New ICO paper on Big Data published

Who: The Information Commissioner’s Office

Where: United Kingdom

When:  3 March 2017

Law stated as at: 10 April 2017

What happened:

The UK’s data protection regulator, the ICO, has issued a new version of its paper on Big Data, Artificial Intelligence, Machine Learning and Data Protection.

The growth in this area is reflected in the size of the paper, which has over doubled in length from 50 to 114 pages in this version (we reported on the last version here).  The paper is rich in detail; in this article we pick out a few key aspects, but the paper itself should be required reading for all organisations carrying out “big data” processing.

The ICO sees recent progress in artificial intelligence and machine learning as being a key driver of developments in the field of big data. This has allowed businesses to process, manipulate and extract meaning from large, complex and disparate data sets in ways which previously may not have been possible.  While this may not always involve personal data, instances where big data processing touches personal data will still fall firmly within the ICO’s remit and that of the Data Protection Act and, from 25 May 2018, the stricter rules under the General Data Protection Regulation.

Six key recommendations

The ICO concludes its report by making six key recommendations for organisations when using big data:

1. Consider whether big data activities need to use personal data at all, or if datasets can be anonymised using appropriate techniques.
2. Be transparent about processing of personal data by finding innovative methods of providing meaningful privacy notices at appropriate stages throughout a big data project (e.g. icons, just-in-time notification and layered privacy notices).
3. Embed a privacy impact assessment framework into big data activities to identify and mitigate privacy risks. Data analysts, compliance teams, board members and members of the public may all need to be involved. The report contains a specific privacy impact assessment framework for big data analytics in Annex 1.
4. Ensure that privacy by design principles are adopted when developing and applying big data solutions, implementing technical and organisational measures to address matters such as data security, data minimisation and data segregation.
5. Develop ethical principles to help reinforce key data protection principles.   Smaller organisations can use these as a frame of reference when planning big data projects, larger ones are encouraged to create ethics boards to help scrutinise projects and assess complex issues arising from big data analytics.
6. Innovate to develop auditable machine learning algorithms.   Ensure that it is possible to conduct internal/external audits to check the rationale for algorithmic decisions and to check for bias, discrimination and errors.

A few further key areas highlighted in the report which will be of particular interest for advertisers will be as follows:

• “Big” personal data is still personal data. The report makes clear that the ICO does not consider that special rules apply to big data applications. The usual laws governing use of personal data under the DPA and GDPR will apply.
• Stricter rules under GDPR. Some of the stricter rules in the incoming GDPR will have a material impact on big data operations. For instance the new law around profiling and automated decision-making, and the qualified right individuals have to not be subject to it. If consent is the basis for big data processing, this will also need to meet the new standards of being “unambiguous” and a “clear affirmative action”, along with the individual being able to withdraw the consent. Conversely, relying on legitimate interests will need the specific interests to be set out in the organisation’s privacy notice.
• Innovation likely needed around provision of privacy notices/consents. Big data may require innovation in terms of how privacy notices are delivered. It may be that, in processes where the full details of how the data will be processed are not known at the start, incremental privacy notices may need to be delivered and, where necessary, additional consents obtained as the big data process progresses.
• Keep track of your algorithms. The report considers the implication of using algorithmic methods to analyse and process personal data, and urges companies to consider the data protection considerations – including the need to explain the processing to an individual if requested to do so. If a business is using an algorithm, the onus is on the business to be able to audit the automated decision making process and ensure that decisions are not made automatically that are biased, discriminatory or wrong. It will be a specific requirement under the GDPR for data controllers to provide details of the logic involved in automated decision making processes and the significance/envisaged consequences for the data subject.
• Remember the rules on repurposing. If a technique involves repurposing personal data, the new purpose must be fair and compatible with the initial purpose for which the data was collected. If the new purpose involves finding out about individuals and making decisions about them, this will almost certainly require consent (the example given here is leveraging data provided to a social network by individuals to assess health risks, credit worthiness or to target products to them).

Why this matters:

• The publication of this report illustrates that the ICO is not shying away from engaging with the challenges of reconciling big data and data protection. Particularly in the context of the new requirements under the GDPR, it will be more important than ever for organisations using such techniques to ensure that they are doing so in a way that is compliant with the law. In practice, those designing and operating such solutions will need to ensure that they are bringing in and working closely with legal and privacy teams, both in the planning stages of such projects and an ongoing basis.
• The ICO’s focus on this area has been underlined in a blog post which sets out the work it plans in this area going forward. Of the items listed here, the regulator has already published its thinking on the “profiling” provisions under the GDPR on 6 April for feedback. Other upcoming plans include the release of an Information Rights Strategy, to set up a grants/contributions fund to enable research on big data, AI and machine learning, and further upcoming reports on big data in mergers and acquisitions, social scoring, EU-US transfers and higher education.