Shared spaces and privacy intrusion: what you need to know
In the shared space sector, be it property guardianship, co-living or co-working, greater surveillance and real-time information sharing are likely to become the “new normal” as we learn to co-exist with Covid-19. This is the price of doing business in the shared space sector.
The UK Government’s recent U-turn to belatedly join forces with Google and Apple to create a UK contact tracing app is not the only Whitehall tech initiative aimed at easing lockdown restrictions while maintaining public safety. We also understand progress is being made with another app targeted specifically at the real estate sector.
The app will essentially function as a daily “building health index”, which will provide users (such as residents or employees) with information such as air quality; the number of building occupants compared to the restricted maximum occupancy; busy areas of the building; and reports of how well social distancing is being observed. If the building, or a particular section of the building, shows a low health rating, then users can take evasive action accordingly.
This is in addition to implementing other risk-mitigating technology, such as contactless sensors instead of buttons and switches (for example, for lights, lifts and plugs) and temperature check / fever screening cameras.
Clearly, much of the technology being used depends on the collection and use of information. A significant amount of that information will be personal data. It is not possible to implement these measures effectively and sustainably without considering the impact of the GDPR and other data privacy law (which still applies as normal, as confirmed by both the Government and the ICO).
If you operate in the shared space sector, these issues are likely to affect your business. There are a number of key requirements to consider:
- Transparency: your privacy notices should be updated to explain your measures and their impact on individuals’ privacy;
- Documentary compliance: at least one documentary privacy-specific risk assessment is required;
- Software/hardware providers: will likely be considered processors under the GDPR, meaning strict contractual terms are required;
- Surveillance technology: the ICO has specific rules about the use of CCTV and similar technology; and
- Information management and sharing: organisational protocols should be put in place to ensure that only the minimum amount of personal data is used and that it is only shared and accessed on a strict “need to know” basis.
This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. This update relates to the prevailing circumstances at the date of its original publication and may not have been updated to reflect subsequent developments.