On May 21, 2020 the Privacy Protection Authority (the “PPA”) published draft privacy protection guidelines for transportation entities in the digital age for public comment.
In the draft, the PPA recognizes the growing use of “smart transportation”, which is based on the use of big data. Said data includes users’ private information.
The use of smart transportation creates a tension between the private user, constantly exposed to monitoring and the entity providing and monitoring the transportation service. The PPA is concerned with user privacy, as their personal data can be used as auxiliary information to create profiles, analyze preference, and so forth.
This given, the PPA puts emphasis on the need for smart transportation entities to comply with privacy protection rules, including:
- to use data only for the purpose for which it was collected;
- to grant the data subject the right to access their personal data ;
- to ensure confidentiality of the data;
- when contacting users via direct mail, to ensure compliance with the Privacy Protection Law;
- to protect the databases of transportation entities, define the level of security applicable to each of the databases, and comply with the Privacy Protection Regulations.
The PPA further recommends that transportation entities operate in accordance with the principles set out below when implementing new technologies:
- Appoint a “Policy Implementation Director” – a senior officer of the transportation entity who is charged with establishing an overall policy on the use of data and who will be responsible for the practical implementation of the policy.
- Privacy Impact Assessment – analyze the impact of the proposed technology on privacy, identify all privacy risks and examine alternatives. The PPA lists a series of guiding questions to help assess risk and identify challenges and obstacles that arise from the use of technology.
- Transparency – the entity must take appropriate measures to provide transparent, intelligible and easily accessible information on the data types collected; the purposes of collecting data; the measures taken to secure the data; security risks; to whom the personal data will be disclosed.
- Privacy by design – implement privacy protection principles in the early developmental stages. In the draft, the PPA offers several measures to minimize privacy risks from an early stage.
- Tenders and contracts – the PPA advises special attention be paid to aspects of privacy and data security in tenders and contracts involving the implementation of transportation technologies.
The draft is open for public comment until June 14th, 2020. Comments should be sent to the email address: email@example.com.
We are at your service for any questions on this matter, including the submission of comments to the draft.