01 Mar TfL proposes tough data protection rules as GDPR comes into force
GDPR – the General Data Protection Regulation – is coming into force in the UK on the 25th May 2018 and all firms will need to make sure they are compliant.
GDPR is the most important piece of legislation covering data privacy in 20 years and any firm which collects or holds data will need to make sure it meets the new rules.
But it is not the only requirement which private hire companies may have to make sure they comply with: Transport for London wants all firms to specify who is accountable for passenger and driver safety and data – and they may still only get short term licenses.
Companies who want to operate in the capital will also have to ensure that crimes are reported quickly to the police – a clear swipe at controversial ride hailing firm Uber, which concealed a hack that affected 57 million customers and drivers back in 2016 and paid hackers £75,000 to delete the data without informing the authorities of the breach.
TfL has said it is rolling out the new changes in order for regulation to try to keep pace with technology, claiming there has been a surge in taxi-hailing firms and saying ride-sharing apps were of particular concern. However, critics have said that what has upset TfL is their lack of ability to monitor people and traffic flows.
“These trends have created challenges for transport authorities around the world, including how to apply existing licensing legislation, managing the impact of more vehicles moving around the city and ensuring a safe and secure service for all,” TfL said.
A policy statement released by TfL focused on increased safety and security, saying operators’ approaches to these factors will be “closely considered” when licensing decisions are being made. Safety was one of the primary reasons for the controversial decision by TfL to not reissue Uber’s PH operator license back in September of last year.
The body, which oversees transport for the whole of the Greater London area, also said that the rapid pace of technological change would mean that licenses are likely to be granted for shorter periods of time.
Uber has repeatedly come under fire for its attitude to safety with reports that they even continued to employ a driver accused of sexual assault and failed to report the incident to the police.
TfL will now require the firm to name a member of senior management accountable for safety and protection of personal data and set “clear policies and action for the prevention and reporting of offences”.
It also demanded that crime is reported to both the police and TfL “in a timely fashion to allow drivers who pose a risk to safety to be identified”.
There is also a more vague proposal that would ask firms to hold on to data for an unspecified time “to ensure that any patterns of behaviour are recognised”.
But in a move which could cause concern to firms’ compliance with GDPR, TfL has also used the new policy announcement as an opportunity to gain access to travel data.
Under GDPR rules, the collecting and sharing of data has to be accessible to the customers it is about and there has to be a method by which a firm can trace any data it has shipped to other organisations and demand it is either deleted or edited, depending on the request of the consumer.
“Operators should share data with TfL, so that travel patterns in London and the overall impact of the services can be understood,” TfL said in the document.
Monitoring movement of traffic and people in the capital is a crucial part of TfL’s work, and with the increasing number of journeys made by vehicles it doesn’t control, it would like to close that gap.
Failure to notify the authorities of a data breach can now result in a significant fine of up to 20 million euros or four per cent of turnover. In the UK it can also be combined with the Information Commissioner’s other corrective powers, making it essential that all firms have a robust breach-reporting process.
Fareed Baloch of zoom.taxi said, “If you collect data on your customers you will need to inform them what you are receiving, why you are keeping it, what you are going to do with it and with whom you will share it.”
“For private hire firms this could include travel information, regular pick up and collection points as well as contact information. A breach of a single piece of this data could result in a significant fine which small companies will find hard to afford.”
Mr Baloch added that an increased demand from local authorities put an extra compliance issue in place for companies.
“Customers can demand to have all information on them erased. Erasing data not only applies to the company contacted directly but to any third parties you’ve shared your data with. So if it has left your particular company you need to be able to access and delete this data or update the new data you have shipped elsewhere.”
All companies holding data need to provide the download of data as a minimum. Many people will, as with cookies, simply opt in. It will, however, make business more expensive for anyone collecting and holding data.
“Can you stop people getting data they shouldn’t share out of the organisation? And can you allow people to do their jobs and share the data they need to in a way that lets you prove said sharing is all above board and no malicious sharing or erroneous sharing is taking place?
“If you can answer yes to both you can have a reasonable shot at compliance.”