Good to see a start!
Actually, reading the "table of contents" version of those guidelines, with minimal adaptation they make a not-too-bad set of guidelines for security monitoring too; general patterns can be monitored, but those who have access to data should be responsible for keeping it secure and no scope/mission creep, no tracking of named individuals without just cause, and so on.
As far as the comment in the article about commercial entities being involved and will they wish to exploit the data, of course they will, if they are doing it for nothing or subsidising it: if they have a contract at commercial rates, then couldn't contract terms possibly be used to stop that?