Privacy in Smart Buildings : the uncomfortable subject
With the rising wave of real estate tech innovation, (Proptech) and the Internet of Things (IoT), the way we live and interact with our environment in areas as diverse as our home, transport, office buildings and even our health, is changing. In smart building environments, the information gathered about the building and its occupants contribute to the development of services that aim at improving energy savings, comfort, productivity, social interaction, security, etc. However, these services need to collect and share information about the building's inhabitants and their activities, leading to privacy risks.
Where were you at 6 pm ?
In a Smart Building, it is very easy to know someone’s whereabouts just by following the occupancy beacons tracking data. The algorithm associated with the Enlighted sensors, for example,trace the activity of people moving or sitting, analyses and summarises occupancy density and movement at all times.
What about the monitoring cameras that using the appropriate AI algorithm computes the space between people and check that employees are maintaining their distance (like Amazon uses in its warehouses)? And the ones that take people temperature as they walk in the building ?
This might be considered sensitive information.
On the other hand, social distancing and deep cleaning can be ensured by knowing the same information and this can keep you safe.
Occupation and health tracking can be invasive and poses significant concern about the collection of personal data. While employees need to be reassured about the risk of contamination in the workplace, will they in return feel under surveillance ? Building owners and employers must balance health-safety with privacy at a time where a flow of Proptech startups rush to sell their innovation with little regard for employees rights and well-being.
How to get the balance right
Developing both consumer- and utility-driven mechanisms to preserve sensor-data privacy is possible. There are various techniques, such as the data encryption utility at the sensor itself, which could allow only certain analytic functions to be performed but prevent raw sensor data from individuals being revealed.
Appropriate policies must be set to help building owners and operators manage both privacy concerns and cyber risks. To protect privacy and to prevent unauthorised disclosure of sensitive information, strong authentication and Identity management solutions need to be systematically integrated into the smart building management processes so that only authorized parties have access to the data.
Companies must invest in audit and compliance processes
People must be aware and fully informed of all the data that is collected from them, how it is being used and what measures are in place to safeguard it. They must have the right to decide which they allow and which they do not. Trust is the key to for getting employees back to the office.
What does the European law say ?
The European General Data Protection Regulation (“GDPR”) implemented in 2018 addresses the challenges raised by the European Data Protection Directive (DP Directive). Summarized below the key points of the law.
- Responsibility for compliance
A data controller is any organization that decides which personal data is collected and for which purpose, within an establishment in the EU. A data controller has to comply with the laws implementing the DP Directive. An organization that is processing personal data on behalf of a data controller has no direct obligations to comply with the DP Directive unless it collects and uses the data for its own purposes or combines it with information obtained from elsewhere.
In a smart building context where there are many stakeholders (development, operation, maintenance and use), it is therefore important to identify who could potentially be collecting and using personal data and assign responsibility properly so that there is no loophole.
- Get user consent
Individuals from which data is collected must be told how their data is used and must have the ability to give a meaningful consent. It is all the more important as, in a smart building context, data can be shared in multiple ways leading to potentially intrusive profile analysis and de-anonymization of data.
- Keep data to a minimum
So many information can be collected in a smart building, but not so many is really useful or practically used for its original purpose, because the skill to analyze it Is missing or because it is very tempting to capture information for future or interesting purposes that are out of the current scope.
In addition to having to ensure that it is all processed in a compliant way, collecting a large volume of data leads to higher maintenance and security costs.
So organizations should always consider what should be collected from a legal perspective.
- Security
Of course best practices must be implemented when dealing with personal data, but not only from a technical perspective but also from a managerial one. Indeed, any person involved in handling personal data must be trained to issues and management of security breaches to minimize impacts in case of problem.
As much as we are excited about the opportunities for using data to make buildings healthier, more efficient, responsive, and improving our working environment, we are also mindful of the challenges that it brings, including concerns about the increasing prominence of data-driven systems in our lives, potentially in conflict with our privacy, and the way we interact in public and private spaces.
Add comment