently collecting sensitive personal data.  If location data relates only to the city or country that a person is in, it is far less likely to reveal sensitive personal data than data about their precise location.  You should consider whether it is possible to reduce the accuracy of any location data which you want to collect, to minimise the amount of personal data collected and the risks of a data breach.
 
In addition to complying with the normal rules of data protection, discussed below, an organisation may only process location data which is sensitive personal data if Section 2 and 2A of the Acts are complied with and also when one of the conditions in Section 2B(1)(b) of the Data Protection Acts is met. That is to say, explicit consent is required in these cases. Our guidance note on sensitive personal data discusses these conditions in detail, and you should consult it if you think you may be collecting sensitive personal data.

The rules of data protection
 
If you intend to obtain, keep or process personal location data, you must comply with the data protection rules when doing so.  To find out what your obligations are under the Data Protection Acts, see our guidance note on the data protection rules.  This page will give some additional guidance on issues which arise specifically in relation to location data and should be read together with our general guidance page.
 
Section 2 of the Data Protection Acts requires data controllers to obtain any personal data fairly.  We have prepared a general guidance page on the obligations of data controllers when collecting personal data, which you should consult before collecting or processing location data which is personal data. Additionally, you should consult our guidance on the processing and sharing of personal data.  This section provides some additional guidance on this topic of particular relevance to the collection of location data.
 
Modern technologies such as GPS location and WiFi tracking have made it technically possible to collect very accurate location data about an individual without the individual being aware of this.  This can occur because the data subject/individual was never told that their data would be collected, because they were told, but have forgotten, or because it is not clear to the data subject when or how location data is actually being collected.
 
If you intend to collect personal location data, you must first ensure that you have a legal basis for so doing. Then you have a duty to ensure that the data subjects/individuals are informed in advance that their location data will be collected and are given the opportunity to opt in or opt out.
 
You must also make it clear when location data is actually being collected, or in other words, that the location service is "on" and being monitored.  A distinction can be drawn between the collection of location data on a once-off basis (or each time a service is specifically requested by a user) and ongoing collection. The Article 29 Working Group has emphasised the need for information about ongoing collection of location data to be available on an ongoing basis. This should include periodic reminders that location data is being collected and ideally a recognisable and visible indication whenever data collection is occurring.
 
As the uses to which location data can be put are constantly evolving, it is important for you to make it very clear to users whose data is being collected exactly what purposes the location data is being collected for. Section 2(1)(c)(i) of the Acts requires that data "shall have been obtained for one or more specified, explicit and legitimate purposes". Section 2(1)(c)(ii) then states that this data "shall not be further processed in a manner incompatible with that purpose or those purposes". This requires that you should also seek the consent of data subjects about any change or new or additional purposes for which personal location data will be processed and ensure you still have a legal basis for further processing.
 
It is the data subject rather than the owner of a device who has to be informed about data collection. This is relevant where the device used to collect data is owned by someone other than the data subject. This might occur if an employer owns a smartphone provided to an employee, or if a person visits a website which collects location data from a public computer. In these cases, it is the employee and the website visitor who are the data subjects.
 
Information about the purposes for collecting location data, the identity of the "data controller" and about anyone the data will be shared with should be provided to the data subject, no matter how the location data is collected. For example, a business using the WiFi network to track customer movements around its premises might display prominent signs informing anyone whose personal data might be captured of the data collection, or only collect location data where the user of a device has logged on to the network and the logon process includes information about the information collection.
 
 
You may only process personal location data where one of the conditions laid out in section 2A of the Data Protection Acts is met. These conditions are discussed in detail in our guidance document on processing and sharing of personal data. Before collecting or processing location data which is personal data, you should consult that guidance page. This section provides some additional guidance on the use of "consent" and "legitimate interests" as grounds for processing personal location data.
 
Consent
Section 2A(1)(a) of the Data Protection Acts provides that consent is a valid ground for processing personal data. Where there is a risk that you will be processing an individual's sensitive personal data, section 2B(1)(b)(i) of the Data Protection Acts requires that any consent be explicitly given. The Article 29 Working Party has indicated that because patterns of location data from smart mobile devices are likely to reveal not only the identity but also potentially intimate details about the private life of their user, the main condition which should be relied upon for processing such data is the prior informed consent of the user.
 
