Legal, Technical & Spatial Considerations

We have combined the Technical, Legal, and Spatial aspects of the OSCM toolkit in one STEP 3 as they are so closely interrelated. All these three elements need to work together and in parallel guided by an ethical framework to effectively address social values and privacy by design principles to insure digital rights.

LEGAL

LEGAL COMPLIANCE – Based on technical and spatial decisions guided by Privacy by Design, you will need to double-check your choices against laws and regulations. There are several laws, regulations, procedures, and documents you should be familiar with in the Legal Resource Library. BUT FIRST – we recommend that you take a look at the ETHICAL FRAMEWORK.

See Legal

TECHNICAL

TECHNOLOGY, HARDWARE, AND SOFTWARE – Technical choices need to be made to help you achieve the goals of your crowd monitoring project. This step is not just about what sensors or devices you use but also how you use them responsibly. There are many complex considerations that begin with taking a close look at the different technologies available and their DEGREES OF INVASIVENESS.

See Technical

SPATIAL

SPACES, INSTALLATION, AND SET UP – After all the preparation, planning, and choices have been made, it is time start the physical installation. You need to know that everything is set up properly to get good data and achieve your goals. Successful installations of crowd monitoring projects are complex and different with each location, so we created the SPATIAL CONSIDERATIONS MAP to help get you started.

See Spatial

3.0.1 – Dilemma Diagram

The Legal, Technical, and Spatial aspects of crowd monitoring projects are all interrelated and all require serious ethical considerations. In order to better understand this complexity, we have visualized these interrelations in a Venn diagram that places Ethics at the center.

3.0.2 – Applying an Ethical Framework

At this point, it is important to take a step back to get an overview of the ethical considerations involved to effectively address the social values involved in your crowd monitoring project and apply a methodology to measure strengths and weaknesses with key stakeholders.

TIP –> roll over icons for more information

Inclusive

Our digital city is inclusive. We take into account the differencesbetween individuals and groups, without losing sight of equality.

Control

Data and technology should contribute to the freedom of citizens. Data are meant to serve the people. To be used as seen fit by people to benefit their lives,
to gather information, develop knowledge and find room to organisethemselves. People stay in control over their data.

Tailored To The People

Data and technology should contribute to the freedom of citizens. Data are meant to serve the people. To be used as seen fit by people to benefit their lives,
to gather information, develop knowledge and find room to organisethemselves. People stay in control over their data.

Open and Transparent

What types of data are collected? For what purpose? And what are the outcomes and results? We are transparent about this.

Legitimate and Monitored

Citizens and users have control over the design of our digital city. The government, civil society organizations and companies facilitate this. They monitor the development and the social consequences.

From Everyone For Everyone

Data that the city, companies and other organizations generate from the city are held in common. Everyone can use them. Everyone can benefit from them. Together we make agreements about this.

3.0.3 – Measuring Ethical Principles

We suggest that at this stage you hold an ethics workshop to apply a methodology to measure ethical principles related to the Legal, Technical, and Spatial considerations of your project. In Amsterdam we have used the TADA principles and workshop with success, consider using this format or source a data ethics workshop in your city.

3.1.1 – Legal Compliance

In Europe, GDPR compliance guided by Privacy by Design principles are where to begin when you start gathering and understanding all the information you need to start a legally responsible crowd monitoring project.

General Data Protection Regulation (GDPR)
(AVG – Algemene Verordening Gegevensbescherming)

The GDPR is the umbrella reference for all EU member states regarding regulations for any organization that targets or collects data related to people. It’s very important to comply with the new EU law for data privacy in every way as the fines for violations can be very heavy.  It’s complicated, but The Guide to GDPR Compliance is a good place to get familiar with regulations that you need to consider in the beginning phases of your OSCM camera vision project.

