Ireland’s Central Statistics Office (CSO) is proposing to track tourists in Ireland and Irish residents travelling abroad using mobile phone roaming data.
The CSO wants to get a better understanding of where tourists coming into Ireland travel outside of Dublin and what areas they are bypassing. This proposal also includes tracking Irish citizens abroad to understand where the Irish flock to on their holidays.
The proposal is based on the CSO using its powers under the Statistics Act to compel mobile phone companies to transfer on a monthly basis the details of phones or users roaming on their network, including the dates and times of their calls.
The Data Protection Commissioner Helen Dixon has told the CSO the project is “disproportionate” and there would be adverse consequences if tourists’ movements were being tracked while holidaying in Ireland.
According to the Irish Times officials from the Telecommunications and Internet Federation (TIF) representing mobile network providers held talks with the commissioner’s office and the CSO in recent years regarding the project. At present, however, mobile network operators are declining to comment on the project.
With the new EU General Data Protection Regulation (GDPR) coming into effect in less than a year, the commissioner has asked the CSO to carry out a privacy impact assessment to examine the potential risks of the project. Pádraig Dalton, the director of the CSO, has since signed off on the assessment and said that, after considering the merits and identifying all issues and concerns, he is satisfied that the project should proceed.
The GDPR is huge in scope, unifying data protection laws across the EU. Under the new regulation, organisations must carry out data protection impact assessments (DPIAs) for any new processing of personal data likely to create “high risks” to an individual’s privacy.
Do you have an ongoing project or any future projects that you need to assess? Failure to carry out an assessment may be in breach of the GDPR.
Learn from our experts how to carry out a robust and thorough DPIA with our five-day EU GDPR Foundation & Practitioner courses.