The vocabulary developed in the Fundamentals is independent of any technique or even ability to measure. Naturally, for these to be useful in an analytical context, some form of measurement is required. However, because the nature of Occupancy is fundamentally about human behaviour, it is intrinsically very difficult to measure directly at any significant scale.
Utilization, Occupancy, Demand and all of our other fundamentals simply do not magically appear in our databases in a clean, simple and timely fashion.
It is also not sufficient to simply take what is measurable and perform analytics on this. Ignoring that which cannot be measured but only observed is called ‘quantitative fallacy’ (Fischer, 1970). As Harvard graduate and psychology professor Daniel Yankelovich described this all too common behaviour a couple of years later:
The first step is to measure whatever can be easily measured. This is OK as far as it goes. The second step is to disregard that which can’t be easily measured or to give it an arbitrary quantitative value. This is artificial and misleading. The third step is to presume that what can’t be measured easily really isn’t important. This is blindness. The fourth step is to say that what can’t be easily measured really doesn’t exist. This is suicide.
Daniel Yankelovich, “Corporate Priorities: A continuing study of the new demands on business.” (1972)
For example, it would be foolhardy to take, say, security badge or turnstile data simply because you have it, and then attempt to undertake occupancy analytics on this data ignorant of its limitations.
Instead, it is necessary to begin with what is important. This will be dependent on the nature of the decisions which need to be made and therefore the evidence and underlying analytics that are required. Measure what can be measured (directly or indirectly) in support of this important data, and then perform analysis of the measured data in the context of both its intrinsic limitations, and any unmeasurable but important factors.
The next section deals with error detection and correction – how we can establish how reliable a measurement is and what we can do to improve it. However, the first step is to establish what can be measured that is aligned to what is important.
Expanding the measurable domain
The measurable domain – the set of all measures available for an analysis – is not fixed. It can be extended in two ways, which are complementary to one another:
- Add new measurement methods – for example instrument an office with passive infrared sensors; and
- Identify reasonable proxies – for example there is some evidence for a correlation between wellbeing and productivity. Wellbeing can be measured using well established survey techniques, so these wellbeing measurements could be a reasonable proxy for productivity.
Once what is important has been established, the required measurement methods or proxies can be identified and reviewed to see if it is practical to incorporate them into the analysis
Measurement and proxies
In practice, very few of the Occupancy measurements can be directly and continuously measured.
For example, to measure Trace Occupancy consistently would require each Space to be continuously observed. Even if each Space was continuously observed, it is likely that the act of direct observation would influence the Occupancy (known as the ‘observer effect’) – placing an observer with a clipboard recording how someone occupies their desk and what activities they perform whilst at the desk, or watching someone sat in a stadium watching their favourite sport, is likely to influence the choices that individual makes, as well as being rather irritating!
Even when direct measurements are possible, it may not be possible for them to be continuous. For example, direct observation of Space Occupancy in offices normally samples the Trace Occupancy periodically – perhaps once each hour. Such samples are silent on activity during the period between direct observations.
New technologies have been put forward to try to “solve” this problem. For example passive infrared sensors fitted under a desk can, in theory continuously monitor the presence at that desk. However, in practice these devices have other shortcomings: unlike an observer, they can’t determine who is using the desk, how many people are present, or what they are doing. They typically also have systemic issues that must be understood and compensated for, and most software built on these also use a sampling technique, which, whilst the samples may be more frequent than an observer (perhaps 10 minute intervals rather than 30 minutes or 60 minutes) they are still rather vague on what is happening within each sample period.
To bridge this gap, proxy measures are sought. A proxy measure is something that correlates with the measure that is required yet is much easier to obtain.For example, it is very difficult to directly measure wind speed, and do a “cup anemometer” measures the rotational speed and applies an “anemometer factor” to estimate the actual wind speed.
An example of a proxy would be physical access control system data: if a person needs to use their own, personal security card to badge in to and out of a location, then the badge data is a candidate proxy for the user’s presence at that location.
This matrix below shows which proxies support which measurements in an office context. Different space types would have different proxies for these measurements. The proxies are then discussed in more detail below. It is also very important to realize that for any given measurement not all supporting proxies provide the same information.
