Feeds

Expert: BA doesn't need permission to google your face

It's all legit, so don't forget to smile for the camera

Choosing a cloud hosting partner with confidence

British Airways (BA) may not need passengers' consent in order to identify them using images available on the internet, an expert has said.

Data protection law specialist Danielle van der Merwe of Pinsent Masons (the law firm behind Out-Law.com), said that the company could argue that it is in its legitimate interests to process online images of passengers that have booked with them.

Last week BA announced plans to engage in more personalised interaction with customers through its 'Know Me' customer service programme. Staff at the airline will use iPads and a special 'app' to search Google Images for a photo of individual passengers to enable them to recognise and greet them at airports. Other information, such as whether passengers have experienced delays on previous flights, will also be available to crew via the devices, according to media reports.

Nick Pickles of privacy watchdog Big Brother Watch said that BA needs passengers' consent to justify them processing their online images, according to a report by London's Evening Standard. However, Van der Merwe said there may be other ways in which the company could justify its activity as being compliant with data protection laws.

"There are a number of routes available under the Data Protection Act that one can take in order to justify the arrangement under the Act, the most appropriate of those would be to notify passengers about the possible processing and asking them for their consent at the time they book a flight," she said. "This can be achieved in the company's terms and conditions which are brought to the attention of a passenger when booking a flight. However, consent can always be withdrawn at a later stage by a passenger and the company needs to have procedures in place to deal with an opt-out by those individuals.

"There are, however, other routes available to BA under the Data Protection Act other than through gaining the passenger's consent. BA could argue that the processing is in its legitimate interests because it wants to offer the best experience to its customers possible," Van der Merwe added.

Under the Data Protection Act (DPA), personal data must be processed fairly and lawfully and for specific, explicit and legitimate purposes only.

Organisations must meet at least one of the "legitimising conditions" under the DPA in order to process an individuals' personal data, such as having obtained individuals' consent to do so. Other lawful grounds for processing that do not require consent include where it is necessary for the performance of a contract, necessary in order to protect the "vital interests of the data subject" or where it is necessary "for the administration of justice".

Van der Merwe said that while BA could rely on consent where it had been given, it was unlikely that it could justify its Google Image checks on the other lawful grounds listed, other than if it could claim the processing was in its 'legitimate interests' and not overridden by the rights of passengers.

Under the DPA, organisations can process personal data if it is "necessary for the purposes of the legitimate interests" they are pursuing, as long as that processing is not "unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject."

The subjective nature of that provision means BA should hold documentary evidence of its consideration of data protection matters in order to justify its processing activities if required to do so, Van der Merwe added.

"Companies need to be able to show that they are taking the privacy of their customers' personal data seriously and that data protection is something that is considered before a company engages in an activity involving their customers' personal data" she said. "Companies unable to do so are more likely to face enforcement action from the Information Commissioner."

A BA spokesman said that the company complies with the DPA and that it aims to "send 4,500 personal recognition messages a day by the end of the year," according to the Evening Standard report.

"We are entirely compliant with the UK Data Protection Act and would never breach that," the spokesman said. "Know Me is simply another tool to enable us to offer good customer service, similar to the recognition that high street loyalty scheme members expect. The Google Images search app helps our customer service team to recognise high profile travellers such as captains of industry who would be using our First class facilities enabling us to give a more personalised service."

BA: They love a bit of it

Jo Boswell, head of customer analysis at BA, said the personalisation programme was just at the "start" and that it had a "myriad of possibilities for the future." However, Van der Merwe said that it may be harder for the company to justify more intrusive processing activities without passenger consent.

"While some passengers may be delighted at being addressed on personal terms after airline staff have cross-referenced them with available images online, others may be uncomfortable with the idea and consider that their privacy has been invaded and take real offence," she said. "BA could argue that this activity is within their legitimate interests as they are offering customers a better service and therefore making their airline more popular with customers.

"BA would be less likely to be able to justify further personalising its customer service by checking other personal data online, such as that which is available on social network sites. For example, it is likely that the company would need the consent of passengers to look at their activities on Facebook or LinkedIn etc for the purposes of proactively engaging those individuals in conversation about their social or professional interests" van der Merwe said.

Out-Law.com asked BA to explain its future plans for delivering more personalised customer service but the company did not respond to our queries.

The UK's data protection watchdog, the Information Commissioner's Office (ICO), said that BA, among other requirements under the DPA, must make sure that "passengers’ information is stored securely and is not kept for longer than is necessary." It added that "looking after individuals’ data correctly" was not just a legal requirement but that it "plays an important role in maintaining consumer confidence."

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?