This article looks at general considerations for GISc practitioners around privacy and copyright, and aims to raise awareness of policies and regulations governing spatial technologies with reference to global examples and an emphasis on South African applications.
In “Geo-spatial data accuracy and its legal implications in the Malaysian context” Awang, Ariff and Nordin highlight the duty of care that rests on the GISc practitioner based on the legal principle of liability as a harm-based concept. The authors emphasise that “the responsibility of due diligence to those who may be affected by a lack of care, the reliance on information to one’s detriment, and the subsequent injury, damage and loss that occurs, are established legal standards”.
These same legal principles apply in South Africa.
While data custodians have been getting to grips with the requirements of the Spatial Data Infrastructure (SDI) Act, the importance of understanding the legal implications of data custodianship was highlighted in late 2017 when the biggest data breach in South African history saw over 30-million personal records leaked due to poor management of personal information.
The Jigsaw Holdings scandal highlighted the need for data protection in an environment that has, to date, been run like the wild west. The personal information was contained in a single database, unencrypted, with virtually no security measures in place to protect it from being accessed. Poor information control and a lack of security awareness, as in this case, serve to justify the introduction of the Protection of Personal Information (POPI) Act. Despite the implications of the POPI Act, its understanding and implementation will make everyone better GISc practitioners.
The act gives effect to the right to privacy provided for in Section 14 of the Constitution, regulating the processing, collection, storage and disclosure of confidential information within justifiable limitations.
This counter-balances the right to access to information (Section 32 of the Constitution), whereby everyone has the right of access to any public information held by the state or another person that is required to exercise or protect any other rights. The Promotion of Access to Information Act (PAIA) gives effect to this right and furthermore provides for reasonable measures to alleviate the administrative and financial burden on the state.
The POPI Act is expected to come into full effect in 2019/20, and to date the parts of the act in force are those that establish the office of the Information Regulator (section 39) and the Enforcement Committee (section 50). While 2019/20 may seem a long way away, it is important to be aware of key aspects of the act and factor these into planning and data management policies.
Despite the Information Regulator’s warning that organisations which have made no effort to comply will be treated harshly, there is a poor uptake especially amongst small and medium enterprises to date.
Another set of data protection regulations, the European Union’s General Data Protection Regulations (GDPR), already came into effect on 25 May this year. According to Gartner, more than 50% of affected organisations are not compliant. South African organisations doing business with EU organisations may already be obliged to comply with GDPR, and it is likely that elements of GDPR will be incorporated into our legislation over time.
POPI Act roles and responsibilities
Firstly, it is important to note that all organisations will be required to have a role of Information Officer registered with the Information Regulator. The person holding this title will be responsible for ensuring both POPI and PAIA compliance.
Other role players are:
The Responsible Party must maintain information prescribed in terms of all processing operations under its responsibilities and must secure the integrity and confidentiality of personal information. This includes risk assessment, technical measures and written contracts between the Responsible Party and any Operator confirming that the Operator establishes and maintains adequate security measures related to the personal information. Personal information must be accessed, stored and processed with permission from the Data Subject. Personal information includes name, age, gender, physical or mental health, medical/financial history, ID numbers, e-mail, address and phone numbers, personal opinions, views, personal and confidential correspondence.
The POPI Act is not applicable to the processing of anonymised information, which may be used for education or research without consent provided that it cannot be re-identified (i.e. truly anonymous).
Public interest may include state security, the prevention, detection and prosecution of offences, compliance with legal provisions, economic or financial interests of a public body, historical, statistical or research activity.
A Data Subject may, after providing proof of identity, request from the Responsible Party:
Should any corrections be made to personal information, the Responsible Party must inform every person to whom this information was disclosed if such personal information could have impacted on or might impact on decisions taken.
The Responsible Party may refuse PAIA information requested on grounds of protection of privacy or safety of a third party who is a natural person, protection of commercial, confidential or research information of a third party or protection of records privileged from production in legal proceedings.
How does all of this affect GISc? Let’s start with the classic definition of GIS: A geographic information system (GIS) is a system designed to capture, store, manipulate, analyse, manage, and present spatial or geographic data.
Data protection and privacy
Data capture
The data capture process involves both systems and people, but what constitutes personal data in the geospatial realm? One legal question is whether aerial imaging constitutes an invasion of privacy.
This assertion has been challenged in the United States, when Barbra Streisand took a company to court for capturing aerial photos which included her house. The court ruled that there is no reasonable expectation that one’s yard could not be viewed from the sky, and that the taking of an aerial photo is not highly offensive to a reasonable person. In response to the claim of invasion of privacy for public disclosure of private facts the court held that nothing recognised by the law as private was disclosed in the aerial photography.
In the context of government disclosure of personal matters, an individual’s right to privacy is violated if the person has a legitimate expectation of privacy and that privacy interest outweighs the public need for disclosure. Substantive legitimate expectation has not yet been adopted as part of South African law and our courts have only applied it in the procedural sense.
