ICO Offers Big Data Privacy WarningBusinesses Must Ensure Data Protection Compliance
Warning from the U.K. Information Commissioner's Office: Businesses that work with big data must ensure they still comply with EU data protection regulations, especially when it comes to keeping personal information private.
See Also: 2016 Social Engineering Report
That's one takeaway from the ICO's new, 50-page "Big Data and Data Protection" report, which the agency says it intends "to give an overview of the issues as we see them and contribute to the debate on big data and privacy."
The guidance makes clear that the ICO sees no need to amend U.K. or EU law to cover the use of big data. "The principles are still fit for purpose but organizations need to innovate when applying them," says Steve Wood, the ICO's head of policy delivery.
Big Data, Big Potential
The use of big data is being eyed to advance the state of everything from health research and fraud detection to security information and event management and detecting malware. But the ICO says it doesn't want advances driven by big data practices to come at the expense of privacy rights.
"Our aim is to ensure that the different privacy risks of big data are considered along with the benefits of big data - to organizations, to individuals and to society as a whole," says the ICO's report. "It is our belief that the emerging benefits of big data will be sustained by upholding key data protection principles and safeguards. The benefits cannot simply be traded with privacy rights."
No Free Pass
The ICO, in other words, says U.K. businesses and organizations will get no free privacy pass when it comes to working with big data. Its report references Gartner's definition of big data, which refers to combining three Vs: volume, variety and velocity. Working with big data, in other words, often means bringing together large amounts of data, from a large number of sources, and processing it in near-real time.
"Big data is a hot topic at the moment, with businesses, scientists and governments all keen to see what benefits it can offer," says Carl Wiper, an ICO senior policy officer, in a blog post. "But big data is not a game that is played by different rules. If it involves personal data, you need to follow the Data Protection Act."
In particular, the U.K. Data Protection Act - a 1998 law designed to bring the British legal code in line with the EU data protection directive of 1995 - enshrines an individual's right to keep their personal information private.
Per those EU regulations, people also have a right to access almost any type of personal information that a business or organization is storing about them, minus certain exemptions, such as for active law enforcement investigations. Accordingly, the ICO is urging businesses to design online systems that allow consumers to see any personal information being stored about them in "big data sets." But more than that, businesses must also "be as transparent and open as possible about what you are doing," says the ICO, which is the agency charged with investigating privacy complaints from consumers. "Explain the purposes, implications and benefits of the analytics. Think of innovative and effective ways to convey this to the people concerned."
Beyond the U.K.
The United Kingdom isn't the only country to be sounding cautionary notes on the use of big data. In the United States, for example, Federal Trade Commissioner Julie Brill has said that privacy must factor into all big data project discussions.
"Privacy is an ethical discussion, it's a structural discussion and it's a legal discussion," she said in April. "Rather than have this big notion that big data is going to benefit mankind, we have to be specific about the benefits of any specific project and balance that with the potential harms."
What's not been clear to date, however, is how exactly those concerns should be balanced. The ICO, for example, has said that all big data programs must use data in a fair manner, as well as be transparent to consumers about how and why the data is being used. "The complexity of big data analytics is not an excuse for failing to obtain consent where it is required," the ICO's report says.
Whenever possible, the ICO also says, businesses should evaluate whether they need to use privacy information in the first place, and if so, carry out a "privacy impact assessment." The ICO also warns businesses to beware repurposing data - especially if they will require consent to use the information for a different purpose than the one originally intended - as well as to practice "data minimization" and to avoid "stockpiling data or keeping it longer than you need for your business purposes, just in case it might be useful."