Sept/Oct 2004

Vehicle tracking systems may be good news for fleet managers and telematics companies alike - but could such systems lead users or suppliers into conflict with privacy and data collection laws? It's an issue that remains unresolved, says Robin Meczes

Vehicle telematics technology makes almost irresistible commercial sense, and it's hardly surprising that the use of such systems is growing rapidly in the UK. But the ability to monitor and collect data on vehicle activity inevitably means monitoring and collecting data on driver activity, too, and here the technology can conceivably bring employers and service providers into conflict with both the privacy requirements of the Human Rights Act and the Data Protection Act.

The Human Rights Act gives people a basic right to privacy, and although it is widely accepted that privacy at work is inevitably going to be compromised to some extent, the presence of an active tracking system outside normal working hours on a company vehicle being used privately by an employee - or a member of their family - could be regarded as a breach of human rights.

The kind of data collection and distribution inevitably involved in vehicle tracking, meanwhile, could also bring employers and those hosting the data into conflict with the Data Protection Act, depending on what data is collected, how it is stored and used and how it is shared.

 

The potential for finding yourself on the wrong side of these laws was the subject of a strongly-worded warning by Birmingham-based solicitor David Faithful of Amery-Parkes in late 2002, but although there has been a lot of discussion since, little has been resolved.

In particular, Faithful's plea to telematics service providers to put together a voluntary code of practice on what data is collected by telematics systems and how it is collected and stored has gone largely unheeded. "It fell on very deaf ears," he says. "I think some of the big suppliers are alive to the issues, but simply skip around them when they're selling. All they want to know is: how many do you want?"

The issues have also remained untested in law, adds Faithful - though there have been a number of disputes about privacy based on employment contracts, where telematics data has been used to dismiss or discipline employees. "Often, this comes down to what's in the contract. Do drivers know the system is there? Has it been specifically pointed out to them that they will be monitored and could be disciplined on the basis of it?" he says.

Although no cases have yet gone to tribunal, Faithful's advice to employers is still to be extremely careful. "For God's sake review your employment contracts, and make sure you have the right to use the technology and your employees know it may be used for disciplinary or grievance procedures."

His plea to telematics system providers is equally emphatic. "Providers need to sit down around a table and agree what data should be collected and what are the no-go areas. For now, there is still no guidance on what data can be collected, how long it's kept for or how it's stored."

The whole debate about telematics versus privacy has been re-ignited by a recent US court case involving Acme Rent-A-Car against James Turner. Turner sued the firm for illegal trading practices and invasion of privacy after it used a tracking system on a rental car to detect a number of speeding offences, and then withdrew $450 automatically from his credit card. Although Turner had signed a rental agreement in which both the use of a tracking system and this penalty policy were outlined, he said he had not noticed this condition and it was not highlighted to him.

A jury recently found Acme's business dealings to be deceptive and Turner has been awarded punitive damages. However, the privacy issues remained largely unaddressed after an argument by Acme's lawyer that tracking systems were no more intrusive than smoke detectors in hotel rooms.

"The recent US case was very interesting because it was almost entirely conducted on contractual grounds, rather than privacy or data protection," comments Elle Todd, a solicitor at Olswang. "But the lesson is that all companies should think carefully when entering into a contract with consumers. Particular care is needed to bring potentially onerous provisions in the contract to the customer's attention before they sign it."

In employment situations, it's important for employers to be able to show due diligence, she adds - "for example, showing you have done an assessment up-front in terms of checking the Information Commissioner's guidelines; and if you change the way you use the data or your internal structures, incorporating that. It's about bringing it to the individual's attention and ensuring they know about it - how it's being used and who it's going to be disclosed to."

She, too, warns that suppliers of telematics systems also need to pay more attention to what they're doing. "Suppliers need to forget about the fact that the law probably won't bite them directly and learn about the law, so when they are selling a product they can write appropriate limits of liability into the contract," she suggests.

Phil Jones, assistant commissioner at the Information Commissioner's office, stresses that it's not unreasonable for firms to want to track their vehicles, and that where employees use their vehicles privately - service engineers' vans or company cars, for example - employers need to do three things: be transparent and up-front with the workforce about the use of the technology; ensure the data collected is appropriate and appropriately used; and provide an easy mechanism for turning off the tracking so that private usage remains private.

Even then, there are situations in which it might still be reasonable to monitor employees during non-working hours, says Jones - for example, if engineers were being paid for emergency call-outs at weekends and an employer wanted to see which engineer to send to an emergency based on their proximity to it.

Unfortunately, the Information Commissioner's recommendations are only recommendations, and to take just one point - the issue of being able to "switch off" a tracking system - many products currently in the marketplace simply do not comply.

Cybit director of operations Steve Towe, for example, confirms that his company's system has no such switch. "We don't have a switch but there is a mechanism for privacy at the server end where you can define certain hours - say 5.30pm through to 8am - and stipulate that data shouldn't appear then," he says. The data is still collected however, admits Towe.

It's very important, he suggests, for firms to understand their role from the data protection point of view. "If companies who employ the technology are sensible in their approach and plan it and have a consultation process with drivers, so they know what the equipment is and what it's used for, then it should be possible to implement it within the laws," he suggests.

Until all the issues are tested in court, however, it seems nobody really knows for sure just where those legal limits really lie.