In another case, Kyllo v. United States, the court held that the use of a thermal-imaging device requires a warrant as the device is not in general public use, and the surveillance reveals information about the house that ordinarily only a physical search would reveal.
Data storage, management and manipulation
Today, we are faced with heightened risks associated with mobile working. Employees are often the weakest link in the information technology security chain and mobile working amplifies this. Gartner recommends utilising biometrics for authorising access to a system or data wherever possible. The increased threat of malware targeted at IoT (Internet-of-Things) devices is leading to a practice of storing data remotely as opposed to on mobile devices – i.e. from thin client towards zero client.
From a practical point of view, it is necessary to consider what personal information is being stored on mobile field worker devices, whether it is necessary to store this information on the device, how this information is protected in the event of theft, and security around logging into the device and the data capture interface on the device.
A further consideration is that the backup or cloud storage of personal information to an overseas-based cloud service, for example, could be seen as trans-border information flow. According to POPI, a Responsible Party may not transfer personal information about a person to a third party that is in a foreign country without the permission of the Data Subject and unless this operator is bound by an agreement that upholds the principles of the reasonable processing and protection of the information. This agreement must provide substantially similar conditions for the processing of information as exist in South Africa and must also include a provision that prevents any third party from transferring the information to another foreign country.
Even with the Data Subject’s permission to access personal information one still needs to operate within the terms of service under which that data is supplied.
Take for example the criticism Twitter faced over third-party companies’ use of its users’ massive stream of real-time data. One such third-party was Geofeedia, which marketed social media monitoring tools to police departments and authoritarian regimes. Their tools were able to draw on location and other data, pulled from Twitter and social networks like Facebook, to identify protestors and dissidents. Twitter has since cut off this unlimited access to companies, claiming that the use of Twitter’s Public APIs or data products to track or profile protesters and activists is not in line with its user and service agreement.
Data analyses
What about analytics, and in particular where personal information has been aggregated for statistical and planning purposes? Chapter 6 of the POPI Act states that such processing requires prior authorisation. The Responsible Party must obtain authorisation from the Regulator prior to any processing if the Responsible Party plans to process any unique identifiers of Data Subjects for a purpose other than the one for which the identifier was specifically intended at collection and with the aim of linking the information with information processed by other Responsible Parties.
That said, special authorisation may be granted by the Information Regulator to insurance companies, medical aids or organisations where processing of personal information is in the public interest and the clear benefit of such processing outweighs interference with privacy to a substantial degree.
Data aggregation, however, is not synonymous with anonymity. Fitness app Strava is an excellent example of this. The app allows its users who run, walk or swim to track and compare with one another their training activities on specific routes. In 2017 Strava published this data, over three trillion GPS points, on a web map to illustrate the coverage of its user base. Unfortunately, the users of Strava in Afghanistan are almost exclusively foreign nationals and the web map served to clearly highlight the locations and detailed movements of military forces and the locations of secret military bases.
Copyright issues
Besides legal implications of data privacy and data protections, there are also copyright issues that GISc practitioners should be aware of.
Sometimes the presentation of spatial data may violate copyright in unexpected ways, as has been the case when the Visual Copyright Society of Sweden successfully sued Wikimedia Sweden for publishing a Sweden Art Map which they claimed provided free access to a database of photographs of artworks without the artists’ consent. The society won the case even though these sculptures were displayed in public spaces, since the law gives the copyright owner the right to decide where their work is published.
It is worth noting that according to the law it is not enough to give credit to the author. If you do not have consent from the owner you should not publish their work. Maps should be treated like any other intellectual property. As a general rule, you cannot publish a map or an image which you do not own or for which you do not have the owners’ permission, unless the image or map is covered by something like a Creative Commons license such as that of OpenStreetMap.
There is a general exception from copyrights law called fair dealing. Under fair dealing, the use of maps, images, text, and other works that would otherwise be protected by copyright law may be used without the author’s permission in some instances. The South African fair dealing clause only applies to a narrow list of purposes, including research or private study, personal or private use, criticism or review or reporting current events.
A simple test of fair use is to ask whether the use would deprive the author of revenue by substituting the work in the market. A good example would be the copy of a textbook for distribution to students at a university. This would not constitute fair dealing as it deprives the author of revenue by substituting his work in the market, even though it will be used for educational, study or research purposes. The use of small excerpts from said book to illustrate a point in a research paper or assignment would most likely be considered fair use.
Workflow considerations
Copyright infringements might not be new, but should you make use of personal information in your workflows it might help to consider the following to comply with data protection regulations:
The POPI Act has potentially significant implications, including up to ten years’ imprisonment for transgressors. However, if the application of these principles leads to more professional and considered use of personal information then it can only be a good thing.
The author will be presenting on “Geospatial Law and Policy – The Global Perspective” at AfricaGEO 2018.
Contact Adrian Roos, Hexagon Geospatial, adrian.roos@hexagon.com