On April 29, the Agency for Access to Public Information (the "AAIP") issued a statement on its website explaining how personal data should be treated when geolocation tools are used, especially in light of the health emergency caused by Coronavirus (COVID-19).
In this regard, the AAIP communicates that Law No. 25,326 on the Protection of Personal Data ("LPDP") and Convention 108 for the Protection of Persons with respect to Automated Processing of Personal Data, approved in our country by Law No. 27,483, do not prohibit the monitoring of the location of people, but the data processing measures that are implemented must be carried out respecting people's human right to privacy.
Accordingly, the AAIP sets out the fundamental principles of the current data protection regulation that apply to the use of geolocation and tracking tools, whether these tools are used by the public sector, the private sector or both in collaboration:
Point 1. All information referring to the location of a person and/or their movements constitutes personal data, protected under the LPDP. In order to collect and further process this category of information, the person responsible must rely on one of the legal bases contemplated in Article 5 of the LPDP. The collection of location data may be carried out when:
- The owner of the data has given his free, express and informed consent. Consent may be obtained through acceptance of terms and conditions in an application or web platform.
- Data is obtained from sources of unrestricted public access.
- They are collected for the exercise of functions proper to the powers of the State or by virtue of a legal obligation.
- They derive from a contractual, scientific or professional relationship of the data owner and are necessary for its development or compliance.
Point 2. Location data is defined as information collected by a network or service about where the user's phone or other device is or was located. For example, it would be possible to track the location of a mobile phone from the data collected by base stations on a mobile phone network.
Point 3. Location data can be inferred by GPS (global positioning system), cell towers (mobile phone operators), Wi-Fi networks, Bluetooth or a combination of signals.
Point 4. These data may be held by:
- Telecommunications service providers (they provide a central service to have a connection).
- Internet service providers.
- Value-added services, such as applications downloaded by the user, who consents to the processing of traffic data or location data.
Point 5. State bodies will be authorized to carry out the monitoring as long as they do it within the scope of their specific competence. Said competence must be interpreted strictly and not broadly. When they do not have this authorization, monitoring must be based on another alternative legal basis, such as consent.
Point 6. For the transfer of data referring to the location of a person and/or their movements between public bodies, the consent of the owner of the data is not required to the extent that the transferor has obtained the data in the exercise of their functions, the assignee uses the data for a purpose that is within the framework of its competence and, finally, the data involved are adequate and do not exceed the limit of what is necessary in relation to this latter purpose (Criterion 5 of Resolution No. 4/2019 of the AAIP).
Point 7. Those responsible for the processing of personal data may carry out monitoring activities if the data is dissociated, in which case the LPDP is not applicable because the dissociated data is not personal data. The location data will be considered dissociated when the procedure that must be applied to achieve identification with a person requires the application of disproportionate or unviable measures or deadlines (Criterion 3 of Resolution No. 4/2019 of the AAIP).
Point 8. When monitoring is authorized by the consent of the data owner, the person responsible for the processing of personal data must give the owner the opportunity to revoke it at any time.
Point 9. To monitor or follow the geolocation of a person, those responsible for the processing of personal data must at all times respect the principle of data quality, provided for in Article 4 of the LPDP. This implies that:
- The personal data collected for the purposes of its treatment must be true, adequate, pertinent and not excessive in relation to the scope and purpose for which it was obtained. In the specific case of geolocation monitoring or tracking, this should be limited to purposes associated with mitigating the effects of the COVID-19 coronavirus and should not arbitrarily interfere with the privacy of the person being monitored.
- The data collection cannot be done by unfair, fraudulent means or contrary to the provisions of the LPDP. Monitoring should be done in the open, informing the population.
- The data subject to monitoring cannot be used for purposes other than or incompatible with those that motivated its collection. Monitoring cannot be extended to other purposes that are not related to mitigating the effects of the coronavirus COVID-19.
- The data must be accurate and updated if necessary. It is essential that the tool is accurate and that it does not give rise to errors that could generate a negative effect or harm a right of the owner of the data.
- The data that is totally or partially inaccurate, or that is incomplete, must be deleted and replaced, or where appropriate completed, by the person in charge of the file or database when the inaccuracy or incomplete nature of the information is known.
- The data must be stored in a way that allows the exercise of the rights of access, rectification and deletion of personal data contemplated in Articles 14 and 16 of the LPDP.
- The data must be destroyed when they are no longer necessary or relevant to the purposes for which they were collected. When monitoring has been revoked by the data owner or when its purpose has been fulfilled, for example, because the coronavirus COVID-19 pandemic has concluded, the data should be deleted. The storage must allow the personal data to be identifiable to facilitate its subsequent deletion.
Point 10. The person responsible must also comply with the principle of information provided in Article 6 of the LPDP. This means that they must clarify how and why they track people, where the information is stored, with whom that data is shared, the consequences of the treatment and the possibility that the owner of the data has to exercise the rights of access, rectification or deletion.
Point 11. Likewise, the data must be stored so that the principles of security and confidentiality provided in Articles 9 and 10 of the LPDP are complied with. For these purposes, it is recommended to adopt the security measures recommended in Resolution No. 47/2018 of the AAIP.
Point 12. Given that monitoring the location and/or movements of a person has the potential to affect both the privacy and other rights of the data owners, it is recommended that the person responsible for the processing of personal data carry out an impact evaluation prior to the implementation of the tool, in order to control and mitigate its risks, as well as assess its viability. Said impact evaluation may be carried out in accordance with the Data Protection Impact Evaluation Guide prepared by the Agency in collaboration with the Personal Data Regulatory and Control Unit of the Eastern Republic of Uruguay.
Likewise, the AAIP stresses that (i) anyone who considers that their privacy or personal data are being affected can make a complaint to that agency and that (ii) public and private institutions can submit inquiries to it about the scope of the LPDP.