IMPORTANT: In order to make sure you are GDPR compliant you should complete the GDPR Compliance Checklist https://gdpr.eu/checklist/

Other Useful Links: https://gdpr.eu (English) and how-to-make-your-business-gdpr-compliant (English), privacy-en-persoonsgegeven (Dutch)

3.1.2 – Privacy By Design

The privacy by design framework is an engineering design approach which calls for privacy to be taken into account throughout the whole engineering process. The concept is an example of value sensitive design, i.e., to take human values into account in a well-defined manner throughout the whole process.  In general it is a seven step process framework to guide the design process. 

More Specifically, Privacy by Design is a key regulation in the GDPR as described in Article 25: Data Protection by Design and by Default.

For general information about Privacy by Design as a framework visit: https://en.wikipedia.org/wiki/Privacy_by_design

For specific information about Privacy by Design as a regulation in the GDPR visit:
https://gdpr-info.eu/art-25-gdpr/

Procurement Law (Aanbestedingwet)

This is a good place to start with any project.  We need to make sure that local and regional procurement practices are being followed in such a way that we can create real impact, innovate and level the playing field.  You should be aware of exceptions when there are not competitive vendors for a novel solution and/or the innovation is involved with stimulating the startup ecosystem, for instance.  The tendering process differs based on city, country and region. 

LINKS:

EU 

About writing a GDPR compliant privacy notice (template included): https://gdpr.eu/privacy-notice/ 

Dutch 

https://business.gov.nl/regulation/protection-personal-data/?gclid=EAIaIQobChMIkaiqlsGn6wIVjrd3Ch3giAPPEAAYBCAAEgLeW_D_BwE

Amsterdam 

https://www.amsterdam.nl/privacy/specifieke/privacyverklaring-parkeren-verkeer-bouw/verkeersmanagement/

For example here in Amsterdam,  if the budget is over 50k for instance, the call must be nationally competitive and published on Tenderned.nl  and if the budget is over  211k has to become an EU tender. 

Data Protection Impact Assessment

The DPIA process aims at providing assurance that controllers adequately address privacy and data protection risks of ‘risky’ processing operations. By providing a structured way of thinking about the risks to data subjects and how to mitigate them, DPIAs help organisations to comply with the requirement of ‘data protection by design’ where it is needed the most, i.e. for ‘risky’ processing operations.  (text copied from EDPS website) 

LINKS:

  • Guidelines for determining if data processing is likely to result in  “high risk” in which case registration and/or application with the EDPR  is required (note: this is also related to assessing proportionality described in Step 1 “Use Case and Goals” resource library of this toolkit). https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236 
An OSCM project that collects data from the “systematic monitoring of a publicly accessible area on a large scale” is required to complete a DPIA and submit to the EDPS for review.

The Data Processing Agreement

A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing – such as its scope and purpose – as well as the relationship between the controller and the processor. (text from Google search result about)

LINKS:

The DPA is all about clear definitions, roles and responsibilities of the data owner and the data processor in a “client vendor” relationship.  When a city innovator enters into a business relationship with a solution provider that processes personal data they must complete this agreement.

TADA Principles and Manifesto

At the core of any successful OSCM computer vision project are the ethics regarding data use and reuse. How you, as a government innovator, uphold data ethics in your project will ensure the public best interests are in mind and inform your team how to communicate your ethical data practices.  Understanding how Data Ethics relates to the Technical, Legal and Spatial considerations for your project is also important in the beginning stages.

LINKS:

English: https://tada.city/en/home-en/

Dutch: https://tada.city

You should be aware that whatever information or data you create in a project that generates data in public spaces or acquires data from people needs to be accessible to the public. Make a plan  to publish your data on an open data portal.

Dutch Public Access to Government Information Act ( Wet openbaarheid van bestuur- WOB)

Otherwise known as the Dutch Freedom of Information Act, the WOB is specific to the Netherlands rules and regulations for access to and reuse of public sector information including data.  Unless there are valid legal reasons to withhold, citizens and organisations have the right to access or request any government information and/or data and reuse for commercial or non-commercial purposes including apps, visualizatoins and analysis.