Measurement | CAFM |
Reservation Management System |
Access Control System |
Direct Observation |
Presence Sensors |
Trilateration / Indoor Positioning |
3D Cameras |
Virtual Gates |
|
---|---|---|---|---|---|---|---|---|---|
Assigned Occupancy | ✓ | ✓ | |||||||
Trace Occupancy(1) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
Physical Occupancy | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
Capacity | ✓ | ✓ | ✓ | ||||||
Resource Count | ✓ | ✓ | ✓ | ||||||
Space Demand | ✓ | ✓ | ✓ | ✓ | |||||
Area | ✓ | ✓(2) |
The measurements listed above are often used in combination to derive other commons measurements. For example:
- Density is defined as the ratio of Assigned Occupancy to Capacity, and so both of these measurements would need to be obtained (from appropriate proxies) in order to establish Density. In this case it can be seen that both CAFM and Reservation Management Systems can provide information about both of these underlying measurements, and indeed it is typical to report on density from one of these systems (most commonly CAFM).
- Apparent Utilization of Capacity (which is commonly what people are talking about when they just use the term Utilization) is the ratio of Trace Occupancy to Capacity. Unlike Density, these two underlying measurements – Trace Occupancy and Capacity – are typically not available from the same system, and so data must be harvested and combined. Reservation Management Systems do contain information about both, but the ways in which Trace Occupancy is estimated from such systems can be unreliable, particularly for headquarters or hub offices.
Office proxy types
The following sections describe the most common proxies that are used to obtain data to help measure occupancy in offices.
CAFM – Computer Aided Facilities Management
Space management modules of CAFM systems are used to store and maintain floor plans, use polylines to identify, classify and measure areas, and record the allocation and assignment of desks and neighbourhoods to individuals and teams. See Allocated Occupancy and Assigned Occupancy.
This information is maintained using a combination of day-to-day facility management tracking, change reporting (e.g. when a project takes place) and periodic audits.
Reservation Management System
These systems allow users to reserve specific spaces for their use. Modern reservation systems contain a range of capabilities that support their use in occupancy analytics, including:
- Reservations of both workstations/desks and meeting rooms;
- Tracking permanent workstation assignments, not just hoteling or hot desking
- The ability to make ‘just-in-time’ or walk-up reservations as well as reservations in advance
- Check-in – much like an airline check-in, if this isn’t done, the reservation is released, and the space made available for others to use
- End-early – allows users of a space with a reservation to end the reservation before the planned time if they find they no longer need the space, and thus release it for others to use
- Presentation of floor plans and wayfinding capabilities to places and people
The capabilities are often “operationalized” – meaning that other workplace features that the occupants depend upon are linked to the effective use of the reservation management system: for example, wayfinding, or hoteling, or using badge swipes to automate check-in. This means that the information is often more real-time than CAFM data and typically higher quality.
Access Control System
Physical Access Control Systems use a range of technologies to identify and individual and – if appropriate – grant them physical access to buildings or zones within a building. Because they are relied upon for this operational purpose, the data they produce is often of a relatively high quality. They are also very widely deployed, and their data is typically very easy to access and available historically (at least for some months).
IP Device Discovery – IPDD
Internet Protocol Device Discovery (IPDD) is a method for identifying where devices connect to a network. It can be used to track laptops, mobile phones, tablets and other devices using the wired or wireless networks.
Connections to the wired network show the presence of a device that can be linked to a person (e.g. a laptop) at a specific plan (because each desk has its own network ‘port’). IPDD can provide continuous(3) and very precise location information in this case (i.e. desk level positioning).
IPDD can also be used with wireless connections. Again the data is continuous, but in this case the position is less certain – IPDD can determine which access point a device is connected to, but this only localizes the locations to a few tens of metres in most cases, and may not always give correct information about which floor the device is on. Trilateration techniques discussed below can be used to improve the positioning aspects of Wi-Fi data.
Direct Observation
Still known as “clipboard surveys” from the historical practice of having people walking around with clipboards marking a sheet of paper with occupancy observations, this method involves people making periodic direct observations and recording their results (these days usually on a tablet).
These surveys are often repeated multiple times each day (perhaps as often as hourly) and for several days (typically anything from one to three weeks). The result is a set of discrete direct observations of the space occupancy.
Direct observation is also used during “surveys” or “audits” of the space itself. It is an effective and often used technique to verify and validate measurements taken from other sources – for example a CAFM or Reservation Management systems.
Presence Sensors
Presence sensors can provide useful information about physical presence. They are specifically designed to directly measure physical presence, and do so using a range of sensor technologies, including amongst many others:
- Passive Infrared (PIR);
- Pressure (often used in seats); and
- CO2 (detecting changes in the air when people breathe it).
