This post was written by Cynthia O’Donoghue.
On 28 July, the ICO released its report ‘Big data and data protection’ (the ‘Report’).
The Report defines ‘Big Data’ and sets out the data protection and privacy issues raised by Big Data, as well as compliance with the UK Data Protection Act 1998 (‘DPA’) in the context of Big Data.
The ICO defines Big Data by reference to the Garter IT glossary definition, and further explains that processing personal data must be of a significant volume, variety or velocity.
When announcing publication of the Report, Steve Wood, the ICO’s Head of Policy Delivery, stated that “Big Data can work within the established data protection principles….The principles are still fit for purpose but organisations need to innovate when applying them”.
Under the DPA 1st Principle (fair and lawful processing), the Report emphasises that the complexity of Big Data analytics should not become an excuse for failing to seek consent where required, and that organisations must process data fairly, particularly where Big Data is used to make decisions affecting individuals. A study by Barocas and Selbst entitled ‘Big Data’s Disparate Impact’ found that Big Data has the “potential to exacerbate inequality”, and use of Big Data that resulted in discrimination would violate the fairness principle.
The Report addresses the significant issue of data collection when using Big Data analytics, and stresses that an organisation must have a clear understanding from the outset of what it intends to do with, or learn from, the data to ensure that the data is relevant and not excessive for the purpose. The Report seeks to address the growing concern that Big Data analytics tends to involve collecting as much data as possible, but that under the DPA, data minimisation remains an essential element of Big Data.
The Report also cautions that organisations seeking to use analytics must ensure against purpose-creep by following the purpose limitation principle to ensure that data collected for one purpose is then not used for another purpose incompatible with the original purpose. With this in mind, the ICO suggests that organisations employ a risk-based approach to identify and mitigate the risks presented by Big Data.
The Report also addresses whether the growth of Big Data leads to an increased data security threat, and highlights how The European Union Agency for Network and Information Security (‘ENISA’) has identified a number of emerging threats arising from the potential misuse of Big Data by so-called ‘adversaries’. In contrast, the Report also illustrates that there is evidence illustrating how Big Data can be used to improve information security.
To address these concerns, the ICO recommends several ‘tools for compliance’, including:
- Privacy Impact Assessments (PIAs)
- Privacy by Design
- Promoting transparency through Privacy Notices
Big Data is a fast-growing area that offers many opportunities and commercial advantages. It also presents many challenges. As the Report argues, the benefits of Big Data can only be realised by adhering to current DPA Principles and safeguards. Only through compliance will individuals trust organisations and become more open to the use of their data for Big Data analytics.