English

https://business.gov.nl/regulation/freedom-of-information/ 

https://www.government.nl/topics/government-communications/organisation-of-government-communications

https://www.maastrichtuniversity.nl/about-um/organisation/dutch-public-access-government-information-act-wob 

Dutch 

https://wetten.overheid.nl/BWBR0005252/2018-07-28

You should be aware that whatever information or data you create in a project that generates data in public spaces or acquires data from people needs to be accessible to the public. Make a plan  to publish your data on an open data portal.

The Reuse of Government Information (Wet hergebruik overheidsinformatie- WHO)

In European law this is also known as the Open Data Directive.  This law provides a common legal framework for a European market for government-held data (public sector information). It is built around two key pillars of the internal market: transparency and fair competition.  In the Netherlands the policy is “open by default” meaning that if there are no security, privacy, or copyright issues, government data must be open and accessible. 

EU/English  

https://ec.europa.eu/digital-single-market/en/european-legislation-reuse-public-sector-information

Dutch 

https://www.open-overheid.nl/open-overheid/handleiding-wet-hergebruik-van-overheidsinformatie/ 

https://wetten.overheid.nl/BWBR0036795/2016-10-01

Government published data is a great way to use data-fusion to add value to your project.  Open data portals are available in many countries in Amsterdam there is  https://data.amsterdam.nl  and in EU we have https://data.europa.eu

The Prohibition on State Aid and EU law (Het verbod op staatssteun staat en EU wetgeving)

State Aid is defined as an advantage in any form (not just funding) given to a selected undertaking by national public authorities.  This is prohibited by European law when it distorts competition or may affect trade between EU member states.  Make sure that when you are funding your Open Source Crowd Monitoring project or if you are granting funds for such a project that you are following transparency requirements and complying to fair competition policies. 

EU/English 

https://ec.europa.eu/competition/state_aid/overview/index_en.html 

Dutch 

https://ecer.minbuza.nl/ecer/dossiers/staatssteun/het-verbod-op-staatssteun.html

https://europadecentraal.nl/onderwerp/staatssteun/

There are exceptions when the project is innovative and the goal is to stimulate a well functioning and equitable economy.  An example of this in Amsterdam would be the Startup in Residence Program https://startupinresidence.com/amsterdam/

Privacy Statement or Privacy Policy

Transparency and informing the public about how their data are being used are two basic goals of the GDPR. This article explains what is a privacy notice and offers a privacy notice template to help you comply with the law. 

About writing a GDPR compliant privacy notice (template included): https://gdpr.eu/privacy-notice/

3.1.3 – Legal Compliance Overview

Among several laws, procedures, documents and ethical principles you must consider before moving forward you  needed to make sure you are familiar with the specific legal aspects of crowd monitoring in public spaces in your country, region, and city. For OSCM projects in the EU and the Netherlands here is a list of items we know are important from our experience.  For full details download the Legal Resource Library PDF. 

See below for more resources:

Name Useful Links
European Data Protection Officer (DPO) /data-protection-officeer-en
The Dutch Data Protection Authority (DPA) https://autoriteitpersoonsgegevens.nl/en
Right to Erasure Form (Part of GDPR) https://gdpr.eu/right-to-erasure-request-form/
 IoT registration (Amsterdam) https://slimmeapparaten.amsterdam.nl/about

https://www.amsterdam.nl/privacy/camera’-sensoren/
Video Camera Registration (Amsterdam) https://www.amsterdam.nl/privacy/camera’-sensoren/
AI Register (Amsterdam) https://algoritmeregister.amsterdam.nl/en/ai-register/
Legally required signs and stickers (Amsterdam) https://slimmeapparaten.amsterdam.nl/about/faq
 Project Description https://slimmeapparaten.amsterdam.nl/about/faq

Additional General Legal considerations that will vary greatly by region and use case. 

