Car Crash TV: The Road Safety Authority, Crash Data, and Primetime

The Road Safety Authority has stopped sharing data about road traffic collisions with Local Authorities (who are responsible for the management of over 90% of the roads in Ireland). They stopped doing this, it is reported, because of GDPR compliance issues. Apparently 8 years worth of data about road traffic collisions is not available to Local Authority roads and traffic management planners. Because of GDPR concerns.

Apparently the LGMA (Local Government Management Agency, a ‘shared services’ body supporting all local authorities) decided in November 2023 that it’s legal advice meant that it couldn’t touch any road traffic collision data because “legal advice received was that local authorities would need to be placed on a higher statutory footing to receive it legally under GDPR” (source: RTÉ Prime Time). Apparently there has been a working party looking at this issue since 2022 and they still can’t work out the answer. But they are hoping the Data Protection Commission will tell them what to do sometime in the near future.

When I heard this, my immediate reaction was: “Bullshit”. My second reaction was: “This sounds like a Data Governance snafu, causing Data Protection confusion, resulting in a dearth of data to inform local authority actions on the safety of the roads, and possibly to avoidable deaths or injuries”.

Why is this bullshit?

According to the RSA they were advised that “that it should treat the pseudo-anonymised collision dataset as being personal data and, therefore, that GDPR principles should apply”. Let’s ignore for a moment the conflation of pseudonymised data (data that has identifiers altered to mask the real data but for which a mapping table exists that allows the data to be reidentified) and anonymised data (data that cannot be reidentified or contains no identifiers) and focus on the last part: that GDPR principles should apply. That means having a lawful basis, transparency, confidentiality, and above all, necessity and proportionality in what is processed/shared. It doesn’t mean you pull the plug and blame the law.

It’s worth noting that the Data Protection Commission issued a statement to RTÉ’s Primetime Investigates that was quite clear that “GDPR should not prevent the proportionate publication of crash location details, particularly where any personal data element is largely anonymised/limited in detail“.

That, in and of itself, is enough reason to conclude that the position that has been adopted is bullshit. However, mileage with the DPC’s analysis of issues can vary so it’s worth unpicking some key questions to determine the various factors that contribute to the rose growth promoting attributes of this policy position by the RSA and the LGMA.

1. Is data relating to Road Traffic Collisions Personal Data under GDPR?

This is the first key question that needs to be considered. The DPC’s statement hints at some elements that need to be factored in – specifically: what is the data that is being shared?

If the data that is being shared is data relating to the location of a road traffic collision, the time of day the collision occurred, the weather conditions or road conditions at the time, the number of vehicles, cyclists, pedestrians, or other road users involved, descriptions of nature of injuries or the number of deceased, it doesn’t meet the threshold of being personal data.

Why? Well, it isn’t possible to identify the people involved in the road traffic collision from that data. While it may be possible, hypothetically, for staff in a particular Local Authority to reidentify people from this data by applying ‘local knowledge’, that is an issue for the Local Authority as a Data Controller to address through appropriate controls and safeguards, such as a policy preventing staff from looking up the archive of the local paper to get the names of the people who were involved in a collision on a particular spot on the road.

If the data is anonymous in the hands of the RSA and as it is transferred to the LGMA and Local Authorities, there is no GDPR issue here. Also (and I hate to be grim here) if everyone died in the collision there is no personal data under GDPR – it only applies to the living.

1.1 The perils of small numbers

“But what about if there are low frequencies of road traffic collisions? Doesn’t that make it more likely that people could be singled out?”, you ask. To which I respond that that is indeed a risk, but it’s a risk that can be mitigated through STATISTICS and by designing the data reporting process appropriately with a view to the business need and objective of Local Authorities.

The objective is to improve road safety by identifying the roads where there are high frequencies of road traffic collisions of different sorts. That then enables Local Authorities to exercise their functions under Section 13 of the Roads Act 1993, which helpfully defines a “Road” as including anything related to the safety of the road as well as the road itself. Given that is the objective, Local Authorities (one assumes) are not interested in the singular incident but rather patterns of incidents over a time period.

So, the solution to the peril of small numbers and the risk of identification is to aggregate data over a time period and use clustering. Reporting “5 or fewer RTC” as a cluster, or aggregating the total number of collisions over a time period in terms of definable characteristics (e.g. location, estimated speed of vehicle, etc.) would all reduce the risk of data being disclosed which could be indirectly linked back to an identifiable person or persons.

1.2 Does GDPR even apply?

If we take the view that factual data about a road traffic collision that excludes from the data set any attribute that might directly identify any individual involved in the collision, and if Local Authorities have appropriate safeguards in place to discourage staff from snooping and relinking anonymised data back to identifiable people, then it’s hard to see how this data is personal data under GDPR.

Further statistical aggregation of data would still provide useful insights for Local Authorities but would provide an additional safeguard against singling individuals out in the dataset.

And even where a limited amount of personal data was to be shared which allowed for the identification of living individuals and therefore engaged GDPR, there would be no GDPR infringement if the amount and nature of that data was necessary and proportionate to the purpose for which it was being shared/processed.

2. But what if it is personal data? What would the lawful basis be for processing?

According to the RTÉ coverage of this story, the LGMA obtained legal advice that said that Local Authorities needed to be “placed on a higher statutory footing” in order to receive the data about road traffic collisions.

