Expert: BA doesn't need permission to google your face

It's all legit, so don't forget to smile for the camera

British Airways (BA) may not need passengers' consent in order to identify them using images available on the internet, an expert has said.

Data protection law specialist Danielle van der Merwe of Pinsent Masons (the law firm behind Out-Law.com) said that the company could argue that it is in its legitimate interests to process online images of passengers that have booked with them.

Last week BA announced plans to engage in more personalised interaction with customers through its 'Know Me' customer service programme. Staff at the airline will use iPads and a special 'app' to search Google Images for a photo of individual passengers to enable them to recognise and greet them at airports. Other information, such as whether passengers have experienced delays on previous flights, will also be available to crew via the devices, according to media reports.

Nick Pickles of privacy watchdog Big Brother Watch said that BA needs passengers' consent to justify them processing their online images, according to a report by London's Evening Standard. However, Van der Merwe said there may be other ways in which the company could justify its activity as being compliant with data protection laws.

"There are a number of routes available under the Data Protection Act that one can take in order to justify the arrangement under the Act, the most appropriate of those would be to notify passengers about the possible processing and asking them for their consent at the time they book a flight," she said. "This can be achieved in the company's terms and conditions which are brought to the attention of a passenger when booking a flight. However, consent can always be withdrawn at a later stage by a passenger and the company needs to have procedures in place to deal with an opt-out by those individuals.

"There are, however, other routes available to BA under the Data Protection Act other than through gaining the passenger's consent. BA could argue that the processing is in its legitimate interests because it wants to offer the best experience to its customers possible," Van der Merwe added.

Under the Data Protection Act (DPA), personal data must be processed fairly and lawfully and for specific, explicit and legitimate purposes only.

Organisations must meet at least one of the "legitimising conditions" under the DPA in order to process an individual's personal data, such as having obtained the individual's consent to do so. Other lawful grounds for processing that do not require consent include where it is necessary for the performance of a contract, necessary in order to protect the "vital interests of the data subject" or where it is necessary "for the administration of justice".

Van der Merwe said that while BA could rely on consent where it had been given, it was unlikely that it could justify its Google Image checks on the other lawful grounds listed, other than if it could claim the processing was in its 'legitimate interests' and not overridden by the rights of passengers.

Under the DPA, organisations can process personal data if it is "necessary for the purposes of the legitimate interests" they are pursuing, as long as that processing is not "unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject."

The subjective nature of that provision means BA should hold documentary evidence of its consideration of data protection matters in order to justify its processing activities if required to do so, Van der Merwe added.

"Companies need to be able to show that they are taking the privacy of their customers' personal data seriously and that data protection is something that is considered before a company engages in an activity involving their customers' personal data," she said. "Companies unable to do so are more likely to face enforcement action from the Information Commissioner."

A BA spokesman said that the company complies with the DPA and that it aims to "send 4,500 personal recognition messages a day by the end of the year," according to the Evening Standard report.

"We are entirely compliant with the UK Data Protection Act and would never breach that," the spokesman said. "Know Me is simply another tool to enable us to offer good customer service, similar to the recognition that high street loyalty scheme members expect. The Google Images search app helps our customer service team to recognise high profile travellers such as captains of industry who would be using our First class facilities enabling us to give a more personalised service."

BA: They love a bit of it

Jo Boswell, head of customer analysis at BA, said the personalisation programme was just at the "start" and that it had a "myriad of possibilities for the future." However, Van der Merwe said that it may be harder for the company to justify more intrusive processing activities without passenger consent.

"While some passengers may be delighted at being addressed on personal terms after airline staff have cross-referenced them with available images online, others may be uncomfortable with the idea and consider that their privacy has been invaded and take real offence," she said. "BA could argue that this activity is within their legitimate interests as they are offering customers a better service and therefore making their airline more popular with customers.

"BA would be less likely to be able to justify further personalising its customer service by checking other personal data online, such as that which is available on social network sites. For example, it is likely that the company would need the consent of passengers to look at their activities on Facebook or LinkedIn etc for the purposes of proactively engaging those individuals in conversation about their social or professional interests," Van der Merwe said.

Out-Law.com asked BA to explain its future plans for delivering more personalised customer service but the company did not respond to our queries.

The UK's data protection watchdog, the Information Commissioner's Office (ICO), said that BA, among other requirements under the DPA, must make sure that "passengers’ information is stored securely and is not kept for longer than is necessary." It added that "looking after individuals’ data correctly" was not just a legal requirement but that it "plays an important role in maintaining consumer confidence."

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
