Organizations are increasingly incorporating immersive technologies into their products and services, creating both novel applications and increased risks. This shift typically relies on the collection and use of massive amounts of data about individuals’ bodies, and leading organizations developing or deploying immersive tools are adopting risk-based approaches for body-related data practices—approaches that often go beyond legal mandates regarding data handling.
The Future of Privacy Forum’s Risk Framework for Body-Related Data in Immersive Technologies provides organizations a structure to create appropriate safeguards for the collection, use, and onward transfer of body-related data in immersive technologies. The framework’s risk-based approach can be used by organizations to mitigate potential harms and help ensure that data is handled safely and responsibly.
FPF’s framework was developed in consultation with privacy experts and is grounded in the experiences of organizations operating in the immersive technology space. It consists of four stages, wherein organizations:
- Understand their data practices: map data practices and specify their purpose.
- Evaluate legal obligations: analyze existing legal obligations and how they may change in the near future.
- Identify risks to individuals, communities, and society: catalog features of data or elements of data practices that create greater risks.
- Implement best practices: operationalize technical, organizational, and legal safeguards to prevent or mitigate the identified risks.
These four steps should be repeated in an ongoing manner to account for changing norms, business practices, and legal requirements.
This framework serves as a straightforward, practical guide for organizations to analyze the unique risks associated with body-related data, particularly in immersive environments, and to institute data practices that earn the public’s trust. After consulting this framework, organizations will be able to:
- Evaluate whether their body-related data practices pose privacy risks, namely: whether the data they collect is identifiable, sensitive, prone to sensitive inferences, or biased; and whether their data is used to inform critical decisions, is used fairly by third parties, is retained over time, or is used in ways that individuals expect and understand.
- Implement relevant best practices based on how they handle data, including: data minimization, purpose specification and limitation, meaningful notice and consent, user controls, local and on-device processing and storage, third