As it is the user of the device, rather than its owner, who is the data subject, data controllers should be careful to ensure that it is the user who gives their consent. It is more likely that it will be the data subject providing this consent if consent is given from the device itself, if reminders that the location service is active are sent to the device, and if it is possible to withdraw consent easily using the device itself.
 
The Article 29 Working Party has also indicated its view that such consent cannot be given as part of the general terms and conditions of a service, and that it must be possible to opt out of the processing of location data, and to do so in the future. You should draw particular attention to the fact that location data will be processed when seeking consent, especially where it may not be obvious to a data subject that location data is being processed, or that it is being processed for a particular purpose.
 
Processing required to protect legitimate interests
 
The Data Protection Acts allow for the processing of data in order to protect the legitimate interests of the data controller or a third party, but only if such processing does not amount to an unwarranted infringement of the fundamental rights of the data subject. Deciding whether the "legitimate interests" ground provides a valid basis for processing data involves conducting a balancing exercise to examine the competing interests of the data controller (or third party) and the data subject. This has to be done on a case by case basis. You should consult our guidance page on processing personal data to determine whether you can rely on this ground for processing personal data in a particular case. The guidance provided in this page relating to location data should be read together with that general guidance document.
 
Section 2A(1)(d) of the Data Protection Act 1988 permits the processing of personal data where:
 "the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject."
 
This ground is particularly relevant for the collection of personal location data relating to employees of the data controller. The Article 29 Working Party has noted that where an employer seeks consent from their employee and there is a real or potential prejudice to the employee that would arise from withholding consent, that consent is not valid, as it is not freely given. Legitimate interests which an employer may seek to protect by processing location data relating to employees include improving the efficiency of processes (e.g. monitoring the movement of company vehicles to improve the efficiency of delivery routes) or for the physical security of personnel or property (e.g., a cash-in transit van might be monitored to prevent theft). In each case a balancing exercise must be carried out to determine the appropriateness of the data processing, having regard to the effect of such processing on the interests or fundamental rights of the data subject.
 
It is vitally important, when relying on the legitimate interests of the data controller or a third person to process data, that the data be processed only for the purpose of protecting that legitimate interest. For example, data which was obtained for the purposes of improving the efficiency of delivery route planning should not be used to monitor the driving style of employees. The Article 29 Working Party Opinion on this matter may be helpful to you. Personal data processing based on legitimate interests should of course be accompanied by appropriate safeguards such as notification and deletion or anonymisation at the boundaries of collection if no future use of the data is required or legally grounded.
 
The use of location tracking systems in general can give rise to data protection issues if not deployed in a manner that takes account of the legitimate privacy expectations of individuals. The legitimate interests of the employer to process personal data that is necessary for the normal development of the employment relationship and the business operation justify certain limitations to the privacy of individuals at the workplace. However, these interests cannot take precedence over the principles of data protection, including the requirement for transparency, fair and lawful processing of data and the need to ensure that any encroachment on an employee’s privacy is fair and proportionate. Our guidance on data protection in the workplace and the Article 29 Working Party Opinion on the processing of personal data in the employment context should be helpful in this regard.
 
Staff must be informed of the existence of a location tracking scheme and how it operates as well as being clearly informed of all the purposes for which the personal data will be used.
 
Case Study 13 from our 2010 Annual Report (p.75-76) deals with GPS in vehicles; however, the same principles apply.
 
 
Section 2(1)(c)(iv) of the Data Protection Acts requires that data controllers not retain personal data for any longer than is necessary for the purposes for which it was collected, or for any further permitted purpose. The obligations on data controllers relating to the retention of personal data are discussed in detail in this guidance document on storage and management of personal data prepared by the Department of Finance. You should consult this guidance document to find out more about when you must delete personal data. This section provides some additional guidance on this topic of particular relevance to the retention and deletion of location data.
 
Timely deletion of unnecessary personal data is especially important in the context of location data. As noted above, the pattern of a person's movements over time can reveal intimate details of their life, and the more location data that is available or linked together, the more likely it is that sensitive personal data will be revealed. Accordingly, data controllers should avoid retaining location data which is personal unless absolutely necessary. In some cases it may be appropriate to immediately delete location data once it has been processed to “check if you were nearby”.
 
