On 6 August 2017, in advance of proposed legislation, the UK government published 8 ‘Key Principles’ regarding the cyber security of connected and autonomous vehicles. This is the last of a series of 4 blogs regarding those principles.
Vehicles today have multiple microprocessors and sensors that collect location and driver behaviour data (e.g. routes travelled, speed, collision data, wear and tear on components, fuel efficiency, etcetera). That data can be analysed by smart vehicles in real time, so that adjustments can be made to improve performance and safety. In addition, the data can be retrieved wirelessly by manufacturers or software providers, and could be used to improve infrastructure, traffic flow and methods of reducing driver error.
While incredibly useful in the world of ‘big data’, it is important to recognise that the information collected results from monitoring the actions of one or more living individuals. Looking at that data, an organisation could identify how many different users a vehicle has, where they live and work, how they drive, whether they are prone to exceeding speed limits, and even their individual entertainment preferences. An ability to ‘identify’ them in this way brings the information collected within the scope of UK data protection legislation.
Key Principle 7 governs the storage and transmission of data amassed by smart and autonomous vehicles. In particular, Key Principle 7.2 requires that “personally identifiable data” is “managed appropriately”, which will necessarily include compliance with applicable data protection law. Collection, storage, processing and use of the data must comply with the 8 Data Protection Principles set out in the Data Protection Act (DPA) 1998, and from May 2018 will need to comply with the requirements of the General Data Protection Regulation (GDPR). Organisations need to review their data protection procedures and compliance now, to ensure that they are ready for the upcoming changes.
Key Principle 7.3 requires that “users” must be able to delete “sensitive data” held on systems and connected systems. Unfortunately, no definition of “user” or “sensitive data” is provided in the guidance, nor context to indicate the scope of “connected system[s]”. It could be assumed that the guideline intends to refer to “sensitive personal data”, as defined in the DPA, but that raises the question as to why such a common and well-defined term was not used.
Sensitive personal data under the DPA notably includes data showing the “commission or alleged commission by [the data subject] of any offence”, and such information may continue to be one of the “special categories of personal data” under the UK's implementation of the GDPR. Assuming “user” means driver, does Key Principle 7.3 envisage a means by which a driver (being the data subject) can, at will, delete journey records showing that s/he committed speeding offences? Or only in conformity with DPA request mechanisms? If Key Principle 7.2 necessarily includes compliance with the DPA, Key Principle 7.3 arguably provides some form of additional right on the part of a driver, else it would be extraneous. Clarification from the Department for Transport is needed as to the scope and intentions behind the wording provided.