Some parts of this confuse me. Firstly, the role of the LGMA here seems to be both central and also confused. The LGMA was established in 2012 and it amalgamated several other pre-existing ‘shared services’ functions that support Local Authorities in Ireland. They describe their own function as follows:

“Simply put, we help local authorities to get things done.”

https://www.lgma.ie/en/

Except, it seems, when it comes to ensuring that Local Authority Engineers can get access to data necessary to help them make the roads safer.

But the LGMA describes themselves as “the help” and as a provider of professional services to 31 Local Authorities. And when we look at the underlying legislation, their functions look very much like they are providing services to entities that define the means and purposes of processing personal data rather than necessarily having a function to define the means and purposes of processing. In other words, they are a Data Processor, not a Data Controller. [Pro-tip for Data Controllers: don’t rely on legal advice from your processors – get your own advice/consulting support]

In respect of their role in handling any data from the RSA relating to road traffic collisions, they are acting on behalf of the local authorities, who are recognised in Section 4(4)(b) of the Road Safety Authority Act 2006 as being key entities that the RSA needs to engage with on matters of Road Safety, and who Section 13 of the Roads Act 1993 assigns statutory roles to in relation to the roads, which includes safety.

The LGMA’s role here is to process the data. I am unclear if it’s statutory role actually extends to defining the means and purposes of processing, when that is related to the statutory functions of the RSA and the Local Authorities. But by pulling down the shutters based on its legal advice, that’s the position it’s put itself in.

2.1 But what is the legal basis for processing (assuming there is personal data involved, which there probably isn’t)?

Section 13 of the Roads Act 1993 makes Local Authorities responsible for roads other than motorways (they’re the job of the Transport Infrastructure Ireland – who are able to get this data from the RSA with no problem it seems). The Roads Act 1993 defines “road” as including anything necessary for the safety, convenience, or amenity of road users. And knowing which parts of a road are dangerous under what conditions seems to be a thing that falls neatly into the scope of that definition without needing to bend physics.

Therefore, ensuring the safety of roads is a “task carried out in the public interest or in the exercise of official authority vested in” the Local Authority. Who are the Data Controller for that purpose if they look for data to inform their analysis of things that are dangerous in the road (and that only matters if there is personal data included in the dataset). Therefore there is a lawful basis under Article 6(1)(e) of GDPR to process personal data where it is necessary and proportionate for that purpose.

This is a key point that we need to consider, mainly because some Local Authorities tried to argue that CCTV systems were a necessary part of the road when trying to justify their use to the Data Protection Commission. However, when we consider that argument through a proportionality lens, monitoring and recording the movements of everyone past a camera is disproportionate without a very specific legal basis and safeguards. Having data about bad things that have actually happened to help figure out how to stop them happening again is not as disproportionate, particularly if we can take steps to remove or reduce the level of personal data that might need to be disclosed to achieve that objective. Remember: if there is no personal data involved, GDPR doesn’t apply!

Regarding whether the RSA has a legal basis for sharing data, that can be found in either Section 4(4)(b) of the Road Safety Act 2006 which establishes co-operation with Local Authorities on Road Safety as a function of the RSA. If we wanted to be very nitpicky, we could look to Section 8(1) of the 2006 Act which allows the Minister for Transport to direct any authority to compile and share information and statistics relating to road safety.

So far, no speedbumps arise on the existence of a legal basis as there seems to be grounding under Article 6(1)(e) of GDPR for both sides of the transfer of data, once the level of personal data that is disclosed is necessary and proportionate to the purpose. Which we’ve established may not need personal data at all.

What would be required, to supplement the general legal basis for sharing of data, would be well defined administrative controls governing the processing of data and dealing with how personal data, where it is encountered should be handled. And this would need to be made public.

2.2 The specificity of a basis for data sharing

Of course, one issue that might be argued is that there is no specific legal basis for the transfer of data from the RSA to a Local Authority. There are functions that arguably provide a basis for the processing of personal data (if it is transferred), but there is no explicit legislative measure that covers this specific type of transfer which might .

If only there was a piece of legislation that existed that created an arguable “umbrella” legal basis for sharing of data between Public Bodies, even where that data contains personal data? Well, kids, let me introduce you to the Data Sharing and Governance Act 2019. This kind of data sharing is exactly what the DSGA was pushed through by DPER to allow. It’s right there in the long title to the Act: “An Act to provide for the regulation of the sharing of information, including personal data, between public bodies;”

Requirements here? A DPIA, a Data Sharing Agreement, and a Public Consultation on the Sharing, followed by an approval by the Data Governance Board.

So.. no barrier. Just paperwork.

What have I missed?

It may be that there is some nuance I’ve missed here. After all, the LGMA, RSA, and Local Authorities have been battling with this for 2 years. I’ve just thought about it for a few hours.

But I doubt it.

What should be done now is that the RSA and LGMA should stop hiding behind the apron strings of the Data Protection Commission. They should publish their Data Protection Impact Assessment and the legal advice that started all this so that it can be considered. The best way to do that is if they were to publish it as part of the process of entering in to an approved data sharing agreement under the Data Sharing and Governance Act.

Or they should step back, look at the data that needs to be shared to help Local Authorities address road safety, exclude unnecessary personal data from that dataset and apply some policy safeguards to prevent reidentification of individuals from the data.

But what they really need to do is stop stalling and bullshitting and make a decision to share or not to share.

Hiding (incorrectly) behind the GDPR is moral cowardice in the face of a road safety calamity.