Information Commissioner's Office
Be wary of public Wi-Fi
Blog posted by: Simon Rice, Group Manager for Technology.
If you’re among the many who make use of free Wi-Fi services in our shops, hotels, train stations and airports, you may have noticed how different the sign-up process can be – ranging from just a simple click, to completing a lengthy form before you get online.
With so many organisations responsible for public Wi-Fi, and such widely differing requests for personal information, we decided to take a look at some of the Wi-Fi networks available on the UK high street. The results highlighted that while some networks did not request any personal data, others asked for varying amounts. In one case, this included a full name, postal and email address, mobile number, gender, as well as asking for a date of birth. Only the gender question was optional; the rest were mandatory.
The Wi-Fi networks that requested personal data generally also processed it for marketing purposes. Some provided users with the choice to receive electronic newsletters and updates, with either an opt-in or an opt-out tick box. Others offered no choice at all during the sign-up process – the only choice was to not use the service.
What does the law say?
The Data Protection Act (DPA) does not contain any obligation for Wi-Fi network providers to force users to register, or otherwise provide personal data in order to use a free service. In fact, the DPA states that personal data must only be collected for specified purposes, as well as being adequate, relevant and not excessive.
But of course these specified purposes can include direct marketing, which may result in the collection of personal data.
What should you do?
Once you connect to the right Wi-Fi network, be sure to take the time to read the information given by the provider. This should describe why they want your personal data.
It’s acceptable for a Wi-Fi provider to ask for an email address with the intention of sending you marketing material, but they need to be up front about this and, importantly, you need to agree to it.
You should only give out personal data which you are happy to share; if you are in any doubt… stop! One clear finding from our review was that there are many providers of Wi-Fi services, so you should choose the one you are most comfortable with. If you don’t want to give out your primary email address, it may be useful to create an alternative to use for these services.
You should be aware that there are other security risks with using the internet in a public place. All Wi-Fi providers reviewed operated in an ‘open’ mode, which means that the network does not encrypt traffic. There is a risk that anyone else connected to the same network can intercept your traffic. As a rule of thumb, look for ‘HTTPS’ or a padlock in your web browser, and think carefully before sharing information such as your bank details or passwords, especially if there is not a secure connection. If in doubt, wait until you get home.
Although not seen in this review, some networks can allow access if you log in with a social media account. Doing so will often require you to grant certain permissions to the operator, such as access to your profile or the ability to post messages on your feed.
What has the ICO done?
We have contacted the Wi-Fi network providers who were part of the review to let them know of improvements they would need to make in their practices and, if necessary, we can take enforcement action to remedy breaches of the DPA or PECR.
If you think an organisation is not providing you with enough information about how they process your information, or that the data they ask for is not relevant or is excessive, you can report your concerns on our website.