Who: Information Commissioner
Where: UK
When: 27 July 2014
Law stated as at: 7 August 2014
What happened:
The Information Commissioner’s Office (“ICO”) published a 50-page paper on 27 July entitled “Big data and data protection” (“Paper”).
The Paper gives an overview of the privacy issues which arise from using big data and suggests how to comply with the Data Protection Act 1998.
The ICO states that the Paper’s aim is to ensure that the different privacy risks of big data are considered alongside its benefits. It emphasises that the “benefits cannot simply be traded with privacy rights”.
The Paper invites comments by 12 September 2014 and has asked for feedback on three specific questions:
• whether the Paper reflects all the relevant issues;
• whether the ICO should produce further guidance documents and, if so, what they should cover; and
• whether any other practical measures and tools are needed to address the issues, in addition to those already contained in the Paper.
The Paper focusses in particular on the importance of transparency. It emphasises that where big data involves personal data then data protection laws still apply and should not be seen as a barrier to progress, but as a stimulus to “develop innovative approaches to informing and engaging with the public.”
The full Paper is here.
Conclusions in the Paper
Definitions – The ICO references the Gartner definition of “big data” although it emphasises that there is no fixed meaning. Big data is defined, the Paper says, by volume, variety and velocity (the three Vs).
Big data typically uses extensive amounts of data from a variety of sources and can be used to analyse data in real time. Sources of data include metadata from internet searches, payment transactions, social media postings and mobile phone location data. Issues can arise when combining data from different sources when data is sourced externally.
Fairness – This is a key data protection requirement. Organisations need to be transparent when they collect data and the “complexity of big data analytics is not an excuse for failing to obtain consent when required”. Individuals should be informed about the purposes, implications and benefits of processing their personal data in a big data context.
There is a danger, the Paper says, that algorithms may be used to perpetuate stereotyping or bias e.g. customers’ “like,” purchase and search history being used for targeted advertising.
Data quality can also be an issue. The Paper recognises the challenges in providing notice about use of data, and notes that the fact that people very often do not read privacy notices does not necessarily mean they are unconcerned about how their data will be used. Often individuals will not even know their data is being used, as big data uses observed, derived and inferred data rather than provided data.
Consent – The Paper references research which shows that users may want to give consent to different uses of data throughout the relationship (graduated consent) rather than being asked to consent at the beginning, and will often want to receive a benefit in return for their data. In addition, the benefits of big data should be explained, but consent does not mean people “trade all their privacy rights”.
Repurposing data – personal data is often collected for one purpose and then analysed for a completely different purpose. Individuals should be made aware of this intended use. If the new use is incompatible with the original purpose then consent may be needed to use the data.
Data minimisation and retention – big data often features using personal data in a way which may not be compatible with the data protection requirements to minimise data use and ensure use of data is not excessive. Big data is not an excuse to stockpile data or keep it for longer than needed.
Security – this is always a key requirement and a proper assessment of risk should be carried out. The collection and retention of large volumes of data (often in the cloud) could potentially, if “uncontrolled,” increase the risk of a security breach but big data can also be used to improve information security. The paper concludes that while there is a potential for increased risk, this can be mitigated by applying normal security procedures and using big data in security analytics.
Ethics – organisations adopting an ethical approach to big data are more likely to be complying with data protection laws and they may gain a competitive advantage by being seen to be “responsible and trustworthy custodians of customer data.”
Anonymise – consider whether personal data is really needed in a big data project or whether it can be anonymised. The ICO states that the issue is not about eliminating the risk of re-identification altogether but whether it can be mitigated so it is no longer significant.
Privacy Impact assessments (“PIA”) – carry out a PIA to consider how the processing could affect privacy.
Subject access – design systems to facilitate easy access to data in the event of subject access requests.
Why this Matters:
Big data is clearly on the radar for regulators, and the fact that the ICO has issued a 50-page report indicates its importance.
The Paper, however, is on the whole balanced and recognises that big data is not always bad (as the media sometimes suggests) and that privacy and big data can be compatible by going back to basic privacy principles.
Many of the points and issues raised in the paper are not new but reinforce that the existing privacy rules continue to apply. One area which may be challenging to apply in practice will be getting consent where required and coming up with innovative means for notification.
Announcing the publication of the report, Steve Wood, the ICO’s Head of Policy Delivery, said:
“What we’re saying in this report is that many of the challenges of compliance can be overcome by being open about what you’re doing.
Organisations need to think of innovative ways to tell customers what they want to do and what they’re hoping to achieve.
Big data can work within the established data protection principles … established in UK and EU law [which] are flexible enough to cover big data. Applying those principles involves asking all the questions that anyone undertaking big data ought to be asking.
Big data is not a game that is played by different rules.”