Mayor launches London Privacy Register for smart city information

The Mayor of London has launched a trial of the London Privacy Register, which aims to provide greater openness around the use of smart city technologies throughout the capital’s public spaces.

According to the Mayor’s Office, the adoption of smart city technologies in public spaces – including networks of sensors, cameras, drones, robotics, mobility services, augmented reality, and algorithmic decision-making – is expected to increase massively over the coming decade as capability grows, costs lower and even more use cases are developed.

In anticipation of their increasing take-up, the Privacy Register is intended to improve public transparency around the use of these technologies by acting as a central catalogue of data protection impact assessments (DPIAs) for smart city projects that collect people’s personal information as they navigate public spaces.

As part of the effort to improve transparency around publicly deployed technology, the Mayor’s Office has also placed a fresh mandate on the Greater London Authority (GLA) Group to publish their DPIAs in the Privacy Register as their projects go live.

The Privacy Register already contains a number of DPIAs, including for the Met Police’s use of both live and retrospective facial-recognition technology; Wi-Fi data collection on the London Underground; the processing of personal data in Transport for London’s (TfL) GO app; and the use of automatic number plate recognition (ANPR) under London’s ultra-low emissions zone (ULEZ).

Londoners are also able to request the publication of DPIAs for smart city tech operating in the public realm, which will trigger a communication from the chief digital officer (CDO) for London to the organisation responsible asking it for a DPIA publication or its reasons for refusal.

“By starting to publish these data protection impact assessments we bring transparency to a rapidly growing area,” said London CDO Theo Blackwell. “Over the next decade, there will be an increase in the use of sensors, upgrades to camera networks, drones and other uses. While some data protection assessments are already published at launch, others are not, so we’ll gather these documents in one place as open data.”

Under UK data protection law, organisations are obliged to conduct DPIAs when their projects are likely to result in a high risk to people’s privacy, and are further required to provide privacy notices about why personal information is being collected, for what purpose, where it’s being stored, and for how long.

However, as it stands, the only way of accessing DPIAs and making them public in practice is generally through the use of freedom of information (FOI) requests after a system has been already been deployed.

Although the open publication of DPIAs is encouraged by the UK’s data regulator, there is no legal requirement to make the documents publicly available.

The Information Commissioner’s Office (ICO) DPIA guidance states: “Although publishing a DPIA is not a requirement of UK GDPR, you should actively consider the benefits of publication. As well as demonstrating compliance, publication can help engender trust and confidence. We would therefore recommend that you publish your DPIAs, where possible, removing sensitive details if necessary.”

The Privacy Register forms part of the Mayor’s Emerging Technology Charter for London, which was first created in July 2020 to provide a set of practical and ethical guidelines for the deployment of new technologies in public spaces; and the Public London Charter, which sets out the rights and responsibilities of the users, owners and managers of new public spaces.

Built around four principles of openness, respecting diversity, being trustworthy with people’s data, and sustainability, the Technology Charter also aims to create common expectations for how buyers and makers can innovate successfully; give Londoners and their elected representatives a clear framework to ask questions about the technologies being deployed in London; and improve transparency around the products and services that data protection law considers a high risk to privacy.

While the Privacy Register is only the first public iteration of the service, it is expected to change over time following feedback from users, with plans already on the books to expand its scope through the on-boarding of local authorities, private landowners and others in the coming months.

In a digital policy manifesto published in March 2024 ahead of the UK general election, the Open Data Institute suggested reforming data protection law in ways that build public trust, including by requiring the open publishing of DPIAs. It also called for reforms to the DPIA process itself, so there is a proactive review of dataset harms to different communities and demographics.