Organisations may wish to retain anonymised location data over a long period to improve processes, or to monitor trends over time. As noted above, the Data Protection Acts do not apply to location data which cannot be linked to a living individual, including to location data which has been appropriately and effectively anonymised. However, organisations seeking to retain anonymised location data should take special steps to reduce the likelihood of data subjects being identifiable from such data. The Article 29 Working Party has stated that data controllers must take extreme care to avoid making such data indirectly identifiable. This is especially applicable to location data. The Working Party recommends that location data relating to a mobile device not be linked together with the same random unique device identifier (or "UDID") for periods of greater than 24 hours, and that no UDID should be linkable to a previous or future UDID, or to any fixed identifier for the relevant device.
 
 
Data subjects have certain rights under the Data Protection Acts. Under Section 3 an individual has the right to find out what information an organisation holds about them. Section 4 provides a right to individuals to request access to personal information held about them by an organisation.  This right is intended to give the data subject control over how personal data about him or her is being used, to ensure it is accurate, or at the very least to ensure that data subjects have an awareness of the purpose and the context in which their personal information is being processed. In this way, an individual is in a position to ensure that his/her personal data is being fairly processed in accordance with the Acts. Section 6 provides the right to request to have a data controller correct any factually incorrect personal information or delete any personal data that is no longer required. The obligations on data controllers in responding to requests under those sections are discussed in detail in our guidance documents on responding to access requests and storage and management of personal data. You should consult these guidance pages to find out more about dealing with these requests.
 
When responding to subject access requests, section 4 requires that personal data be provided to the data subject "in intelligible form". When providing location data, this may mean plotting the location data on a map or providing an address corresponding to the location. Providing numerical co-ordinates alone is not sufficient to satisfy the "intelligible form" requirement.
 
 
Special data protection rules apply to the protection of personal data by data controllers in the electronic communications sector. These are in addition to the general obligations that apply to all data controllers under the Data Protection Acts. Obligations also arise for entities acting on behalf of data controllers under contract in this sector. In data protection terms these entities are referred to as data processors.
 
Where location data is processed in connection with the provision of publicly available electronic communications services in public communications networks, it is also governed by the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, (the "Privacy and Electronic Communications Regulations").
 
 
Location data is defined for the purposes of the Privacy and Electronic Communications Regulations as:
 
"any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service;"
 
This means information which is collected by a public communications network or service about where a user’s phone or other device is located. Most commonly, this is relevant where the location of a mobile phone is indicated by data relating to the base stations to which the device connects.
 
Data generated by a data subject's device, such as GPS and WiFi location data, which is then transmitted over a public communications network to a data processor, is not normally governed by the Privacy and Electronic Communications Regulations, because the location data is not generated from data processed in an electronic communications service. Similarly, location data generated by a local WiFi network, for example by examining the connections of devices to an organisation's WiFi network, is also outside of the scope of the Regulations, unless the WiFi network itself is operated by the operator of a public communications network.
 
However, if you want to collect information about the location of an individual partly based on "location data" within the meaning of the SI, and partly based on other sources, you will need to comply with the Regulations in relation to any location data governed by the Regulations, in addition to complying with the Data Protection Acts.
 
 
Under regulation 9 of the Privacy and Electronic Communications Regulations, you may only process location data (other than "traffic data") within the meaning of the Regulations if it has been made anonymous, or for the provision of a "value added service" where you have obtained specific prior consent. Such data can only be processed for the duration necessary for the provision of the value added service.
 
“value added service” means any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof.
 
Consent has the same meaning as consent under the Data Protection Acts, so you should consult the guidance provided above, and our general guidance on consent under the Data Protection Acts if you want to rely on consent to process location data for the purposes of providing a value added service.
 
You must also give comprehensive information to users and subscribers before obtaining consent. This information must include details of the type of location data that will be processed, the purposes and duration of processing and whether the data will be passed to any third party for the purpose of providing the value added service.
 
Users may withdraw their consent to the processing of their location data at any time, and you must inform users of how to withdraw their consent. You must also give users the option to temporarily withdraw consent to the processing of location data for each connection to the public communications network or for each transmission of a communication. This must be available through a simple and cost free mechanism.
 
Article 29 Data Protection Working Party Opinions:
 
Opinion 5/2005 on the use of location data with a view to providing value-added services
Opinion 13/2011 on Geolocation services on smart mobile devices
Opinion 15/2011 on the definition of consent
Opinion 05/2014 on Anonymisation Techniques