Collected User Data

The Kiosk Client collects personal user information. Pressing I Agree in the GDPR page represents the agreement by the guest for Kiosk Client to process personal data.

  • From scanned identity documents: first name, last name, document number, document expiry date, person photo
    • Purpose: The Kiosk Client application collects this data for identity confirmation by comparing with a person's photo taken by the Kiosk Client camera and hotel reservation records.
    • Retention duration:
      • Depending on the external integrations and enabled features, face data may be stored for at most 1 day or not at all. (Example: with External Validation and the Early Arrival feature both enabled, face data is stored for at most 1 day.)
      • Integrated PMS - Some property management systems need to be updated with the guest data scanned from the document such as street address and guest name. Retention of data sent to the PMS will follow the PMS retention settings.
      • Scanned data is logged in log files. Retention follows the log file management.
  • From camera: person photo
    • Purpose: The Kiosk Client application collects this data for identity confirmation by comparing with scanned identity documents.
    • Retention duration: Photo data is used with scanned image and follows the same retention as scanned image data.
  • From credit card reader: credit card number
    • Purpose: Informative. The Kiosk only receives the credit card type and the last 4 digits of the CC#.
    • Retention duration: The partial CC# is stored in the database no longer than 1 day; however, the partial CC# is logged in log files.
  • Health declaration data
    • Purpose: Collect one (for the main guest) or many (one for each additional sharer) health declaration page(s), containing the answer(s) to the health questions, along with some other reservation-specific info (reservation number, room number, guest full name, ...)
    • Retention: The health declaration document is retained as part of the Kiosk Admin reporting data.
  • Signature data
    • Purpose: Collect the image of the signature which is the user's agreement with the application's terms and conditions.
    • Retention: The signature can be configured to be added to a registration card in PDF format that shows the agreement to the terms on the registration card. The signature image and the registration card are retained as part of the Kiosk Admin reporting data.
  • External Validation
    • Purpose: Collect specific information to be sent to a local government tourism agency. Collected data includes scanned data, camera image, reservation data and possibly additional guest declaration information regarding the guest's purpose of stay.
    • Retention: Data collected for external validation is retained in the Kiosk system for at most 1 day.

Note

Some of the information enumerated above (first name, last name and identity document information) is usually stored in other systems such as the PMS.

Summary of Guest Data Usage

  • Which apps or services are using guest data
  • What guest data is used
  • Where and how is the guest data used
  • Preventive actions needed to prevent disclosure of guest data

Note

Notably, PII exposure can be mitigated by turning on LUKS disk encryption. This is a documented recommendation for Ubuntu servers (UIP and Adapter Hub).

App/service exposing PII: Kiosk Client app
Machine: Kiosk Client
Exposed PII: PII may be exposed in scandata folder:
  • ZIP file names
    • Reservation number, room number
  • Inside ZIP files
    • Image of scanned document (as PNG files)
      • Any PII data typically included on a government issued ID. This includes, but is not limited to, the following:
        • Name
        • Document number
        • Nationality
        • Gender
        • Address
        • Date of Birth
        • Images
  IMPORTANT: Storing of scanned data to a user defined shared path is an optional feature that is off by default. It is the responsibility of the hotel to manage and secure the data copied to the selected folder if this feature is chosen to be used.
Where is the PII exposed: Scan Data folder
Preventive actions to prevent PII disclosure:
  • Secure access to entire Kiosk Client machine file system.
    • Allow access to C:\ProgramData folder only to users with admin privilege
    • Never share this folder or the C: drive across network
  • Periodically review the temporary storage location on each Kiosk Client machine for un-copied/un-removed scanned data and review the security and retention length for the permanent storage location.

App/service exposing PII: Kiosk Server
Machine: Adapter Hub
Exposed PII:
  • Guest names
  • ID Document number
Where is the PII exposed: Log files
Preventive actions to prevent PII disclosure:
  • Secure access to entire Adapter Hub machine file system.
    • Use HDD level encryption
  • Secure access to Adapter Hub machine command line and SSH sessions
    • Ubuntu does this by default
  • Clean up log files periodically

App/service exposing PII: Kiosk Admin
Machine: Adapter Hub
Exposed PII:
  • Guest names
  • Reservation number
  • Room number
Where is the PII exposed: Reports
  • Kiosk usage reports
  • View signature in pop-up
  • Download PDF of Registration card (reservation details)
  • Download Health Declaration form (Questions on the form are determined by the hotel)
Preventive actions to prevent PII disclosure:
  • Secure access to entire Adapter Hub machine file system.
    • Use HDD level encryption
  • Guest names may be anonymized on demand in reports

App/service exposing PII: Mongo DB
Machine: Adapter Hub
Exposed PII:
  • Guest names
  • ID Document number
  • Gender
  • Street address
  • Email address, phone numbers
  • Occupation
  • Reservation data (Other than guest profile data)
    • Reservation number
    • Room number
    • CI/CO date
  • Masked CC number (e.g. XXXX-XXXX-XXXX-1234)
  • Registration Card (reservation details)
  • Signature
  • Health Declaration form
Where is the PII exposed: Mongo DB used by Kiosk Services
Preventive actions to prevent PII disclosure:
  • Secure access to entire Adapter Hub machine file system.
    • Use HDD level encryption
  • Restrict access to Mongo DB only to internal Docker network services

App/service exposing PII: PMS adapters:
  • Opera
  • Infor
Machine:
  • UIP for adapters deployed as internal
  • Adapter Hub for adapters deployed as external
Exposed PII:
  • Guest names
  • ID Document number
  • Gender
  • Street address
  • Email address, phone numbers
  • Reservation data (Other than guest profile data)
    • Reservation number
    • Room number
    • CI/CO date
  • CC number last 4 digits
Where is the PII exposed: Adapter log files
Preventive actions to prevent PII disclosure:
  • Secure access to entire Adapter Hub machine file system.
    • Use HDD level encryption
  • Secure access to Adapter Hub / UIP machine command line and SSH sessions
    • Ubuntu does this by default
  • Clean up log files periodically

App/service exposing PII: Face match adapters:
  • Neoface
  • SFA
Machine:
  • UIP for adapters deployed as internal
  • Adapter Hub for adapters deployed as external
Exposed PII: Partial (first 128 bytes) base-64 images of the scanned document image and the guest photo taken at the Kiosk.
Where is the PII exposed: Adapter log files
Preventive actions to prevent PII disclosure:
  • Secure access to entire Adapter Hub machine file system.
    • Use HDD level encryption
  • Secure access to Adapter Hub / UIP machine command line and SSH sessions
    • Ubuntu does this by default
  • Clean up log files periodically

App/service exposing PII: MIWA Adapter
Machine:
  • UIP for adapters deployed as internal
  • Adapter Hub for adapters deployed as external
Exposed PII: If debug logging is enabled:
  • Room number
  • CI / CO times
Where is the PII exposed: Adapter log files
Preventive actions to prevent PII disclosure:
  • Secure access to entire Adapter Hub machine file system.
    • Use HDD level encryption
  • Secure access to Adapter Hub / UIP machine command line and SSH sessions
    • Ubuntu does this by default
  • Clean up log files periodically

App/service exposing PII: Email Sender adapter
Machine:
  • UIP for adapters deployed as internal
  • Adapter Hub for adapters deployed as external
Exposed PII:
  • Email addresses
  • Email Message body may potentially transport other PII such as data from folio details:
    • Guest name
    • Reservation number
    • Masked CC number
Where is the PII exposed: Adapter log files
Preventive actions to prevent PII disclosure:
  • Secure access to entire Adapter Hub machine file system.
    • Use HDD level encryption
  • Secure access to Adapter Hub / UIP machine command line and SSH sessions
    • Ubuntu does this by default
  • Clean up log files periodically

App/service exposing PII: EVA adapter
Machine:
  • UIP for adapters deployed as internal
  • Adapter Hub for adapters deployed as external
Exposed PII:
  • Guest names
  • ID Document number
  • Gender
  • Street address
  • Reservation data (Other than guest profile data)
    • Reservation number
    • CI/CO date
  • Partial (first 128 bytes) base-64 images of the scanned document image, extracted photo from the scanned document image and the guest photo taken at the Kiosk.
Where is the PII exposed: Adapter log files
Preventive actions to prevent PII disclosure:
  • Secure access to entire Adapter Hub machine file system.
    • Use HDD level encryption
  • Secure access to Adapter Hub / UIP machine command line and SSH sessions
    • Ubuntu does this by default
  • Clean up log files periodically

App/service exposing PII: UIP
Machine: UIP
Exposed PII: UIP captures and records all values sent to and from adapters used by Smart Check-In. The same PII listed by the adapters used by a site applies to UIP.
Where is the PII exposed:
  • Workflow History
  • Administration > Logging Events
  • Administration > Logging Packages
Preventive actions to prevent PII disclosure:
  • Restrict access to UIP only to authenticated users
    • UIP already does this
  • Secure access to entire UIP machine file system.
    • Use HDD level encryption

    Details

    This section describes how an application or service is using and storing guest data.

    Kiosk Client Machine

    Kiosk Client runs on a Windows machine.

    Application: Kiosk Client app
    Log files:
      Location:
      • C:\ProgramData\NEC\kiosk\logs
      PII:
      • None (All data present in the log files is anonymized)
    Other places that may expose PII:
      If save scanned data feature is enabled:
      • Default Location: C:\ProgramData\NEC\kiosk\scandata
      PII:
      • Image of scanned document (as PNG files)
      • Any PII data typically included on a government issued ID. This includes, but is not limited to, the following:
        • Name
        • Document number
        • Nationality
        • Gender
        • Address
        • Date of Birth
        • Images
      IMPORTANT: Storing of scanned data to a user defined shared path is an optional feature that is off by default. It is the responsibility of the hotel to manage and secure the data copied to the selected folder if this feature is chosen to be used.

    Application: NEC Assure ID wrapper service
    Log files:
      Location:
      • C:\ProgramData\NEC\kiosk\logs
      PII:
      • None (All scanned document data present in the log files is anonymized)
    Other places that may expose PII: None

    Application: Adapter helper services (Serial2Tcp / TcpProxy)
    Log files:
      Location:
      • C:\Program Files (x86)\Serial2TcpService\logs
      • C:\Program Files (x86)\TcpProxy\logs
      PII:
      • None
    Other places that may expose PII: None

    Application: Assure ID scanner platform
    Log files: No logs
    Other places that may expose PII: None

    Kiosk Services on Adapter Hub Server

    Kiosk Services include Kiosk Server, Kiosk Admin and Mongo DB. All are running as Docker Services on the Adapter Hub machine.

    Docker service log files for Kiosk Admin, Server and Mongo:

    • Can be viewed via the docker service logs command from the Ubuntu OS shell
    • Physical location is in a subfolder of /var/lib/docker/containers
      • The actual subfolder name depends on the container ID, which is different across different instances
      • The log file path can be discovered with the docker container inspect command, given the container ID
    Application: Kiosk Server
    Docker container log files:
      Service name:
      • hubsvc_KioskServices_neckioskserver
      PII:
      • Guest names
      • ID Document number
    Docker volumes: None identified
    Other places that may expose PII: None identified

    Application: Kiosk Admin
    Docker container log files:
      Service name:
      • hubsvc_KioskServices_neckioskadmin
      PII:
      • None in logs
    Docker volumes: None identified
    Other places that may expose PII: Kiosk Admin reports
      PII:
      • Reports
        • Kiosk usage reports
        • View signature in pop-up
        • Download PDF of Registration card containing guest reservation details
        • Download Health Declaration form (Questions on the form are determined by the hotel)
      • Guest names (May be anonymized on demand)
      • Reservation number
      • Room number

    Application: Mongo DB
    Docker container log files:
      Service name:
      • hubsvc_KioskServices_neckioskmongo
      PII:
      • None in logs
    Docker volumes:
      Mongo DB data volume:
      • hubsvc_KioskServices_db-mongodb
      • Physical location: /var/lib/docker/volumes/hubsvc_KioskServices_db-mongodb/_data
      • Information is organized in a structure which is specific to a Mongo DB server.
      • It is hard to identify where the PII is, unless the person looking into that folder has a very good knowledge of Mongo DB data files.
      • One can look into Mongo DB by attaching to the Mongo container and running specific Mongo shell commands
      PII:
      • Guest names
      • ID Document number
      • Date of birth
      • Gender
      • Street address
      • Email address, phone numbers
      • Reservation data (Other than guest profile data)
        • Reservation number
        • Room number
        • CI/CO date
      • Masked CC number (e.g. XXXX-XXXX-XXXX-1234)
      • Registration Card
      • Signature
      • Health Declaration form
    Other places that may expose PII: None identified

    Note

    PII exposure can be mitigated by turning on LUKS disk encryption. This is a documented recommendation for Ubuntu servers (UIP and Adapter Hub).

    Workflow Adapters

    There are three possibilities to run a workflow adapter:

    • Internal: as a Docker Service on the UIP machine. Its log files can be found on the UIP machine (Ubuntu), as explained in the table above
    • External: as a Docker Service on the Adapter Hub machine

    For both Internal and External adapters, the log files:

    • Can be viewed via the docker service logs command from the Ubuntu OS shell
    • Physical location is in a subfolder of /var/lib/docker/containers
      • The actual subfolder name depends on the container ID, which is different across different instances
      • The log file path can be learned with the docker container inspect command, given the container ID

    The Docker service names are not fixed, unlike those of the Kiosk services, but can be learned quickly by running the docker service ls command and looking at the image names.
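
The log-location steps above, which also apply to the Kiosk Services described earlier, as an added shell example (not part of the product or its documentation): it lists the services, finds each service's containers on the local node, and reports the path and size of every log file. It assumes Docker swarm services; the function names, the `audit` argument and the script file name are this example's own.

```sh
#!/bin/sh
# Added example (not vendor code): locate the Docker log files described above.
# Run on the Adapter Hub or UIP host as a user allowed to talk to Docker.

# "<service name> <image>" per service; adapter services are recognised
# by image name because their service names are not fixed.
list_services() (
    docker service ls --format '{{.Name}} {{.Image}}'
)

# IDs of the containers on this node that belong to service $1
# (swarm labels each task container with its service name).
service_containers() (
    docker ps -a --filter "label=com.docker.swarm.service.name=$1" --format '{{.ID}}'
)

# "<container id> <log path>" for each container of service $1.
# LogPath may be empty, depending on the logging driver in use.
service_log_paths() (
    for cid in $(service_containers "$1"); do
        path=$(docker container inspect --format '{{.LogPath}}' "$cid")
        printf '%s %s\n' "$cid" "${path:-<none>}"
    done
)

# "<service> <container id> <log path> <size in bytes>" for each log file
# that exists, so logs that were never cleaned up stand out.
audit_service_logs() (
    service_log_paths "$1" | while read -r cid path; do
        [ -f "$path" ] || continue
        size=$(wc -c < "$path" | tr -d ' ')
        printf '%s %s %s %s\n' "$1" "$cid" "$path" "$size"
    done
)

# Usage (hypothetical file name): sh audit_logs.sh audit
if [ "${1:-}" = "audit" ]; then
    list_services | while read -r name image; do
        audit_service_logs "$name"
    done
fi
```

Containers of a service that run on another swarm node are not visible to `docker ps` here; run the script on each host.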

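    WF Adapter:
    • Opera PMS
    • Infor HMS
    Docker container log files:
      PII:
      • Guest names
      • ID Document number
      • Gender
      • Street address
      • Email address, phone numbers
      • Reservation data (Other than guest profile data)
        • Reservation number
        • Room number
        • CI/CO date
      • CC number last 4 digits
    Other places that may expose PII: None

    WF Adapter:
    • Neoface Watch
    • SFA
    Docker container log files:
      PII:
      • Partial (first 128 bytes) base-64 images of scanned image of document and guest photo taken at the Kiosk.
    Other places that may expose PII: None identified

    WF Adapter: Assa Abloy
    Docker container log files:
      PII: None
    Other places that may expose PII: None identified

    WF Adapter: MIWA
    Docker container log files:
      PII: If debug logging is enabled:
      • Room number
      • CI / CO times
    Other places that may expose PII: None identified

    WF Adapter: Email Sender
    Docker container log files:
      PII:
      • Email addresses
      • Email Message body may potentially transport other PII such as data from folio details:
        • Guest name
        • Reservation number
        • Masked CC number
    Other places that may expose PII: None identified

    WF Adapter: Microsoft Teams
    Docker container log files:
      PII:
      • Reservation number
    Other places that may expose PII: None identified

    WF Adapter: QR Code
    Docker container log files:
      PII: None
    Other places that may expose PII: None identified

    WF Adapter: EVA (STB)
    Docker container log files:
      PII:
      • Guest names
      • ID Document number
      • Gender
      • Street address
      • Reservation data (Other than guest profile data)
        • Reservation number
        • CI/CO date
      • Partial (first 128 bytes) base-64 images of scanned document image and guest photo taken at the Kiosk.
    Other places that may expose PII: None identified

    WF Adapter: CRT-571
    Docker container log files:
      PII: None
    Other places that may expose PII: None identified

    WF Adapter: CRT
    Docker container log files:
      PII: None
    Other places that may expose PII: None identified

    WF Adapter: Sankyo
    Docker container log files:
      PII: None
    Other places that may expose PII: None identified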
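
As an aid to the periodic log review and clean-up this page recommends, the following added example (not vendor code) counts the lines of a log file that match PII shapes listed for the adapters above: e-mail addresses, masked card numbers in the XXXX-XXXX-XXXX-1234 form, and base-64 image fragments. The regular expressions, the function names and the assumption that images are PNG or JPEG are this example's own, and the sample log lines are constructed.

```sh
#!/bin/sh
# Added example (not vendor code): count log lines holding the kinds of PII
# this page lists for adapter logs. The patterns are this example's assumptions.

# Print the extended regular expression for PII class $1.
pii_regex() (
    case "$1" in
        # E-mail address (Email Sender adapter).
        email)     printf '%s\n' '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' ;;
        # Masked card number in the XXXX-XXXX-XXXX-1234 form.
        masked_cc) printf '%s\n' '(X{4}[- ]?){3}[0-9]{4}' ;;
        # Leading bytes of a base-64 PNG or JPEG (assumed image formats).
        b64_image) printf '%s\n' '(iVBORw0KGgo|/9j/)[A-Za-z0-9+/]{20,}' ;;
        *)         exit 2 ;;
    esac
)

# Print the number of lines in file $2 that match PII class $1.
count_pii() (
    re=$(pii_regex "$1") || exit 2
    grep -E -c -- "$re" "$2" || true
)

# Print "<class> <count>" per class; exit status 1 if any PII was found,
# 2 if the file cannot be read.
scan_log() (
    [ -r "$1" ] || exit 2
    found=0
    for class in email masked_cc b64_image; do
        n=$(count_pii "$class" "$1")
        echo "$class $n"
        [ "$n" -eq 0 ] || found=1
    done
    [ "$found" -eq 0 ]
)

# Write constructed sample log lines (not real guest data) to file $1.
write_sample_log() (
    cat > "$1" <<'EOF'
2024-01-01T10:00:00Z DEBUG email-sender to=guest@example.com subject=Folio
2024-01-01T10:00:01Z DEBUG pms-adapter card=XXXX-XXXX-XXXX-1234
2024-01-01T10:00:02Z DEBUG facematch doc=iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ
2024-01-01T10:00:03Z INFO miwa key issued
EOF
)
```

Names, document numbers and bare last-4 card digits have no fixed shape, so a zero count from `scan_log` does not show that a log is free of PII.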

    UIP

    UIP captures and records all values sent to and from adapters used by Smart Check-In. The same PII listed by the adapters used by Smart Check-In applies to UIP.

    UIP > Workflow History

    Workflow History retains all data passed to / returned by triggers, workflows and adapters. If PII information is part of this data, then it is visible in Workflow History.

    We need to assume that virtually any PII data exchanged by Kiosk with various adapters via UIP may be visible in WF History at any moment. This requires login access to the UIP Administrator application.

    Tip

    Use the Purge History Data button at the bottom of the Workflow History page to permanently delete all the existing workflow history data.

    UIP > Administration > Logging Events

    If an Adapter or Kiosk Service logs PII information, then this info is visible in UIP under Administration > Logging events for that particular Kiosk Service or adapter.

    PII data is only logged if Debug (All) is turned on for the adapter.

    UIP > Administration > Logging Packages

    If an Adapter or Kiosk Service logs PII information, then this info can be exported in a log package via Administration > Logging Packages.

    Tip

    Logging packages can be deleted from UIP after they are created from the Logging Packages page.