Carl Wiper, a Senior Policy Officer in the ICO’s Policy Delivery department, explains big data in layman’s terms, when data protection laws apply, and argues that data protection principles already established in the UK and EU law are flexible enough to cover big data.
Big data is a hot topic at the moment, with businesses, scientists and governments all keen to see what benefits it can offer. But big data is not a game that is played by different rules. If it involves personal data, you need to follow the Data Protection Act. The ICO’s report gives our perspective as the regulator of that law.
1. What big data is
Big data is often defined by the so-called ‘three Vs’: volume, variety and velocity: big data typically uses massive datasets, brings together data from different sources and can be used to analyse data in real time. But it is difficult to produce a watertight definition. Big data has been described as a phenomenon rather than a technology, and that’s a useful distinction.
2. Why the ICO cares
Some big data won’t use personal information at all – for instance when using climate data. That doesn’t concern us. But if big data uses personal information, such as data from social media or loyalty cards, then the ICO is interested. Using personal data brings legal obligations under the Data Protection Act, and that’s regulated by the ICO.
3. Big data can be done within the law…
This report isn’t trying to discourage big data. Even aspects where big data and data protection seem in opposition can be resolved. For instance, using all available data (rather than a sample) is considered a key feature of big data. This doesn’t obviously fit with a data protection principle that insists information must not be excessive. But that contrast doesn’t have to be a deal breaker, so long as the organisation addresses from the outset what it expects to learn from its research, and ensures the data used is relevant and not excessive for that aim.
4. …but it’s easier if you think about the law at an early stage
The key to that work is to consider it early in the process. We’ve spoken of privacy impact assessments and ‘privacy by design’ before, but it is crucial here. By thinking about data protection issues sooner, areas like whether to get people’s consent, using data fairly and keeping information secure become far simpler.
5. Focus on the benefits
There’s a danger that organisations rush to try big data without thinking about what they want to achieve. By thinking about what benefits they hope to achieve, organisations will be in a better position to explain those benefits to customers. This goes some way to complying with data protection law, and could also offer a competitive advantage if it helps the organisations be seen as responsible and trustworthy custodians of customer data.
6. Anonymisation can help
Anonymisation is one route to consider. Done correctly, it means the information being analysed is no longer considered personal data. Take the use of mobile phone data to track the movement of crowds of people. By stripping out the data that identifies individuals prior to the analysis, the anonymised data can be shared, for instance giving retailers a chance to analyse footfall in a particular location. However, anonymisation is an increasing challenge, with the ever-growing amount of publically available information increasing the risk that individuals could be re-identified. Organisations must consider this risk.
7. The data protection principles still work (and you have to follow them)
Some commentators have argued that existing data protection law can’t keep up with the rise of big data and its new and innovative approaches to personal data. That is not our view. The basic data protection principles already established in the UK and EU law are flexible enough to cover big data. Applying those principles involves asking all the questions that anyone undertaking big data ought to be asking. Big data is not a game that is played by different rules.
The same principles form the core of the proposed new EU regulation. What we need to modernise is the law around those principles, so regulators have the right tools to effectively enforce the law and improve data subjects’ rights, including transparency and more effective control of personal data.
So read the report, understand the issues, and make sure you’re complying with the law to reap the full benefits of big data.
This article was originally posted on the ICO’s blog. It is re-posted here with permission and thanks. It gives the views of the author and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics.
