COVID-19 Digital Campus

Privacy statement

Last changed: 6 October 2020

What is ‘COVID-19 Digital Campus: a living lab for digital technologies’?

The outbreak and rapid spread of Covid-19 across the world resulted in stringent limitations on interaction between people. Following the first wave of the pandemic, blanket lockdowns have been lifted piece by piece. Yet Covid-19 will remain among us for some time, and events in recent months have shown that people, albeit often unintentionally, violate the prescribed social distancing guidelines. Solutions are required which can help people to act responsibly. Digital technologies can aid in this process.

‘COVID-19 Digital Campus: a living lab for digital technologies’ is an initiative that comprises four research and innovation projects in support of the ‘1.5m campus’. The initiative is unique because it combines scientific research and practical use. TU Delft researchers are expanding scientific knowledge on topics such as mobility flows and student wellbeing and leverage their expertise to create smart digital solutions in support of campus management and campus life. The aim of these new smart digital solutions is to monitor crowding levels on the TU Delft campus and measure the wellbeing of students.

The initiative features four projects, namely:

  1. Outdoor Mobility Dashboard (OMD)
  2. Building Rhythms
  3. Conversational agent
  4. Contact networks for human mobility processes

Jointly, these four projects provide various insights into crowding levels and mobility movements on the TU Delft campus. These insights can be used to define and evaluate crowd management measures and policies in support of the 1.5m-society.

Various data sources are used within the project. As far as possible, data will be drawn from publicly available sources. For instance, travel times and densities of the road networks are drawn from the National Data Warehouse (www.ndw.nu), planned and actual travel-time information from the national public transport data warehouse (https://ndovloket.nl), and real-time bridge openings (https://blauwegolfverbindend.nl). Only if the required data are not publicly available will data be collected as part of this project.

The Outdoor Mobility Dashboard and Building Rhythms project (Projects 1 and 2) feature data from a comprehensive mobility monitoring system consisting of an assorted set of sensors. The conversational agent (Project 3) collects responses of staff and students, e.g. about their well-being. The human mobility networks modelling does not involve any data collection (Project 4).

This privacy statement explains how your privacy is protected while your data are collected and analysed.

Privacy summary ‘COVID-19 Digital Campus – a living lab for digital technologies’

The primary interest of this initiative is to provide insight into crowdedness and mobility on campus, as well as insight into student wellbeing. These insights can be used to define, evaluate, and test policies that aim to limit the transmission of the Covid-19 virus on the TU Delft campus.

The different projects within the initiative have a different timing. The current privacy statement constitutes information relevant to Project 1, the ‘Outdoor Mobility Dashboard’. This Privacy Statement will be revised as soon as new functionality is added to Project 1 or when the other projects become operational. 

Project 1: Outdoor Mobility Dashboard (OMD)

The Outdoor Mobility Dashboard is an important aid in protecting the well-being of our staff, students and visitors on campus during the Covid-19 pandemic. It is deployed to detect potential high-risk situations in which sufficient distance is not maintained, since this presents a potential risk for public health. It also serves scientific research related to mobility and social distancing.

No personal data are processed and collected for the Outdoor Mobility Dashboard. The sensor network that collects the data for the Outdoor Mobility Dashboard identifies how many people are within the view area of each sensor and how they move, not who is within the view area. Any piece of information that might relate to an identifiable person is obfuscated in such a way that it cannot be traced back to the individual.

Part of the OMD project is a digital twin of the TU Delft campus (see figures 1 and 2). This is a digital replica of the campus, which displays the multi-modal movements of people across TU Delft campus. This digital twin is fed by mobility data that is gathered by a mobility monitoring system. A mobility monitoring system is a set of sensors, algorithms and servers that continuously assesses the state of pedestrian and cycling infrastructure, such as TU Delft campus. This system, for instance, determines the average walking speed, maximum density and average interaction distance between pedestrians and cyclists at our campus.

Privacy-by-design is embedded in the backbone of the monitoring system. Below you can find detailed information about how the right to privacy is preserved, while developing and using the systems.

Figure 1: Screen shot of the digital twin of the TU Delft campus with public transport information
Figure 2: Screen shot of the digital twin of the TU Delft campus with building information

How does the OMD project adhere to the General Data Protection Regulation (GDPR)?
By adopting privacy-by-design the OMD team commits to comply with the General Data Protection Regulation. Further, the OMD team undertakes to:

  • openly communicate about the locations and time periods at which a monitoring system is active;
  • provide details with respect to the type of sensors and information that are deployed to collect information;
  • explain the reasoning why crowd monitoring systems are used;
  • ensure that the usage and storage of your data has a legitimate purpose;
  • ensure that usage and storage of your personal data is minimised;
  • ensure that your data is secured and treated with care.

Legal basis for data collection
The legal basis for the processing of the data is the protection of the vital interests of TU Delft. Firstly, these encompass the health and safety of the staff, students of, and visitors to, TU Delft and companies located on campus (i.e. during the current pandemic). After the pandemic, these vital interests will pertain to the accessibility of the campus, as well as the safety, health and security in the short term (traffic safety) and the long term (liveability and sustainability).

In the case of the UMO app, we will operate under consent as a legal basis. This means that we will ask you for specific permission to process some of your personal information, and we will only do so if you provide us your consent. You may withdraw your consent at any time by contacting s.hoogendoorn-lanser@tudelft.nl.

Adopting privacy-by-design
Privacy-by-design is at the heart of this project. The raw (unprocessed) collected data is encrypted at the source (i.e. the sensor) in such a way that it is impossible (even for those involved in the project) to recreate the raw data without the exact encryption algorithms and seeds. These algorithms and seeds change dynamically every day.

In addition, only the data that are essential to evaluate people’s movements are captured by the crowd monitoring system and transmitted from the sensor directly to the mainframe. No identifiable data leaves the cameras. If someone manages to intercept the data stream, privacy is still maintained. The mainframe only stores anonymized aggregated statistics showing people as ‘moving objects’. These statistics cannot be traced back to any identifiable person.

Further, the Outdoor Mobility Dashboard only collects data for the purpose of the initiative ‘COVID-19 Digital Campus – a living lab for digital technologies’ firstly, and secondly for the ‘Mobile Campus 2.0’ project, intended to run for the coming five years. The system does not collect nor transmit video feeds. Video images captured (raw data) are translated into statistics at source (i.e. the sensor).

Finally, researchers and security staff have no access to the video feeds.

What data are collected?

As indicated above, only the following data are collected:

  • The speed and direction of moving objects; 
  • The location of all objects within a field of view of a sensor;
  • A temporary hashed identifier of Wi-Fi/Bluetooth enabled devices;
  • The (subjective) assessment of crowdedness by individuals that volunteer to participate in the collection of these data for the OMD (including the location that the assessment adheres to). 

No information is stored at the level of individual objects or Wi-Fi enabled devices. Aggregate statistics, such as average speed, density, flow, travel time and route pertaining to crowd movement dynamics at TU Delft campus are stored in a database within TU Delft’s secured ICT infrastructure.

Four distinct sensors are used to collect the data of the OMD, namely:

  1. Automatic counting systems;
  2. Stereo-vision sensors;
  3. Wi-Fi/Bluetooth/radar sensors;
  4. Smartphone applications which collect subjective crowdedness and location information (opt-in only).

Below you can see additional and detailed information about how these sensors work and where they are located at TU Delft.

How do these sensors work, and where are they located?

The table below provides an overview of the sensor locations and data that is collected by each sensor.

| No. | Location | Sensor type | Collected data |
|-----|----------|-------------|----------------|
| C1 | In front of faculty of Applied Sciences | Wi-Fi/Bluetooth/radar | Id Wi-Fi enabled devices, flow of people |
| C2 | Mekelweg, in front of XDelft! | Wi-Fi/Bluetooth/radar | Id Wi-Fi enabled devices, flow of people |
| C3 | Mekelweg, in front of Balpol 1 | Wi-Fi/Bluetooth/radar | Id Wi-Fi enabled devices, flow of people |
| C4 | Mekelweg, in front of EEMCS | Wi-Fi/Bluetooth/radar | Id Wi-Fi enabled devices, flow of people |
| C5 | Stieltjesweg, between CEG and Applied Sciences – Old | Wi-Fi/Bluetooth/radar | Id Wi-Fi enabled devices, flow of people |
| C6 | Between Aula and faculty of Applied Sciences - Old | Wi-Fi/Bluetooth/radar | Id Wi-Fi enabled devices, flow of people |
| C7 | Mekelweg, next to bridge towards faculty of Industrial Design Engineering | Wi-Fi/Bluetooth/radar | Id Wi-Fi enabled devices, flow of people |
| C8 | Mekelweg, near intersection Jaffalaan | Wi-Fi/Bluetooth/radar | Id Wi-Fi enabled devices, flow of people |
| C9 | Christiaan Huygensweg, near intersection Schoenmakerstraat | Wi-Fi/Bluetooth/radar | Id Wi-Fi enabled devices, flow of people |
| C10 | Leegwaterstraat, near intersection Jaffalaan | Wi-Fi/Bluetooth/radar | Id Wi-Fi enabled devices, flow of people |
| C11 | Leegwaterstraat, near intersection Cornelis Drebbelweg | Wi-Fi/Bluetooth/radar | Id Wi-Fi enabled devices, flow of people |
| S1 | Bus platform TU – Mekelpark, side CEG | Depth sensor | Location, movement direction and speed of all moving objects |
| S2 | Bus platform TU – Mekelpark, side EEMCS | Depth sensor | Location, movement direction and speed of all moving objects |
| S3 | Bus platform TU – Aula, side Aula | Depth sensor | Location, movement direction and speed of all moving objects |
| S4 | Bus platform TU – Aula, side IDE | Depth sensor | Location, movement direction and speed of all moving objects |
| S5 | Entrance faculty of IDE | Depth sensor | Location, movement direction and speed of all moving objects |
| S6 | Mekelweg, near intersection Jaffalaan | Depth sensor | Location, movement direction and speed of all moving objects |
| S7 | Mekelweg, near bridge towards IDE | Depth sensor | Location, movement direction and speed of all moving objects |

Types of sensors

This digital sensor is a combination of a 2D-camera and computer vision software. The video feed from the camera is analysed in real time by software in the camera and is erased directly afterwards. Only the results are transmitted to the Digital twin of the TU Delft campus (DCTUD) mainframe. Each minute, the mainframe receives a message consisting of the sensor ID, the timestamp, the inflow and the outflow. In some cases, the trajectories of the moving objects in the field of view are also part of this message (depending on the precise make and model of the camera). These trajectories feature only the location of the object at a specific moment in time. No identifiable information pertaining to the object is captured. The cameras are placed far enough from one another that their fields of view do not overlap, and consequently trajectories from different cameras cannot be combined into a single trajectory.

This digital sensor is a combination of a stereo-vision camera and computer vision software. The video feed of the camera is analysed in real time by this software at the source and erased directly afterwards. Only the results of the analyses are transmitted to the OMD mainframe. Each minute, the mainframe receives a message consisting of the sensor ID, the timestamp, the inflow, the outflow, the number of objects that are visible in the field of view and the trajectories of the moving objects in the field of view. It is not possible to trace individual objects since the fields of view of the stereo-vision cameras do not overlap.

Figure 3: Trajectories of pedestrians at the Mekelpark bus stop (background is a photo not a video feed)
Figure 4: Trajectories of cyclists at the corner of Jaffalaan and Mekelpark (background is a photo not a video feed)

Combined Wi-Fi / Bluetooth / Radar sensors are used to determine the density of pedestrian and cyclist flows on a specific location on campus as well as the routing of pedestrians and cyclists over campus.

1. Wi-Fi / Bluetooth

In the OMD project the Wi-Fi / Bluetooth in the combined Wi-Fi / Bluetooth / Radar sensors are used to determine the routing of pedestrians and cyclists over campus.

Each Wi-Fi enabled device, such as a smartphone or a wireless printer, transmits messages to determine the nearest cell tower and/or to communicate with other devices. These messages contain information pertaining to the identification of the Wi-Fi enabled device and the signal strength of the connection between the device and the cell tower. A Wi-Fi sensor detects the communication of these Wi-Fi enabled devices with the nearest cell tower or Wi-Fi router, and filters out the unique media access control (MAC) addresses of these mobile devices. Only part of the messages is detected, and this corresponds to roughly 20% of the devices in the vicinity of a sensor. The main reason that only a minority of the messages is detected is that some types of mobile devices (specifically newer models) shield their MAC address and send a rotating MAC address instead. The messages of these types of mobile devices can consequently not be used to track the movements of a device through the sensor network. Furthermore, if a user has disabled Wi-Fi / Bluetooth on a device, it does not send messages and thus cannot be detected. Comparing the lists of unique devices of two locations makes it possible to determine how many devices moved from one monitored location to the next. Routing of pedestrians and cyclists over campus can be determined even when only some of the devices are detected, as long as the number of devices on campus is large.

The MAC-address, which is part of this message, is privacy-sensitive information as it can be used to identify one particular Wi-Fi enabled device that belongs to a particular person. To ensure that the privacy rights of individuals are safeguarded, the Wi-Fi sensors used in the OMD project anonymise the data (hashing) every minute so it cannot be traced back to a Wi-Fi device. Moreover, a person’s hashed MAC-address is ‘forgotten’ as quickly as possible (average: 30 min), but at least once a day. 

The anonymisation process consists of four steps, which are performed each minute:

  1. Capturing the messages and filtering the MAC-addresses and timestamps from each of the collected messages.
  2. Scrambling the MAC-addresses by applying a hashing algorithm. All sensors within the monitoring system apply the same hash at the same time, and this hash changes at least once a day.
  3. Deleting a part of the hashed addresses, which ensures that even if one knows the exact hashing algorithm, one is not able to recreate the original MAC-address.
  4. Transmitting the list of shortened hashed MAC-addresses to the mainframe via a secure connection.

After this process, the mainframe database translates these lists of hashed identifiers into aggregate statistics and erases the underlying lists. These lists are only stored for as long as they have value for the analysis modules, which is a maximum of 30 minutes after the data was captured. The ‘old’ data is continuously and proactively erased from the mainframe.
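The four steps and the mainframe aggregation can be sketched as follows. This is an added example, not the OMD project's code: the page does not name the hashing algorithm or how much of the hash is deleted, so HMAC-SHA-256 with a daily in-memory key, truncation to 32 bits, and dropping rotating MAC addresses at the sensor are assumptions, as are all function names and the constructed sample frames.

```python
import hashlib
import hmac
import secrets

ID_HEX_CHARS = 8  # assumption: keep 32 of the 256 digest bits (step 3)


def mac_bytes(mac: str) -> bytes:
    """Normalise 'aa:bb:cc:dd:ee:ff' or 'AA-BB-...' to 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def is_randomised(raw: bytes) -> bool:
    """Locally administered bit set: a rotating address, useless for routing."""
    return bool(raw[0] & 0x02)


def short_id(mac: str, day_key: bytes) -> str:
    """Steps 2 and 3: keyed hash of the MAC, then discard most of the digest."""
    digest = hmac.new(day_key, mac_bytes(mac), hashlib.sha256).hexdigest()
    return digest[:ID_HEX_CHARS]


def minute_report(frames, day_key: bytes) -> set:
    """Steps 1 and 4: keep only the MAC of each captured frame, drop rotating
    addresses (an assumption of this sketch), return the set to transmit."""
    return {short_id(mac, day_key) for mac, _ts in frames
            if not is_randomised(mac_bytes(mac))}


def aggregate_and_erase(report_a: set, report_b: set) -> dict:
    """Mainframe side: derive counts, then erase the identifier lists."""
    stats = {"seen_a": len(report_a), "seen_b": len(report_b),
             "seen_at_both": len(report_a & report_b)}
    report_a.clear()
    report_b.clear()
    return stats


# Constructed sample frames (MAC, timestamp); 00:00:5e:00:53:xx is the IANA
# documentation range, 02:... has the locally administered bit set.
FRAMES_C1 = [("00:00:5e:00:53:01", "12:00:05"), ("00:00:5e:00:53:02", "12:00:20"),
             ("00:00:5E:00:53:03", "12:00:41"), ("02:00:5e:00:53:aa", "12:00:50")]
FRAMES_C2 = [("00-00-5e-00-53-02", "12:07:10"), ("00:00:5e:00:53:03", "12:07:30"),
             ("00:00:5e:00:53:04", "12:07:44")]

if __name__ == "__main__":
    today = secrets.token_bytes(32)      # shared by all sensors, memory only
    tomorrow = secrets.token_bytes(32)   # after rotation the old key is gone
    print(aggregate_and_erase(minute_report(FRAMES_C1, today),
                              minute_report(FRAMES_C2, today)))
    # The same devices under the next day's key no longer link to today's IDs.
    print(len(minute_report(FRAMES_C1, today) & minute_report(FRAMES_C1, tomorrow)))
```

With a 32-bit identifier, each value corresponds on average to 2^16 of the 2^48 possible MAC addresses, which is why the shortened hash alone does not single out one device; the daily key rotation is what prevents linking identifiers across days.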

2. Radar

In the OMD project the Radar in the combined Wi-Fi / Bluetooth / Radar sensors is used to determine the density of pedestrians and cyclists on specific locations on campus. The radar detects moving objects (without identifying who is who) and distinguishes between pedestrians, cyclists and cars e.g. based on their speed. 

A smartphone application is provided to volunteers with the aim of collecting (subjective) information about the situation on campus. Users of the app are asked to send a notification if a location appears crowded to them, together with the perceived reason for the overcrowding. The location of the smartphone and the timestamp are automatically sent with the notification. This means that location information is only collected for the specific moments in time at which the smartphone user takes this action.

Use of the app and the notification is voluntary. Before a person is able to use the app, they are required to accept the service agreement (informed consent) and are explicitly asked whether they agree that their location information may be shared with the DCTUD as part of the assessment.

The notification, location and timestamp are directly transmitted to the mainframe and securely stored. As these notifications are very important for the operation as well as policy evaluations of the longer term, this particular information will not be deleted from the mainframe.

How does OMD handle your data?

Data collected are transmitted from sensor to our data storage facilities through https. Only anonymized data are stored in our databases. Potentially identifiable data like a MAC address are hashed with a non-stored and often changing hash key. This means that, even with access to the data, it is impossible to reconstruct multi-day movement patterns and identify persons that way.

Access to our data API is strictly monitored and only possible with a 256-bit key provided by us. In the event of unexpected activity all keys are invalidated and changed immediately.

What data is retained by the OMD for what time period and why?

Any personal data collected and processed in this project will be deleted or anonymised once it is no longer needed for its purpose.

This table complements the specific retention times for the data used in the Project.

| Project area | Type of data | Retention period |
|--------------|--------------|------------------|
| Outdoor Mobility Dashboard | Raw data | Immediately erased |
| | Anonymised identifiers derived from hashed MAC addresses | Stored indefinitely |
| | Movement data and people counts from stereo cameras | Images are not stored, coordinates are transmitted and stored in our databases |
| | Radar detections (pedestrian and cyclist counts) | Counts are transmitted and stored in our databases |


Aggregate statistics, such as average speed, density, flow, travel time and route pertaining to the mobility movement dynamics on the TU Delft campus are stored indefinitely for management and research purposes. Please bear in mind that no personal data is involved. The one exception to this rule is the crowdedness assessment from individuals that voluntarily send this data via a smartphone application. OMD stores the location from where the assessment was sent indefinitely for management and research purposes.

Keeping the privacy statement up to date

This Privacy Statement is regularly checked to reflect any changes in the project. The date at the top of the page is the date on which this statement was last reviewed and updated. 

Contact information

If your questions are not yet fully answered after reading this page, please contact Sascha Hoogendoorn-Lanser (director of the Mobility Innovation Centre Delft) the OMD team via s.hoogendoorn-lanser@tudelft.nl.

For relevant privacy questions you can also contact our Data Protection Officer, Erik van Leeuwen via privacy-tud@tudelft.nl.