Big data is a big issue for organisations across the world. Businesses, governments, health organisations, analysts and scientists are all looking at the opportunities to be gained from using big data.
Another big issue is the matter of individuals’ privacy and data protection. The EU data protection principles are already established throughout the member states, and in the UK we have the Data Protection Act, which is regulated and enforced by the ICO.
So what is big data?
I first wrote about big data in 2012. Analyst Doug Laney described it as being three-dimensional – a combination of volume, velocity and variety.
It probably began when customers started shopping over the internet. Businesses started to save and analyse data from clicks, searches, registrations, purchases and so on. Then came social networks where individuals post personal and business information about themselves, hold conversations with their friends, family and colleagues, post updates and opinions, store their photographs and music and films and videos in the cloud…
This technology is continuing to develop at speed, while big data analysis and algorithms are becomng ever more sophisticated. As a result, big data’s relationship with data protection and privacy regulations is becoming a serious and significant issue.
Big Data and the Data Protection Act
Of course, not all big data actually uses personal information. For example, researchers analysing data from particle physics experiments at CERN’s Large Hadron Collier sift through approximately 16 million gigabytes of data every year. This is hardly a serious threat to individuals’ privacy.
On the other hand, businesses using data from social media, in combination with sales transactions and loyalty cards does indeed use personal data, and in this case the Data Protection Act (DPA) comes into force to protect the individual.
Regardless of whether or not we think the DPA is adequate to protect individuals against organisations working with data, it is the only legislation we have. And the ICO has just produced a report suggesting a number of areas where organisations must be mindful of their big data regulatory responsibilities:
- Fair processing: Where big data is used to make decisions affecting individuals, a key requirement is that such processing – including the initial collection of that individual’s data – is fair and transparent. A clear explanation of why the data is being collected (the Purpose) and, where necessary, consent of the individual to that purpose is a key element in the compliant use of such data.
- Consent: any consent must be ‘freely given, specific and informed’. People must be able to understand how their data is to be used, and there must be a clear indication that they have consented to such use. If an organisation is relying on consent as a condition for processing big data, it is important that the data subjects have a clear choice and are able to withdraw their consent if they wish. Otherwise, the consent does not meet the requirements of the DPA.
- Repurposing: where data has been collected for one reason, and is now being used for a completely different purpose, then the organisation needs to make its users or customers aware of this – most particularly if the data is being used for a purpose that the individual could not reasonably have expected at the time the data was initially collected. In this case, where consent is relied on, consent is required.
- Excessive, relevant data: using all the available data for analysis might be expected to contravene Principle 3 of the data protection act which states that data must be adequate, relevant and not excessive. An organisation must be clear from the outset what they expect to learn or do by processing all the data. They must also be in a position, if necessary, to demonstrate how they have satisfied themselves that the data they are using from perhaps a multiplicity of sources is relevant and not excessive.
- Security: organisations using personal data should always be mindful of security and the potential for data security breaches. The use of big data is no different in this respect – but the number of new datasets that may be acquired in combination with the existing data used may make the security issues a little more widespread, and will require robust risk assessment and risk management policies and procedures.
- Anonymisation: if data is correctly anonymised it will no longer be considered personal data and will therefore not be subject to the DPA. However, when using the multiple data sources associated with big data analytics, achieving genuine anonymisation can be difficult to achieve and the ICO advises organisations to carry out a robust risk assessment of the risk of re-identification, and provide solutions proportionate to the risk.
- Privacy Impact Assessment (PIA): a PIA is an important part of being compliant as it helps gain an understanding of how the processing will affect the individuals concerned. For example, there is a difference between using personal data to identify general trends, and using it to make decisions that affect those individuals.
- Long-term use: using big data for analytics does not waive the requirement that data should be kept only for the period required for the stated business purposes. If a business wants to hold the data for long-term use, the reasons must be articulated and justified.
- Subject access: don’t forget that people can request to see the data you are processing about them. When using big data, systems can become complex and unwieldy making such requests difficult, time-consuming or expensive to fulfil. Keeping the system simple will obviously benefit the organisation.
- Third parties: if data has been purchased from a third party in order to run its big data analytics, the purchaser becomes the data controller for the purchased data. It is now responsible for ensuring it has met the DPA’s conditions for further use of that data, and, if it is relying on the original consent obtained by the supplier, then the purchaser must ensure that this is adequate to cover its further processing requirements.
When using big data, always make sure you comply with the DPA.
Don’t be secretive, deceptive or misleading. Make sure you obtain appropriate consents as required. Explain clearly what you’re doing with big data to your users, your customers and those from whom you’re collecting data. And make sure the information is utterly transparent. It’s also worth being creative about how you tell them what you’re doing, by finding, describing and providing visible benefits that they will appreciate.
If you have any compliance or security questions on your own use of big data, please contact firstname.lastname@example.org or call 01787 277742. Data Compliant offers the following services: