The National Academies

ACRP 01-50 [Pending]

Data Protection and Privacy Management Guidelines for Airports

  Project Data
Funds: $350,000
Contract Time: 18 months
Staff Responsibility: Theresia H. Schatz

Airports are collecting, processing, and using large amounts of data from airport users, including personal identification, medical records (e.g., COVID-19 related), and biometric information. The methods used by airports for these activities are evolving. Airports need to comply with an increasing number of data protection and privacy regulations. An initial review of the websites of several large U.S. airports suggests that few provide any information concerning data privacy.
Research is needed to understand current practices, provide guidance for fostering awareness of compliance requirements, and help airports incorporate data privacy management into their operational and business activities.
The objectives of this research are to develop guidelines to help airports of all types and sizes to: (a) identify customer data that is subject to protection; (b) implement compliant data protection management practices, policies, and systems; and (c) develop trust and accountability around data privacy practices for their individual customers.
For the purpose of this study:
a.    Customer data includes, but is not limited to, personally identifiable information (PII) (e.g., medical, biometric, credit card, license plate information);
b.    Compliance requirements and cybersecurity considerations should reference documents noted in Special Note A; and
c.    Trust includes instilling confidence in the airport’s uses and protections of customer data (e.g., published disclosure statements, transparency and associated customer communication).
The guidelines should address, but not be limited to, the following considerations:
  • Retention and destruction policies and standards;
  • Compliance with the Americans with Disabilities Act (ADA);
  • Parking data/license plate recognition (LPR);
  • Data regarding customer behaviors and touchpoints and the use of such data; 
  • Current practices for managing data protection including contractual language for tenants and vendors;
  • Current practices for customer outreach and communications on data protection and disclosure;
  • Employee and tenant education on data protection and privacy; and
  • Common-use airport Information Technology (IT) infrastructure.
The research plan should include deliverables for ACRP and panel review and approval that include, at a minimum:
  1. A technical memorandum on the pros and cons of each data protection practice, policy, and system;
  2. An interim report, which describes the work done in the previous tasks and provides an annotated outline of the guidance document with an updated work plan and recommendations for subsequent tasks; 
  3. Best practices for managing data protection including governance and contractual language for tenants and vendors;
  4. Best practices for customer outreach and communications on data protection and disclosure; and
  5. Best practices for employee and tenant education on data protection and privacy.
The research plan should also include checkpoints with the ACRP project panel, including at a minimum (1) a kick-off teleconference meeting to be held within 1 month of the Notice to Proceed and (2) one face-to-face interim deliverable review meeting, as well as web-enabled teleconferences tied to the project panel review and ACRP approval of other interim deliverables deemed appropriate.
The final deliverables will include: (1) guidelines that meet the objectives described above; (2) a contractor’s final report that documents the entire research effort; and (3) (a) a Summary of Key Findings; (b) a Further Recommended Research Memo; and (c) a technical memo titled, “Implementation of Research Findings and Products”.
Special Note A. Proposers should search TRB’s website: https://www.trb.org/Projects/Projects2.aspx for ACRP research projects, reports, and other industry-wide/global reference materials that have been issued and should be consulted when conducting this research, including but not limited to:
  • ACRP Legal Research Digest 42: Legal Implications of Data Collection at Airports; 
  • ACRP Report 140: Guidebook on Best Practices for Airport Cybersecurity;
  • ACRP Project 05-03, “Guidebook on Airport Cybersecurity and Incident Response”;
  • ACRP Research Report 233: Airport Biometrics: A Primer;
  • ACRP Project 03-61, “Implementing and Improving Data Analytics Capabilities at Airports”;
  • National Institute of Standards and Technology (NIST);
  • IATA PCI DSS & Travel Agent Compliance Requirements:   https://www.iata.org/en/services/finance/pci-dss/#tab-1.

Proposals have been received in response to the RFP. The project panel will meet to select a contractor to perform the work.
