The National Academies

ACRP 01-50 [Active]

Data Protection and Privacy Management Guidelines for Airports

  Project Data
Funds: $350,000
Staff Responsibility: Matthew J. Griffin
Research Agency: Del Ray Solutions LLC
Principal Investigator: Sean Cusson
Effective Date: 4/19/2022
Completion Date: 10/18/2023

Airports are collecting, processing, and using large amounts of data from airport users, including personal identification, medical records (e.g., COVID-19 related), and biometric information. The methods used by airports for these activities are evolving.  Airports need to comply with an increasing number of data protection and privacy regulations. An initial review of the websites of several large U.S. airports suggests that few provide any information concerning data privacy.
Research is needed to understand current practices, provide guidance for fostering awareness of compliance requirements, and help airports incorporate data privacy management into their operational and business activities.
The objectives of this research are to develop guidelines to help airports of all types and sizes to: (a) identify customer data that is subject to protection; (b) implement compliant data protection management practices, policies, and systems; and (c) develop trust and accountability around data privacy practices for their individual customers.
For the purpose of this study:
a.    Customer data includes, but is not limited to, personal identifiable information (PII) (e.g., medical, biometric, credit card, license plate information);
b.    Compliance requirements and cybersecurity considerations should reference documents noted in Special Note A; and
c.    Trust includes instilling confidence in the airport’s uses and protections of customer data (e.g., published disclosure statements, transparency and associated customer communication).
The guidelines should address the following considerations, but be not limited to:  
  • Retention and destruction policies and standards;
  • Compliance with Americans with  Disabilities Act (ADA);
  • Parking data/ license plate recognition (LPR);
  • Data regarding customer behaviors and touchpoints and the use of such data; 
  • Current practices for managing data protection including contractual language for tenants and vendors;
  • Current practices for customer outreach and communications on data protection and disclosure;
  • Employee and tenant education of data protection and privacy;  and
  • Common use airport Information Technology (IT) infrastructure.  

To create a link to this page, use this URL: http://apps.trb.org/cmsfeed/TRBNetProjectDisplay.asp?ProjectID=5195