Trilateration / Indoor Positioning
Indoor positioning is typically based on trilateration: establishing the location of something based on its distance from three or more known points. The known points are physical devices within the space that can send and/or receive signals, and the distance of the point from these devices is estimated by measuring the signal strength: the lower the signal strength, the farther away from the device the point is.
The most common signal types to use are:
- Wi-Fi – this has the advantage of being a pre-existing infrastructure in most locations, and it can be used to position any Wi-Fi device – laptops, phones, tablets – even if they do not actually connect to the network. However, the density of Wi-Fi access points may not be sufficient for indoor positioning unless this was part of the design;
- BLE – Bluetooth Low Energy is typically used to locate smart phones or tablets as they use this technology extensively. Its low power is attractive, and – like Wi-Fi – the transmitter and receiver technology is built in to laptops, phones and tablets. However, infrastructure for BLE sensing or transmitting is not usually present and so the facility would typically need to be instrumented; or
- RFID – Radio-Frequency Identification is the technology used for most asset tagging and Near Field Communications (NFC). It is extremely low power and very small – RFID chips can run for years and be triggered by being passed into a reader’s detection field (as happens for example with contactless card payments). However, RFID is very short range and overcoming this requires either large volumes of sensors or very expensive longer-range sensors, neither of which is practical at scale at the time of writing.
3D Cameras
This technology has been in use for some years in public spaces, especially airports and shopping centres. There are several variations available, but all use devices containing two or more cameras mounted in such a way as to provide a stereoscopic set of images.
Digital Image Processing technology is then used to analyse these, and using some combination of object recognition, scene cues, depth analysis and facial recognition they can provide information including people counting, queue length, wait time, and indoor positioning.
Virtual Gates
These are electronic devices that detect passage from one side of the ‘gate’ to the other. They are typically situated in doorways, corridors, or openings in walls and can count (and in some cases identify) people passing through the ‘gate’. Various technologies are used for detecting the motion, including BLE, RFID, optical beam and cameras.
These virtual gates vary greatly in their accuracy as each approach has its own limitations. These systems often suffer from difficulties identifying each individual person, and sometimes the direction of travel through the gate (especially when the gate is wide enough for multiple people to pass through simultaneously).
Suitability of proxies
The proxies described above can be used to help determine office occupancy measurements. However, for each occupancy measurement, not every proxy provides the same quality or depth of data. The following sections describe how each of the proxies can contribute to the occupancy measurements.
Assigned Occupancy
Candidate proxy | Considerations for use |
CAFM | Whilst these systems are often the ‘system of record’ for assignment – and typically drive cost allocation – they often contain stale information. This is because it is often difficult to track local changes as they happen – people moving themselves or new arrivals being given a ‘free’ desk without involving the facilities team. This is often verified and corrected annually. |
Reservation Management System | This operational nature of these systems means that the information is often more real-time than CAFM data and typically significantly higher quality. However, it is important to recognize that this improvement of data quality is contingent on a greater engagement of the user in the space-use process. If the user is booking their own space, engaged actively in the process of check-in and/or may have someone else sit in a desk they have recently used if they don’t reserve it, then the data quality can be expected to be higher. On the other hand, if the reservation management system is used only for Assigned (i.e. long-term or permanent assignment of a desk to a person), and if the check-in and/or end-early functionality is automated without user engagement (e.g. by using badge-in/badge-out data), then this is unlikely to yield data quality that is any better than that found in a CAFM system, because the reservation data is automated but not Operationalized. |
Trace Occupancy
Candidate proxy | Considerations for use |
Direct Observation | This is a natural method for measuring Trace Occupancy as it is the most aligned to the definition, involving as it does a person looking at the space and making a judgement. However, measurements taken by direct observation have systematic issues discussed in the following section. |
Physical Occupancy + … | Due to the problems with direct observation, an alternative approach is to build upon the measurements of Physical Occupancy by making an adjustment – often on a heuristic basis – to obtain an estimate of Trace Occupancy. The adjustments applied can be based on policy – for example people can leave a desk for up to two hours without having to clear away their belongings to make it available for others to use. They can also be based on cross-referencing with other information – for example Access Control Data (to evidence presence in the vicinity) or Reservation Management (to evidence intent to be using a space). |
Physical Occupancy
Candidate proxy | Considerations for use |
