BLOG: Don’t forget about the data
With the UK starting to head towards the new abnormal and travel resuming, many industry voices, including Heathrow and Gatwick airports, are calling for measures, such as COVID-19 testing, to encourage the reinvigoration of international tourism.
Questions are, however, being raised around the benefits and drawbacks of collecting and processing large quantities of sensitive data.
Biometric technologies such as facial, iris and fingerprint recognition have been in use at many airports for some time to enhance passenger experience by reducing queues and speeding up journeys, as well as for security reasons.
Testing for body temperature is, however, still uncommon, except perhaps in airports in Asia which have previously been affected by SARS and bird flu outbreaks. With mounting cross-industry efforts to tackle COVID-19, recording temperature data may seem like an effective and simple solution for airports.
Whether carrying out temperature checks with laser thermometers, or using more advanced thermal imaging, the data gained can help identify those with COVID-19, reassuring passengers about the safety of their journey and potentially helping them avoid the need to quarantine.
The absence to date of health testing at airports in Europe can at least in part be explained by the stricter privacy laws which apply to such data. Both biometric and health data are deeply personal and give rise to particular privacy law issues in the UK and the EU, since the General Data Protection Regulation (GDPR) classifies this type of data as ‘special category’.
This means that additional conditions need to be satisfied before processing such data is lawful, and the law also requires that particular care must be taken with its storage, handling, use and disposal.
If breaches occur, airports may face much steeper fines from regulators than they would if they mishandled just names and emails, as well as class actions from affected travellers, serious reputational harm and loss of trust.
Before airports consider implementing temperature testing, the GDPR requires them to carry out a data protection impact assessment, so that they can document the privacy risks identified and the mitigations which can be put in place to minimise the risks.
By asking itself a series of questions, the airport needs to demonstrate that the testing is a necessary and proportionate way of achieving its specific objectives.
The assessment will analyse whether the objectives could be achieved in a less intrusive way, whether the data will only be used for the identified purposes and whether passengers can be kept informed about the way their data will be used, stored and deleted.
Airports also need to ask themselves whether they could trace travellers without identifying them, for example from other information, such as images from CCTV.
Some data types, like temperature, could be misleading if used without other measures. A raised temperature is one of the many symptoms of COVID-19, but it is far from the only one. There is no guarantee that someone with a temperature higher than normal has the virus, so airports need to consider if they really need to collect and process this type of data in the first instance, as well as how helpful it will ultimately be.
Most importantly, the airport needs to ensure that it has a lawful basis under the GDPR for collecting the data and also that it satisfies the extra conditions which apply to health data. It may be able to show that the testing is in the legitimate interests of the airport and the passenger and that it is being carried out in the least intrusive way possible. It will, however, be much more difficult for the airport to satisfy one of the required extra conditions.
Obtaining the explicit, fully informed consent of every passenger being tested will be logistically difficult. For example, what if a passenger refuses, or withdraws consent after giving it? Also, is the consent really freely given if the passenger has no alternative if they want to continue with their journey?
Approaches that ensure this is the case include giving employees a script to read to passengers covering all the required details or displaying clear messaging throughout the airport. The main details that passengers must know are why the data is being taken, how it will be stored, who it will be shared with, and when it will be disposed of.
An alternative to obtaining consent is to show that the testing is necessary on grounds of public interest in the field of health, which will not be easy. The logistical difficulties will also not be straightforward to overcome.
For the public interest condition to be satisfied, the testing must be carried out under the supervision of a health professional and it is unclear what would happen to passengers who have an elevated temperature. Any disruptions or causes of delay will have knock-on effects.
Airports also need to bear in mind national differences in the way the laws around health testing have been implemented. The GDPR allows each member state to specify additional conditions before it can occur, so airports can’t assume that what is possible in one country is allowed in another.
Airports are complex environments and the fact that temperature testing is rare so far in Europe is surely evidence that airports are not finding it easy to overcome the legal and logistical difficulties involved.
In practice it seems likely that testing at airports will only become widespread when national governments decide to make it compulsory, removing the current legal hurdles airports face and ensuring that any resulting delays and disruptions cannot be laid at their door.
• Kim Walker is a partner and data protection specialist at law firm Shakespeare Martineau in the UK.