Use of OccupEye in Futures Institute

The request was partially successful.

Dear Coventry University,

Regarding your deployment of the "OccupEye" automated workspace utilisation analysis system within the Futures Institute building at Coventry University Technology Park, and the study relating to that deployment.

Please provide any information you hold relating to:

1. Name and position of the person authorising the deployment, and the date on which that decision was made.

2. The purpose, scope and duration of the deployment, and a detailed description of the data to be captured.

3. Discussion and decisions taken in respect of ethical approval for this deployment, together with a copy of the ethical approval.

4. Discussions undertaken with the staff and students working within the Futures Institute building regarding this deployment.

5. Discussion and decisions taken as to whether staff and students should be informed of the deployment and, if so, date-stamped copies of that information.

6. Detail what measures will be taken to ensure that no persons can be directly or indirectly identifiable in the outputs or findings of this study.

7. Detail how you will guarantee the full security and confidentiality of any personal or confidential data collected during the study?

8. Is there a possibility that any person could be directly or indirectly identified in the outputs or findings from this study?
If YES, please explain why this is the case.

9. Is there a possibility that any person could have confidential information made known in the outputs or findings from this study?
If YES, please explain why this is the case.

10. Will any member of the research team, or elsewhere in the University, or third party, retain any personal or confidential data at the end of the study, other than in fully anonymised form?
If YES, please explain the nature of that data, and why this is the case.

11. Will any member of the research team, or elsewhere in the University, or third party, make use of any confidential information or knowledge obtained for any purpose other than the research project?
If YES, please explain the nature of that data, and why this is the case.

12. What steps have you taken for secure data management, in accordance with the Data Protection Act 2018?

13. Detail the location where data will be stored, who will have access, the method of access, and what encryption methods will be used.

14. Please explain how collected data will be destroyed, when it will be destroyed, and by whom.

15. Will all the participants be fully informed, BEFORE the monitoring begins, why the study is being conducted and what their participation will involve?
If NO, please explain why.

16. Will every participant be asked to give written consent to participating in the study, before it begins?
If NO, please explain how you will get consent from your participants. If not written consent, explain how you will record consent.

17. Will all participants be fully informed about what data will be collected, and what will be done with this data during and after the study?
If NO, please specify.

18. Will there be audio, video or photographic recording of participants? Will explicit consent be sought for recording of participants?
If NO to explicit consent, please explain how you will gain consent for recording participants.

19. Will every participant understand that they have the right not to take part at any time, and/or withdraw themselves and their data from the study if they wish?
If NO, please explain why.

20. Will every participant understand that there will be no reasons required or repercussions if they withdraw or remove their data from the study?
If NO, please explain why.

21. Does the study involve deceiving, or covert observation of, participants?
If YES, please explain why this is necessary.

22. Will you debrief participants at the earliest possible opportunity?
If NO, please explain why.

23. What steps have you taken to reduce and address any physical harm to participants in the study?
If NONE, please explain why.

24. What steps have you taken to reduce and address any psychological or emotional distress to participants in the study?
If NONE, please explain why.

Yours faithfully,

J. Wescott

Freedom of Information requests, Coventry University

3 Attachments

Dear Mr Wescott,

REF: Freedom of Information Request - FOIA0768

The University has completed its search for the information you requested pursuant to the Freedom of Information Act 2000.

In response to your questions, please see attached.

If you are unhappy with the service you have received in relation to your request and wish to make a complaint or request a review of our decision, you should write to the Information Protection Unit, Coventry University, Portal House, 163 New Union Street, Coventry, CV1 2PL or email [Coventry University request email].

If you are not content with the outcome your complaint, you may apply directly to the Information Commissioner for a decision. Generally, the ICO cannot make a decision unless you have exhausted the complaints procedure provided by the University. The Information Commissioner can be contacted at: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; Tel: 01625 545 745; Email: [email address]

If you wish to discuss this matter further, or require any other information, please do not hesitate to contact me.

Kind Regards

Will Doherty | Information Protection Disclosures Advisor | Information Protection Unit (IPU)
Coventry University, Portal House, 163 New Union Street, Coventry, CV1 2PL
T: +44 (0)2477 658202 | M: +44 (0)7557425844 | E: [email address] |
W: www.coventry.ac.uk
Working hours: Monday – Friday 08.30am – 17.00pm

The contents of this email (including any attachments) are confidential, may be legally privileged, and are for use only by the intended recipient(s). If you are not an intended recipient, you must not use or disclose the contents to anyone; instead, please notify the sender immediately by reply email or by calling +44 (0)24 77 65 7777 and then delete this email.

show quoted sections

Dear Coventry University,

Thank you for your detailed response.

Please can you clarify a few of your responses.
(Numbers as per the original request/response)

4. Please detail all direct discussions which have taken place, regarding this deployment, with students working in the Futures Institute building.
(For the avoidance of doubt, I refer to discussions direct with students; not "managers".)