  • Governance, ownership and responsibilities 
  • Contracts and liability 
  • Open Data publishing, use, and reuse compliance issues (EU)

3.2 – Technical

As technology grows, so does the number and complexity of sensors and devices that can be used to monitor public space. The technical choices you make will relate to decisions made in the previous steps when you established your goals, use case and planned your project accordingly. What is important in this step is that you first familiarise yourself with the different options available and then take a closer look at the Degrees of Invasiveness to help guide a responsible and ethical decision.

Computer Vision

Current computer-vision systems do a decent job at classifying images and localizing objects in photos, when they’re trained on enough samples but it takes a lot of work to achieve a high level of accuracy. Computer vision applications include facial and object recognition, also biometrics which can be very invasive.

More about Computer_vision

CCTV

An acronym for Closed Circuit Television, CCTV has been around for a while and is used mostly for security purposes. It’s all about recording video footage of people either in public or private spaces and can be applied to computer vision applications but not necessarily. Also known as video surveillance, it is perhaps the most invasive technology you can use.

More about Closed-circuit_television

Sound Sensors

These come in all shapes and sizes. They can record sound or just detect it. They can be highly accurate and measure volume (dbl), tone, pitch, and/or frequency or simply detect the existence sound above a certain threshold. They all use microphones but not all deliver insights related to the nature of sound or sound identification which is enabled by using existing libraries or training using machine learning.

More about sound-sensor

Thermal

Or Thermal Imaging Cameras used for crowd monitoring use infrared technology to measure object radiation and vary greatly in range and accuracy, from detecting the existence of a person at night at long range to a fairly accurate temperature reading at close range.

/wiki/Thermographic_camera

Mobile App

Convenient because almost everybody has a Smart Phone with them wherever they go but also problematic depending on what you want to achieve. Geolocation services, Bluetooth, Wifi, and/or Mobile Data must be on for instance depending on the application.

More about Mobile App data

Motion Sensors

Or Motion Detectors can be one of several technologies including Passive Infrared (PIR), Microwave, Sonar, and Ultrasonic. Although this technology is useful to detect single object presence, iit is not effective for multiple objects or crowds in large spaces.

More about Motion_detectors

Millimeter Wave

Or high resolution radar uses an ultra high frequency radio wave to detect, locate, and track moving targets with a very high level of accuracy but with a limited distance. This technology is also used for security screening to detect weapons and other dangerous objects under clothing.

More about Millimeter Wave

WiFi Sniffer

Also known as a packet sniffer. This technology detects smart phones on Wifi mode searching for networks.  The sniffer intercepts probe requests and the MAC address of the device making it useful to track an individual in a large space but also potentially invasive. 

More about  WiFi_Sniffers

3-D Sensors

A depth sensing technology that uses three different techniques to detect and image map objects: stereoscopic vision, structured light pattern, or time of flight (ToF). All capture or produce 3-D images which are anonymous and trackable in crowded spaces with a high level of accuracy.

More about 3-D sensors

3.2.1 Technical – Degrees of Invasiveness

Different crowd monitoring technologies have their own degree of invasiveness depending on how they are used and where. You should be aware of how different sensors and devices can compromise privacy and compare them to others to understand your options.

3.2.2 Technical – Invasiveness Matrix

A quick guide to the various kinds of data that different crowd monitoring technologies generate.  The Invasiveness Matrix will tell you what solutions will create biometric data versus anonymous data, location data and more.

3.3 Spatial

Different spaces have different requirements when designing and implementing a sensor project. We have crated a simple example with six spatial categories and specific considerations.  Below you will find these considerations and some important questions you need to ask yourself and your team. 

In Amsterdam it is compulsory for all data gathering devices or sensors to be registered. Make sure you follow the requirements in your city. For more information in Dutch:  https://www.amsterdam.nl/nieuws/nieuwsoverzicht/meldplicht-dataverzamelaars/ 

Signage:

Does your project area have signage, boards, or flags to inform public that they are in a monitoring zone? 

Privacy:

Does your project area provide the public the  right to be invisible or anonymous? How so?  

Permission:

Do you need permission from property or facility manager? In public space, you’ll need specific permissions or exceptions from the municipality. 

Agreements:

Do you need data processing agreement, data protection or any other regulatory requirements? 

Registration:

Should the cameras, project documents or FAQ’s need to be registered? 

In this example we are using the Marineterrein Amsterdam Living Lab – Inner-city test ground for a sustainable living environment. This 1/2 square mile district is a wonderful microcosm of any city space, function or activity. For more info: https://www.living-lab.nl

Private Property

Cities are mostly made up of private properties. Owners of these properties control access and can only collect data from visitors for security reasons.

Considerations
Permission
Agreements
Registration
Signage
Privacy

Public Parks

City parks are owned or managed by the local municipality. You’ll need special permission from authorities to collect data from these areas.

Considerations
Permission ✔︎
Agreements ✔︎
Registration ✔︎
Signage ✔︎
Privacy ✔︎

Waterfronts & Harbors

Mixed management between the city, water authorities and sometimes private boating clubs or marinas. Collecting data needs to be approved by every stakeholder

Considerations
Permission ✔︎
Agreements ✔︎
Registration ✔︎
Signage ✔︎
Privacy ✔︎

Campus & Business Parks 

Hospitals, universities, commercial or industrial properties are mostly private. Collecting data is usually permitted by facility management or the owner.  

Considerations
Permission ✔︎
Agreements
Registration
Signage
Privacy

Hotels, Bars & Restaurants 

Cafes, courtyards and terraces are usually private property. Owners of these properties can collect data of their customers with consent.

Considerations
Permission ✔︎
Agreements
Registration
Signage ✔︎
Privacy ✔︎

Sports Grounds & Recreation

Clubs, pitches, playgrounds or stadiums can be mixed between private and public ownerships. Collecting data of guests should be for legitimate safety reasons.

Considerations
Permission ✔︎
Agreements ✔︎
Registration ✔︎
Signage ✔︎
Privacy ✔︎

3.4 Video Library

The expert interviews are a quick way for you to get some great advice. Before moving on to Step 4: Public Engagement and Communication, please take a few minutes to learn from personal experience and insights that will help you think about Legal, Technical, and Spatial Considerations for your crowd monitoring project.

All expert interviews ask these three questions:

What are the biggest challenges for crowd monitoring in public spaces?
What are some approaches to address these challenges?
What advice can you give innovators thinking about crowd monitoring?

Douwe Schmidt

Data Ethicist & Lead TADA

TADA is all about the ethical and responsible use of data. As the lead for TADA Douwe is concerned with informing the public properly and ensuring they benefit from crowd monitoring. He suggests involving the people we are monitoring but you should always ask “is this the right solution to the problem?”

Beryl Dreijer

Privacy Officer, City of Amsterdam, Information Safety & Privacy, Space and Economy

Beryl provides valuable insights about why we should develop crowd monitoring projects in open, inclusive and transparent ways. GDPR compliance is important but so is informing the public about what sensors are doing, why they are there, and where they can complain helps people feel safe about your project.

Maarten Sukel

AI Lead City Of Amsterdam

As the AI architect behind the Object Detection Toolkit www.odk.ai Marten shares his experience specific technical aspects of Computer Vision as a crowd monitoring tool. Regardless of the techniques used, we should always use sensors for the benefit of the public and using Living Labs to test your solution will avoid many problems.

Tom van Arman

Future City Maker and Founder of TAPP.NL

Tom is an architect & urban planner using open data, api’s & IoT solutions to create more social, sustainable & resilient cities. He tells us why ethics is at the heart of good design practice in public space and how using the data to make informed decisions creates value for future cities.