The Information Commissioner’s Office (ICO) has today released a new report that considers how big data will operate within existing data protection laws which ensure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection
The Big data and data protection report accepts that the use of big data can bring benefits to companies and doesn’t wish to stifle innovation. That said, the ICO is keen to point out that organisations still have an obligation to keep information both private and secure, offering the following practical advice for dealing with personal information used in big data analytics:
- Personal data - Does your big data project need to use personal data at all? If you are using personal data, can it be anonymised? If you are processing personal data you have to comply with the Data Protection Act.
- Privacy impact assessments - Carry out a privacy impact assessment to understand how the processing will affect the people concerned. Are you using personal data to identify general trends or to make decisions that affect individuals?
- Repurposing data - If you are repurposing data, consider whether the new purpose is incompatible with the original purpose, in data protection terms, and whether you need to get consent. If you are buying in personal data from elsewhere, you need to practice due diligence and ensure that you have a data protection condition for your processing.
- Data minimisation - Big data analytics is not an excuse for stockpiling data or keeping it longer than you need for your business purposes, just in case it might be useful. Long term uses must be
articulated or justifiable, even if all the detail of the future use is not known.
- Transparency - Be as transparent and open as possible about what you are doing. Explain the purposes, implications and benefits of the analytics. Think of innovative and effective ways to
convey this to the people concerned.
- Subject access - People have a right to see the data you are processing about them. Design systems that make it easy for you to collate this information. Think about enabling people to
access their data on line in a re-usable format.
The ICO’s head of policy delivery, Steve Wood, says that there is a buzz around how big data can be used for social benefits as well as the more obvious economic advantages it can provide. He did, however, highlight how organisations are struggling to understand how they can put big data to innovative new uses without falling foul of the law. Wood also explained that individuals are also expressing concern over how their personal data is being used in big data scenarios.
The answer, he says, begins with organisations being more transparent about how they are using big data:
“What we’re saying in this report is that many of the challenges of compliance can be overcome by being open about what you’re doing. Organisations need to think of innovative ways to tell customers what they want to do and what they’re hoping to achieve.
Not only does that go a long way toward complying with the law, but there are benefits from being seen as responsible custodians of data.”
The ICO report says that openness is a key factor, pointing out how organisations need to ensure that personal information is only used in ways previously communicated to users. The complexity of big data, it says, should not be used as an excuse to use data without consent.
Responding to concerns that existing data protection law is insufficient in the face of big data, Wood added that:
“Big data can work within the established data protection principles. The basic data protection principles already established in UK and EU law are flexible enough to cover big data. Applying those principles involves asking all the questions that anyone undertaking big data ought to be asking. Big data is not a game that is played by different rules.
The principles are still fit for purpose but organisations need to innovate when applying them.”
The organisation notes how the area of big data is fast-evolving, leading it to conclude that its guidance will likely change over time. In light of that, the ICO positively encourages feedback which can be sent to [email protected] up until September 12 of this year.