5. Was a deliberate decision made to not inform students about the deployment? If yes, please explain why.

6. The desks being monitored are used by only 1 individual (they are not shared/'hot' desks) - please justify your claim the data cannot be associated with an individual person.

8. Please detail the precise way the "the system has been configured so that any personal association with location is masked". What is the nature of the "masking"? Who has access to the un-masked data?

12. Who is the Data Processor (as defined by the UK Data Protection Act)?

13. Where (geographically) will the data be stored? What steps (validation) have you taken to ensure the data are held and processed in compliance with the UK Data Protection Act?

14. Please provide a date by when the data will be destroyed (as required by the DPA).

15. Are you aware that no staff or students working in the Futures Institute were informed about the monitoring before it began?
Why was the monitoring equipment installed at 10pm in the evening; while the offices were closed?

17. Staff or students working in the Futures Institute have received no information about what data will be collected - when will this be done?

21. Do you agree that installing equipment capable of observing the habits and behaviour of building occupants, in secret, and without prior notice to those occupants, constitutes covert observation?

23. Please provide a copy of the report/communications from the "Safety and Risk Management" team.

24. You provide a very unsafe conclusion. Whether or not you consider the staff or students in the building to be "participants", did you consider the possibility that some psychological or emotional distress could be caused by your monitoring?
Would it have been 'safer' to have assumed the project *would* cause distress to the building occupants and have addressed the same, proactively?

Thank you for your time.

Yours sincerely,

J Wescott

Freedom of Information requests, Coventry University

Dear Mr Wescott,

REF: Freedom of Information Request - FOIA0768

Please be advised that the University has received your email of below and will investigate further and revert back to you in due course.

Kind Regards

Will Doherty | Information Protection Disclosures Advisor | Information Protection Unit (IPU)
Coventry University, Portal House, 163 New Union Street, Coventry, CV1 2PL
T: +44 (0)2477 658202 | M: +44 (0)7557425844 | E: [email address] |
W: www.coventry.ac.uk
Working hours: Monday – Friday 08.30am – 17.00pm

The contents of this email (including any attachments) are confidential, may be legally privileged, and are for use only by the intended recipient(s). If you are not an intended recipient, you must not use or disclose the contents to anyone; instead, please notify the sender immediately by reply email or by calling +44 (0)24 77 65 7777 and then delete this email.

show quoted sections

Freedom of Information requests, Coventry University

1 Attachment

Dear Mr Wescott,

 

REF: Freedom of Information Request - FOIA0768

 

I write in response to your email of the 31st August.  To clarify the
previous responses, please see the below using the same numbering:

 

4. Please detail all direct discussions which have taken place, regarding
this deployment, with students working in the Futures Institute building.

(For the avoidance of doubt, I refer to discussions direct with students;
not "managers".)

 

The University's Estates department has not taken part in any direct
discussions regarding the deployment with students working in the Futures
Institute building.  We cannot confirm if this means that none took place
– there was a decision made that the management team would be responsible
for communications.

 

5. Was a deliberate decision made to not inform students about the
deployment? If yes, please explain why.

 

There was no deliberate decision made by Estates not to inform students –
as mentioned above Estates provided information for the local management
team to manage the communication process.

 

6. The desks being monitored are used by only 1 individual (they are not
shared/'hot' desks) - please justify your claim the data cannot be
associated with an individual person.

 

Estates doesn’t hold information about who sits at each desk.  The only
information we need is patterns of how desks are used so that future space
can be planned.

 

8. Please detail the precise way the "the system has been configured so
that any personal association with location is masked".  What is the
nature of the "masking"? Who has access to the un-masked data?

 

The “masking” is by not collecting or inputting data about who might be
using a particular space.  This means that no names are associated with
the workstations.

 

12. Who is the Data Processor (as defined by the UK Data Protection Act)?

 

There is no defined Data Processor as this is only required when personal
data is being collected.

 

13. Where (geographically) will the data be stored? What steps
(validation) have you taken to ensure the data are held and processed in
compliance with the UK Data Protection Act?

 

The data is stored in Manchester in the UK. We worked with IPU to check
that all relevant legislation is being complied with.

 

14. Please provide a date by when the data will be destroyed (as required
by the DPA).

 

The data will be destroyed after completion of the project.  Because of
the delays with the project starting, we do not have a completion date
yet.

 

15. Are you aware that no staff or students working in the Futures
Institute were informed about the monitoring before it began?

 

We are aware now that there has been a lack of briefing. We believed that
there would be briefings before data collection started, but this was to
be handled by the local management team.

 

Why was the monitoring equipment installed at 10pm in the evening; while
the offices were closed?

 

The units needed to be installed and therefore accounted for in the
2017/18 financial year which ended on 31st July 2018.  There were only a
limited number of installation slots available with the suppliers.  Given
this it was decided to minimise disruption to the office and fit the units
outside of working hours.

 

17. Staff or students working in the Futures Institute have received no
information about what data will be collected - when will this be done?

 

All information regarding the deployment of the sensors was given to all
the research centre EDs and Ops managers before installation.  This was
done verbally at a Research Leadership Team meeting and then through two
emails.  The ED and Ops manager in this centre failed to disseminate this
information.  They have all the necessary information to brief the staff
and students to do this and should be expected to do so if they have not
done so already.

 

21. Do you agree that installing equipment capable of observing the habits
and behaviour of building occupants, in secret, and without prior notice
to those occupants, constitutes covert observation?

 

No.  The equipment isn’t capable of observing the habits and behaviours of
building occupants.  Moreover we understood that briefings would be taking
place, and had provided information for this to happen.

 

23. Please provide a copy of the report/communications from the "Safety
and Risk Management" team.

 

From: [email address] <[email address]>

Sent: Monday, July 30, 2018 3:24:06 PM

To: Stephen Heath; Karen Lawrence

Subject: RE: Space utilisation check

 

Hi Stephen and Karen,

 

Hope you had a nice weekend.

 

Please see below a high-level overview of H&S:

 

OccupEye

 

Element confirm that the FCC report contains the safety aspects of the RF
emissions.

For CE because we are under 20 mW and automatically pass the safety
testing by default (OccupEye is approx 10 times lower than the 20 mW
staring threshold to even require assessment).

 

This is the relevant information for OccupEye 433 MHz:

EiRP

 

Base Station

Measured at -7.4dBm (0.2mW) – well below the 10mW allowance

 

Sensor

Measured at –25.3dBm (0.003mW) – well below the 10mW allowance

 

The 10 mW allowance referenced relates to the maximum permissible output
in the ISM433 MHz band (Band H).

The figures to focus on are the 0.2mW and 0.003 mW.

For ERP and EiRP see:
https://emea01.safelinks.protection.outl...

 

https://emea01.safelinks.protection.outl...

 

Hope this helps,

 

Please let me know if you need anything else.

 

In addition to this, it would be good to schedule a call with you Stephen.
Josh is in the process of completing your dashboard, I want to ensure we
have everything included that meets your requirements in terms of the
detail/ metadata.

 

Are you available Thursday?

 

Look forward to hearing from you.

 

Many thanks

Emma

 

Emma Howard

Business Development Executive

 

24. You provide a very unsafe conclusion. Whether or not you consider the
staff or students in the building to be "participants", did you consider
the possibility that some psychological or emotional distress could be
caused by your monitoring?

 

No. We thought that by briefing managers who could explain the purpose of
the installation in the context of the work done by the teams and the
strategic goals for research in the University that students and staff
would appreciate the need for the study, and would have an opportunity to
raise concerns and questions in a forum where these could be immediately
addressed.

 

Would it have been 'safer' to have assumed the project *would* cause
distress to the building occupants and have addressed the same,
proactively?

 

Given the experience with this installation and the distress that has
clearly been caused, we as a team have learnt a great deal. In retrospect
it would have been safer to assume that we needed to take a more proactive
role in communications.

 

If you are unhappy with the service you have received in relation to your
request and wish to make a complaint or request a review of our decision,
you should write to the Information Protection Unit, Coventry University,
Portal House, 163 New Union Street, Coventry, CV1 2PL or email [Coventry
University request email].

 

If you are not content with the outcome your complaint, you may apply
directly to the Information Commissioner for a decision. Generally, the
ICO cannot make a decision unless you have exhausted the complaints
procedure provided by the University. The Information Commissioner can be
contacted at: The Information Commissioner’s Office, Wycliffe House, Water
Lane, Wilmslow, Cheshire SK9 5AF; Tel: 01625 545 745; Email: [email
address]

 

If you wish to discuss this matter further, or require any other
information, please do not hesitate to contact me.

 

Kind Regards

 

Will Doherty | Information Protection Disclosures Advisor | Information
Protection Unit (IPU)

Coventry University, Portal House, 163 New Union Street, Coventry, CV1 2PL

T: +44 (0)2477 658202 | M: +44 (0)7557425844  |  E:
[1][email address] | 

W: [2]www.coventry.ac.uk        

Working hours: Monday – Friday 08.30am – 17.00pm             

[3]175 Coventry University.jpg

 

The contents of this email (including any attachments) are confidential,
may be legally privileged, and are for use only by the intended
recipient(s).  If you are not an intended recipient, you must not use or
disclose the contents to anyone; instead, please notify the sender
immediately by reply email or by calling +44 (0)24 77 65 7777 and then
delete this email. 

 

 

show quoted sections

Dear Coventry University,

I'm disappointed the University's response is for one department to blame another, rather than responding as a whole.

The University's own Data Protection Policy states that it becomes applicable when individual persons can be identified from data when in combination with any other information in the university's possession.

But by responding only from one department, this issue has been sidestepped in the response. One department monitors the desks, another has a list of who sits at each desk.

(Note the Data Protection Act covers *potential* use of data, not just actual use.)

Yours sincerely,

J Wescott