Reservation Management System | Using the “check-in” and/or “end early” capabilities can provide a useful indication of whether someone is actually present for their reservation or not. However, reservation systems – particularly when applied to desks – are not very granular: the timing of a check-in or ‘end-early event may not coincide with the start or end of use – for example many reservation systems connect access control systems to check-in so that when someone badges-in to a building their reservation(s) are automatically checked-in. However, in reality many people do not go straight to their desk when they arrive (coffee, meetings etc.), and hardly any remain at their desk all day. In some applications of Physical Occupancy, these inaccuracies become important. |
Access Control System | These systems are typically not very granular: they do not give the location of a person within the zone. This makes them most suited to either facility-level analysis, or as a cross-reference to be used alongside other data sources. |
IPDD | IPDD uses a person’s laptop as a proxy for the person themselves. People will often leave their laptop in one location whilst moving around a space. However, there are techniques to detect this and knowing where the laptop is located is often useful, if the data is interpreted appropriately. |
Direct Observation | This method has the advantage of potentially also allowing some simple classification of activity to be noted, although is subject to the same systematic issues as all direct observation. |
Presence Sensors | These sensors rarely provide any identity information. This means that they can be used to estimate whether a space is being used or not, but are not helpful in understanding who is using the space. This makes them less suitable for studies that need to classify the occupants in any way – for example by team, role, or assignment/reservation. |
Trilateration / Indoor Positioning | Trilateration uses a signalling device – laptop, smart phone, tablet etc. – as a proxy for the person being positioned. As with IPDD, the device may not be with the person. If using Wi-Fi trilateration, it is commonplace for people to have more than one device that can be tracked, particularly as Wi-Fi trilateration often does not requires that the tracked device be connected to the network. This may be a laptop and smartphone, or personal smartphone and work smartphone. Mapping these devices back to a specific person and understanding what the data is telling you about that person’s behaviour is not trivial. |
3D Cameras | Like presence sensors, camera systems are typically anonymous. Cameras are also more useful in determining location in open areas like information collaboration spaces, as well as measuring dwell-time (i.e. how long someone stays in a particular space). |
Virtual Gates | Cameras / RFID / BLE Similar to ACS but more granular – can even be used to gate individual resources (e.g. a single meeting room or hotel room) and count people in and out. |
Capacity and Resource Count
Candidate proxy | Considerations for use |
CAFM | Counting desks (effectively Capacity) or spaces (Resource Count) and designed Capacity of meeting and collaboration space can often be done very effectively from floor plans and polylines contained and maintained within CAFM systems. However, as with Occupancy, CAFM systems can lag reality in being updated after changes to the workplace. Ideally, the change management and projects processes will systematize the process of updating CAFM and therefore Capacity and Resource Counting. Both of these can be established from plans, before the changes are actually made (although it is important to ensure any subsequent changes – e.g. during fitout – are correctly captured). Care should be taken with spaces that have variable Capacity, for example meeting rooms that support multiple layouts. CAFM systems will often record the default configuration in these cases, and frequently will not be updated if new furniture is procured enabling additional layout options or Capacity. |
Reservation Management System | Where the Capacity being counted is managed within a reservation management system, this will typically provide the most accurate and up to date information about Capacity. As with Occupancy, this is because reservations are operationalized – if the information they contain is incorrect, it is likely to have immediate consequences that will drive rapid correction. For example, a person might not be able to reserve a desk that they can see exists, or be able to reserve a desk that doesn’t exist anymore. As with CAFM, it is important to build into the change and project processes updates to the Reservation Management System. Reservation Management Systems also typically contain more accurate information about spaces that have alternate layouts. This is because part of the operational function of a Reservation Management System is to allow the required layout to be chosen at the time of booking, and this in turn requires that the system provides information about the capacities each of the various layouts offers, and this can be used to describe the range of Capacity supported. |
Direct Observation | Direct observation is a reliable method for measuring both Capacity and Resource Count at a point in time. In fact, updates that are made to CAFM or Reservation Management Systems may well occur due to observed changes – for example during a post refurbishment inspection. |
Space Demand
Candidate proxy | Considerations for use |
