At their core, smart cities involve vast amounts of data and an intelligent network of connected devices transmitting this data. This creates big privacy challenges and risks.
Simply put, a smart city is described as a town, district or area which incorporates digital technology and data across all municipal functions in order to improve government services and enhance the way of life of its citizens.
Categories of data that a Smart City may collect are presented as follows:
Traffic data, waiting times, crowd management, smart cars, parking
Climate and weather, pollution, waste management
Citizens' civil information: census, elections, work
Education and health: school grades, absenteeism, number of doctor appointments/year, most common illnesses
Entertainment and consumption: shops, theaters, cinemas (most/least popular ones, time and money citizens spend)
Security and surveillance: CCTV, police data
The collection, usage and interconnection of this level of data is exactly why Smart Cities create big privacy challenges and risks, says Aphaia Partner Cristina Contero.
Presenting at the 8th International Conference on Fibre Optics in Access Networks (FOAN2019) in Sarajevo last week, Cristina highlighted two significant data privacy issues:
Identifying the legitimate basis to process data
While most of the data collected and used in smart cities will be aggregated data, Cristina says that there is a risk, higher in small cities, that individuals may be indirectly identified due to the sheer amount of data and the crossing of sources.
“How many citizens of 28 years, with a red car, who live next to this particular neighborhood, have two small children and are diabetic might there be in a city with 20.000 inhabitants? Maybe not as many as we could imagine,” she offered.
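The indirect-identification risk described above can be measured by counting how many people share each attribute combination as more sources are crossed (the k-anonymity of the joined data). The following Python is an added example, not part of the original article; the synthetic 20,000-person population and its attribute names are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed, synthetic population: attribute names and value ranges are
# assumptions for illustration, not data from the article.
COLOURS = ["red", "blue", "white", "black", "grey"]

def build_population(size=20000):
    """Spread `size` synthetic citizens evenly over the attribute space."""
    return [
        {
            "age": 18 + i % 60,
            "car_colour": COLOURS[(i // 60) % 5],
            "district": (i // 300) % 10,
            "children": (i // 3000) % 4,
            "diabetic": i % 13 == 0,
        }
        for i in range(size)
    ]

def class_sizes(records, attributes):
    """Count how many records share each combination of the given attributes."""
    return Counter(tuple(r[a] for a in attributes) for r in records)

def k_anonymity(records, attributes):
    """Smallest group size: every person hides among at least k records."""
    return min(class_sizes(records, attributes).values())

def unique_individuals(records, attributes):
    """Number of people whose attribute combination matches nobody else."""
    return sum(1 for n in class_sizes(records, attributes).values() if n == 1)

def crossing_report(records, attributes):
    """Add one attribute (one more crossed source) at a time and re-measure."""
    report = []
    for end in range(1, len(attributes) + 1):
        subset = attributes[:end]
        report.append((subset, k_anonymity(records, subset),
                       unique_individuals(records, subset)))
    return report

if __name__ == "__main__":
    people = build_population()
    order = ["age", "car_colour", "district", "children", "diabetic"]
    for subset, k, unique in crossing_report(people, order):
        print(f"{len(subset)} attribute(s): k={k}, unique people={unique}")
```

A result of k=1 means at least one person is singled out by that combination, even though no name or ID number was ever collected.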
Because of this risk of indirect identification, compliance with the GDPR’s requirement for a lawful basis is essential when setting up Smart Cities.
According to the GDPR, there are six lawful bases:
(a) Consent.
(b) Performance of a contract.
(c) Legal obligation.
(d) Vital interests.
(e) Public interest.
(f) Legitimate interest.
According to Cristina, it is most likely that a government’s legitimate basis regarding the set up of a smart city will fall under public interest.
“Public interest can apply either when:
Cristina also explained that in order to rely on public interest the Government has to previously:
Large amounts of data, multiple stakeholders, and the gathering/sharing of data in real time are all sources of privacy risk in Smart Cities.
To this end, it is imperative that the economic resources to prevent or address security breaches are identified and secured even before a smart city is developed, says Cristina.
“Setting up an insecure Smart City structure will be much more costly in the long term than doing it properly from the very beginning. And if you do not have the resources to do it at the beginning, then do not do it.”
In keeping with the GDPR, Governments will also have to implement technical and organizational measures to ensure a level of security appropriate to the risks.
Meanwhile, Cristina offered that the adoption of a three-layered security approach can go a long way in further helping Smart Cities secure their networks and prevent/minimize security breaches such as hacking.
“Helpful security models include a layered approach, which features a system where all smart network devices have a unique identifying number and they operate within three layers of security:
✓ data protection application for the server (to identify malicious content);
✓ data scrutiny layer (as a firewall to protect servers); and
✓ secure smart software for devices (to prevent malicious software from being installed on the devices).”