Most ITS implementations generate, use and store quantities of data which are enormous by the standards of even only ten years ago. Much of this data is highly personalised and very sensitive. Many countries recognise, in law, the right of individual citizens not to be excessively surveyed, monitored, recognised, and recorded.
Legislation to regulate data is cast to cover a variety of scenarios. It applies to drivers and passengers just as it does in other areas of life – such as voters and bank customers. Those handling ITS data (traffic control centre operators, electronic payment back-office operations, information service providers, for instance) will be subject to the regulations in place in their countries. Data collected and processed in a control room for instance, must be kept secure from unauthorised access and misuse. The principles behind data regulation should apply easily across sectors. ITS practitioners should bear in mind that digital camera images (such as images captured for traffic or payment enforcement) are classified as data.
ITS practitioners processing data should have access to simple and clear codes of practice, drawn up by their employing organisations on the basis of advice from those with suitable legal expertise. These codes should ensure that national legislation is followed but also add a layer of good practice relating specifically related to ITS. Training and monitoring of staff is essential to ensure that any code of practice is understood and adhered to. It should form part of the management culture of all ITS workplaces where data is processed or stored.
One reason why people distrust the collection of data by – by and for – ITS systems is the suspicion that the principles of personal data protection are overlooked or deliberately ignored. For example, if a request is made by the police or security agencies for access to personal data on journeys and locations, will the ITS data owner provide it? Are there requirements in place that govern how police and security requests are handled?
There have been examples where location data from an ITS source has been used as evidence in civil and criminal proceedings to prove that a defendant was present at a specific location and at a specific time. There are also cases where the defence has challenged the legality of the data capture, its accuracy and even its use. If the data is inaccurate, should have been destroyed or made anonymous under data regulation legislation, it may be ruled as inadmissible.
The best way of keeping personal data secure is not to expose it to the risk of theft or misuse – by minimising and making it anonymous it wherever possible. Where sensitive data has to be kept, it is essential to ensure it is stored and handled in compliance with legal requirements and good practice.
There will almost certainly be national legislation affecting how personal data should be stored and kept safe. Complying with legislation alone though, is not likely to optimise data security. Expert advice should be sought from specialists or by retaining expert capability in-house. While external, malicious attacks from hackers aimed at financial gain or disruption are often seen as the most likely security risk, organisations should also be aware of the possibility of attacks from staff who may, for some reason, misuse or misappropriate data to which they legitimately have access at work. There are also potential risks from staff who are incompetent, unlucky, or badly supervised, and who can do as much damage as an external hacker without intending to.
Data security threats evolve and renew daily. The security regime in place must be designed to recognise this so that the defensive measures keep pace with threats.
Good practice in ITS data security can be summed up as: