The growth in the amount of data used and created by ITS and the increasing depth and coverage of this data – often personalised and with reference to time and location – make privacy considerations increasingly important in ITS. The capabilities for collecting and storing personal data are very well developed. For example, when using public transport the use of an electronic ticket and the deployment of CCTV cameras at stations, stops and on vehicles gives access to data such as a person’s name, address, date of birth, gender, bank details, place of work and other places regularly visited. The data may be combined with the use of software that recognises faces, a way of walking or other types of movement such as running.
A driver of a private vehicle may have a similar level of detail recorded about themselves and their vehicle – such as driver licensing and insurance arrangements, the payment of vehicle taxes, fees and tolls , and monitoring of the vehicle for traffic management purposes, parking enforcement or tolling.
There are a number of definitions of privacy from that offered by Google to Article 12 of the UN Declaration on Human Rights (1948):
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
Sensitivity to privacy varies greatly between countries and cultures and this is one area of ITS where local knowledge of, and understanding what is acceptable and what is necessary is necessary for each deployment. For example, in the UK the prevalence of closed-circuit television (CCTV) surveillance in towns and cities, buses and trains, means that the average Londoner appears in camera shot 300 times a day – the figure below provides an example. Some people find this unacceptable; others accept that being observed and even actively monitored is a consequence of travel in this day and age. One person’s privacy can be another person’s danger. CCTV monitoring of motorways (See Network Monitoring) may be regarded as a loss of privacy for drivers, but if the operator spots a “ghost driver” travelling along a motorway in the wrong direction, it can save lives.
Camera technology provides the basis for many ITS application such as enforcement of traffic laws and electronic payment in tolling and ticketing. Vehicle licence plate recognition and facial recognition software depend on the capture of digital video images. Enforcement notices rely on camera images to identify the offending vehicle and – in some cases – the driver. A photograph of the whole front of the vehicle may remove any doubt about who was driving the vehicle at the time of the offence but in some countries this is considered an unacceptable intrusion.
One general principle is that privacy can be traded for benefits – such as correct fares or safety. The technology allows the traveller to be charged the right amount to use public transport, and may increase personal safety or ensure that traffic information provided is relevant. If the intrusion into the individual’s privacy is seen as benign and fair, public concerns are also lessened. For example, in the event of a serious road accident, eCall (the European Union’s collision notification system) automatically initiates a 112 emergency call from an in-vehicle device to the nearest emergency centre with details of the vehicle’s precise location. (See Driver Support)
Another principle concerns the storage of information. Digital images and other personalised data (for example details of a journey or a transaction) may be stored and held in a computer’s cache memory for the benefit of the police, road authority or transport operator – but the individual may not benefit from this directly. Good practice requires that data is made anonymous or reduced (by discarding the data elements not needed for a specific purpose) and eventually deleted (by setting a sensible deadline in terms of the purpose of use, after which the data will be destroyed).
The practice of making data anonymous may to help to allay suspicions about potential misuse and concerns about data security, criminality and identity theft. Payment transactions that involve details of credit card accounts are especially vulnerable. For instance, when a person passes through a ticket-operated barrier to use public transport it is not necessary for the operator to know the name of the user or their credit card details – only that the ticket is valid. Once this has been recorded, all personal data relating to the ticket holder can be discarded – retaining only data that is essential information for transport management purposes, such as trip origin, destination, fare paid and timing.
As camera and other sensing technology become more sophisticated, privacy will increasingly be at risk. Undertaking a proper impact assessment of privacy issues for each camera deployment can mitigate the risk. Any formal or informal assessment of risks to privacy must take account of national laws, regulations or codes of practice and factor in variables such as what may be acceptable to data subjects, what is socially desirable (for example for law enforcement or road safety) or commercially attractive such as a product loyalty card. Proper consideration of privacy issues must be based on reaching a consensus on the acceptable balance between loss of privacy and the achievement of objectives – such as seamless journeys.