Reservation Management System | Uniquely amongst the proxies considered here, Reservation Management Systems provide a demand forecast – that it to say they contain information that describes the future demand for space. None of the other proxies considered capture the users’ intended use of space, whether that is meeting rooms, workstations or other reservable space or assets. It is also vital to understand that simply studying the reservations in a Reservation Management System at a point in time is not sufficient on its own. There are two other critical information assets associated with Reservation Management Systems that inform Demand: 1. The reservation lifecycle: that is to say when reservations are made, modified and cancelled. Understanding, for example, comparing how far in advance of the meeting taking place a cancellation usually happens to how far in advance meeting room reservations are made provides insight into the likelihood that a cancelled reservation will result in the released space actually being available to meeting a genuine demand. If cancellations almost always happen within 24 hours of the reservation, but reservations are always made at least 72 hours in advance, then it is clear that a cancelled reservation will not provide additional capacity to meet demand, because there is no demand for space within 24 hours. 2. The search process that users undertake to find a space provides more information about the demand than the resulting reservation they choose. Although there are several factors that influence a user’s choice of space and time for a reservation, one is Availability. By tracking what a user initially searches for, and recording the range of available spaces (if any) offered to the user, it is possible to begin to infer whether or not the availability of space is constraining its use, and therefore whether or not demand is being met. For example, if a user searches for a 6 person meeting room at 10am for 1 hour on the 22nd May, but there are no 6 person (or larger) spaces available at that time on that day, then there is unmet demand. This is particularly important, because if availability is causing meetings to be scheduled later than the user wants, it is possible that these delays are having an unintended (and potentially unnoticed) negative impact on productivity, as significant decisions are often made in meetings – delaying the meeting may be delaying the decision and thus slowing down the organization’s ability to execute. |
Access Control Systems | Can provide facility-level occupancy and this can be used to infer demand for certain space types based on established patterns of behaviour (perhaps from other similar locations with more detailed measurement data). |
Trilateration / Indoor Positioning | These techniques can provide relatively detailed information about individuals’ location and movement around a building. Whilst care must be taken due to the imprecision, they can nonetheless provide some of the most comprehensive information about the working patterns of space users, and from this some perspectives of demand can usually be inferred. |
3D Cameras | Similar to trilateration, but typically not as pervasive: technical limitations and cost of deployment usually result in 3D cameras only being used in certain locations. |
Virtual Gates | Similar to ACS but more granular – can even be used to gate zones that may detect people moving in and out of collaboration spaces looking for space. This is one method to help understand “unmet demand”, if intent can safely be inferred. |
Area
Candidate proxy | Considerations for use |
CAFM | CAFM systems are often the only sources of area information. Occasionally BIM models provided by architects can be used, but these are very commonly only provided for new builds or major refurbishments, and so quickly become out of date as smaller changes are made. Calculation of area in the CAFM system is very effective based on the floor plans and polylines contained and maintained within them. However, as with Occupancy, CAFM systems can lag reality in being updated after changes to the workplace. Ideally, the change management and projects processes will systematize the process of updating CAFM and therefore Capacity and Resource Counting. Both of these can be established from plans, before the changes are actually made (although it is important to ensure any subsequent changes – e.g. during fitout – are correctly captured). |
Reservation Management System | In some cases (particularly for enclosed meeting rooms), the Reservation Management System will hold space areas. However, care must be taken that (i) all of the areas of interest are included (Reservation Management Systems usually do not include space that cannot be reserved, and that can be a majority of space in a building when circulation, community spaces and unreservable meeting or work spaces are included), and (ii) the process for maintaining this area data is robust. |
Anonymization and pseudonymization
In many cases, it is not necessary to understand the specific identity of the subject of occupancy analysis. For example, when considering cafeteria demand, cleaning schedules, or conference centre usage, it is typically not important who it is that is creating the demand.
However, there are also many cases where it is critical to understand at least something about the individual occupant in order to undertake a useful analysis.
As already discussed in ‘other core dimensions‘, the most commonly occurring classifications for an individual are by organizational unit and by job role. It is therefore necessary to be able to classify any data based on these classifications, and to do so requires the event giving rise to the data to be linked to the classifications.
Single-source anonymization
As a general rule, it is not recommended to use single-source for occupancy analytics (see ‘error detection and correction‘ for more details about why this is a bad idea).
However, single-source anonymization is explained here primarily in order that it may be distinguished from pseudonymization.
For data to be anonymous, there must be no way to identify the specific individual to which it relates. That means that whatever key is used for each data point, that key must be impossible to relate back to the specific individual to which the data point relates.
