Expert: BA doesn't need permission to google your face

It's all legit, so don't forget to smile for the camera

British Airways (BA) may not need passengers' consent in order to identify them using images available on the internet, an expert has said.

Data protection law specialist Danielle van der Merwe of Pinsent Masons (the law firm behind Out-Law.com), said that the company could argue that it is in its legitimate interests to process online images of passengers that have booked with them.

Last week BA announced plans to engage in more personalised interaction with customers through its 'Know Me' customer service programme. Staff at the airline will use iPads and a special 'app' to search Google Images for a photo of individual passengers to enable them to recognise and greet them at airports. Other information, such as whether passengers have experienced delays on previous flights, will also be available to crew via the devices, according to media reports.

Nick Pickles of privacy watchdog Big Brother Watch said that BA needs passengers' consent to justify them processing their online images, according to a report by London's Evening Standard. However, Van der Merwe said there may be other ways in which the company could justify its activity as being compliant with data protection laws.

"There are a number of routes available under the Data Protection Act that one can take in order to justify the arrangement under the Act; the most appropriate of those would be to notify passengers about the possible processing and ask them for their consent at the time they book a flight," she said. "This can be achieved in the company's terms and conditions which are brought to the attention of a passenger when booking a flight. However, consent can always be withdrawn at a later stage by a passenger and the company needs to have procedures in place to deal with an opt-out by those individuals.

"There are, however, other routes available to BA under the Data Protection Act other than through gaining the passenger's consent. BA could argue that the processing is in its legitimate interests because it wants to offer the best experience to its customers possible," Van der Merwe added.

Under the Data Protection Act (DPA), personal data must be processed fairly and lawfully and for specific, explicit and legitimate purposes only.

Organisations must meet at least one of the "legitimising conditions" under the DPA in order to process an individual's personal data, such as having obtained the individual's consent to do so. Other lawful grounds for processing that do not require consent include where it is necessary for the performance of a contract, necessary in order to protect the "vital interests of the data subject", or where it is necessary "for the administration of justice".

Van der Merwe said that while BA could rely on consent where it had been given, it was unlikely that it could justify its Google Image checks on the other lawful grounds listed, other than if it could claim the processing was in its 'legitimate interests' and not overridden by the rights of passengers.

Under the DPA, organisations can process personal data if it is "necessary for the purposes of the legitimate interests" they are pursuing, as long as that processing is not "unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject."

The subjective nature of that provision means BA should hold documentary evidence of its consideration of data protection matters in order to justify its processing activities if required to do so, Van der Merwe added.

"Companies need to be able to show that they are taking the privacy of their customers' personal data seriously and that data protection is something that is considered before a company engages in an activity involving their customers' personal data," she said. "Companies unable to do so are more likely to face enforcement action from the Information Commissioner."

A BA spokesman said that the company complies with the DPA and that it aims to "send 4,500 personal recognition messages a day by the end of the year," according to the Evening Standard report.

"We are entirely compliant with the UK Data Protection Act and would never breach that," the spokesman said. "Know Me is simply another tool to enable us to offer good customer service, similar to the recognition that high street loyalty scheme members expect. The Google Images search app helps our customer service team to recognise high profile travellers such as captains of industry who would be using our First class facilities enabling us to give a more personalised service."

BA: They love a bit of it

Jo Boswell, head of customer analysis at BA, said the personalisation programme was just at the "start" and that it had a "myriad of possibilities for the future." However, Van der Merwe said that it may be harder for the company to justify more intrusive processing activities without passenger consent.

"While some passengers may be delighted at being addressed on personal terms after airline staff have cross-referenced them with available images online, others may be uncomfortable with the idea and consider that their privacy has been invaded and take real offence," she said. "BA could argue that this activity is within their legitimate interests as they are offering customers a better service and therefore making their airline more popular with customers.

"BA would be less likely to be able to justify further personalising its customer service by checking other personal data online, such as that which is available on social network sites. For example, it is likely that the company would need the consent of passengers to look at their activities on Facebook or LinkedIn etc. for the purposes of proactively engaging those individuals in conversation about their social or professional interests," Van der Merwe said.

Out-Law.com asked BA to explain its future plans for delivering more personalised customer service but the company did not respond to our queries.

The UK's data protection watchdog, the Information Commissioner's Office (ICO), said that BA, among other requirements under the DPA, must make sure that "passengers’ information is stored securely and is not kept for longer than is necessary." It added that "looking after individuals’ data correctly" was not just a legal requirement but that it "plays an important role in maintaining consumer confidence."

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
