Logo

ICO says 'big data' must operate within existing data protection laws

The Information Commissioner’s Office has warned that ‘big data’ – the analysis of massive datatsets – “can – and must – operate within data protection law”.

In a report, Big data and data protection, the watchdog highlighted how both public and private sectors were making increasing use of big data analytics. It insisted that operating within the law “should not be seen as a barrier to innovation”.

The ICO said:

  • Where personal data is being used, organisations must ensure they are complying with their obligations under the DPA;
  • One key data protection requirement is to ensure that processing of personal data is fair, “and this is particularly important where big data is being used to make decisions affecting individuals”. The complexity of big data analytics is not an excuse for failing to obtain consent where it is required;
  • If an organisation has collected personal data for one purpose and then decides to start analysing it for completely different purposes (or to make it available for others to do so) then it needs to make its users aware of this. “This is particularly important if the organisation is planning to use the data for a purpose that is not apparent to the individual because it is not obviously connected with their use of a service”;
  • Organisations need to be clear from the outset what they expect to learn or be able to do by processing the data, as well as satisfying themselves that the data is relevant and not excessive, in relation to that aim;
  • Organisations must be proactive in considering any information security risks posed by big data;
  • The proposed EU General Data Protection Regulation, if adopted, could improve the level of data protection for individuals in the context of big data analytics, in that it aims to increase the transparency of the processing, enhance the rights of data subjects and introduce a requirement for privacy by design and privacy impact assessments. The ICO stressed that these data protection benefits should be achieved through a risk based approach that avoided over-prescription;
  • It did not accept the argument that data protection principles were not fit for purpose in the context of big data. “Big data is not a game that is played by different rules.....There is some flexibility inherent in the data protection principles. They should not be seen as a barrier to progress, but as the framework to promote privacy rights and as a stimulus to developing innovative approaches to informing and engaging the public.”
  • In a world of multiple data sources effective anonymisation can be challenging and organisations must carry out a robust risk assessment.

Steve Wood, the ICO’s Head of Policy Delivery, said: “There is a buzz around big data and emerging evidence of its economic and social benefits. But we’ve seen a lot of organisations who are raising questions about how they can innovate to find these benefits and still comply with the law. Individuals too are showing they’re concerned about how their data is being used and shared in big data type scenarios.

“What we’re saying in this report is that many of the challenges of compliance can be overcome by being open about what you’re doing. Organisations need to think of innovative ways to tell customers what they want to do and what they’re hoping to achieve.”

Wood added: “Not only does that go a long way toward complying with the law, but there are benefits from being seen as responsible custodians of data.”

The ICO said publication of its report was intended to address concerns raised by some commentators that current data protection law did not fit with big data.

“Big data can work within the established data protection principles,” Wood said.

“The basic data protection principles already established in UK and EU law are flexible enough to cover big data. Applying those principles involves asking all the questions that anyone undertaking big data ought to be asking. Big data is not a game that is played by different rules.”

(c) HB Editorial Services Ltd 2009-2022