Unfortunately, in workplaces the possible list of users is finite. Even a large global company will only have tens of thousands or a small number of hundreds of thousands of employees and contractors. That means that the use of a one-way hash algorithm – a technique for encoding a given item in a reproducible but irreversible way – is not sufficient to meet the requirement for anonymization. That is because, even though the hash cannot be reversed, it is possible to use a brute force attack to simply hash every possible user (employee or contractor) until the hash matching the data item in question is found.
Therefore, where data must be anonymous, the keys used must be unrelated to the identity of the user.
This prevents a serious problem: if the key used is entirely unlreated to the identity of the user, it is impossible to know that two distinct data points relate to the same user. This makes it impossible to use trilateration to track how someone uses a building (because it would be impossible to associate each location data point with the preceding and following locations).
To overcome this problem, some technologies use a system of daily refreshed randomly keyed one-way hashes. These system generate a new random key at the begining of each day, and use that key as an input to the hasing algorithm. That means – for that day only – the data points for a specific individual can be tied together as they will have the same hash. Providing that at the end of the day the random key that was used is permanently deleted, there is then no way to reproduce the exact same hashing algorithm, and therefore the brute force attack described above will fail.
The downside of this approach is that whilst data points can be related intra-day, they cannot be tracked from one day to the next. This means, in a Groundhog Day fashion, each day is a unique event, with no longer term (e.g. weekly, monthly or annual) patterns of behaviour discernable.
Independently of the method of anonymization that is used, it is posisble to do an in-process mapping of an individual to typical taxonomies like organizational unit or role and store these with the data point. This enables team or function level analysis to be performed, and anonymity is assured by making sure that the size of any set of users that can be created by intersecting the availability classifications exceeds a reasonable minimum (say 10 people). For example, if both organizational unit and function classifications were being made, and it turned out that there was only one “executive assistant” function in the “finance” organizational unit, then filtering the data points by “finance” and “executive assistant” would yield the data of a specific individual, and therefore no longer be anonymous.
Multiple-source pseudonymization
Of more interest is pseudonymization. As the name suggests, this is a form of identity obfuscation that is not genuinely anonymous.
The principle of pseudonymization is that it is accepted that identities can be discovered by anyone who has access to all of the available information. It therefore becomes more of an issue of management and authorization of who it is that has access to which elements of information.
Pseudonymization is typically implemented using one-way hashes as described above in single-source anonymization. The hash used is not randomly keyed and therefore does allow the tracking of the same individual over the course of a week, month, year or whatever. The hash is also one-way, so various stakeholders can be given access to the data including the hash and with that alone be unable to reverse engineer the actual identities from the data.
However, as described above, this approach is susceptible to the brute-force attack. In order to undertake a brute force attack, four pieces of information must be available to the attacker:
- The exact hashing algorithm being used;
- The unique identifier of the user that is the input to the hash;
- The full list of all the unique identifiers for all users in scope; and
- The mapping from the unique identier of a user to the user’s real life identity.
For example, a specific impolementation might use the following:
- The SHA-256 algorithm (SHA stands for Secure Hash Algorithm, and is designed by the United States National Security Agency using the Merkle-Damgard structure).
- Each user is identified by their employee number, a six digit numeric string.
- The full list of users is extrcated from the corporate HR system.
- The HR system extract also include the users full name, email address or other unique identificaiton required.
In practice, therefore, these four things should be treated carefully, and those knowing any one of them carefully controlled. In the example given, the specific hash algorithm should not be published and ideally not easily guessed – a hash algorithm that can be keyed by a random and secret key is best of all. The unique identifier used should not in itself give away the identify directly. An employee number or an Active Directory GUID (‘globally unique identifier’) are good candidates because without access the system to look them up they tell you little or nothing about the identity of the person.
Although in most practical implementations, the control of access to this information is restricted to a small project or operational team, it is also possible to ensure that no single individual has access to all the required elements necessary. This prevents, for example, a disgruntled employee using their knowledge and access to conduct a significant privacy breach.
Footnotes:
- Trace Occupancy can be inferred to some extent from Physical Occupancy. That is why the proxies (other than Observation) are shared with Physical Occupancy and are shown in grey.
- Reservation Management Systems often contain the area of meeting rooms, and this can be used for certain area calculations. However, maintaining the areas of other spaces in the Reservation Management System is less common, and in addition, informal collaboration spaces and social spaces are often not maintained at all in the Reservation Management System.
- Although IPDD can provide continuous data, in practice systems that capture this data use a sampling method. This usually involves reading temporarily cached connection tables from the network routers every few minutes.