Out-Law News 2 min. read

Businesses can justify 'big data' processing on 'legitimate interests' grounds, says ICO

Businesses do not always need consumers' consent to process their personal data contained in 'big data' sets, the Information Commissioner's Office (ICO) has said.

The UK watchdog confirmed that businesses can process that information without consent if they can demonstrate that they have "legitimate interests" in doing so and that those interests do not disproportionately disregard "the rights and freedoms of individuals".

The ICO's comments were contained in a paper that summarises the responses it received to the 'big data and data protection' report it published last July. In its latest paper the ICO defended itself against claims that it had "focussed too much on consent as a condition" for processing big data after one respondent said it "did not sufficiently recognise the relevance of the legitimate interests condition for processing personal data" in its July 2014 paper.

"[The respondent] argued that this [legitimate interests] condition can authorise new uses of the data, since it provides that personal data may be processed if it is necessary for the legitimate interests of the data controller (or a third party) unless there is unwarranted prejudice to the rights, freedoms and legitimate interest of the data subject," the ICO said. "This condition puts an emphasis on organisational accountability rather than individual responsibility for giving consent."

"Our paper deals with consent at greater length than legitimate interests, partly because the former is an issue which is the subject of current debate in the context of big data. We did not mean to imply that consent is the only or the most important condition; any of the conditions listed in the Data Protection Act and the Data Protection Directive can legitimise the processing of personal data. The need to balance the legitimate interests of the data controller with the rights and freedoms of individuals is a key theme in our paper. We agree also that this is consistent with organisational accountability," it said.

Under EU and UK data protection laws, organisations can rely on a number of legal grounds on which they can legitimately process personal data. Examples of the legal grounds that can be relied upon include where the organisations obtain individuals' consent to the processing, or where the organisations are subject to a legal obligation to process personal data, such as being subject to a court order.

However, businesses can rely on the so-called 'legitimate interests' ground to process personal data too. Businesses can rely on this provision providing their interests in processing personal data do not unduly prejudice the rights and freedoms of individuals.

In the big data guidance it issued last July, the ICO said businesses must process personal data fairly and in a transparent manner when undertaking big data initiatives. The guidance explained the extent to which businesses can rely on consent previously given by consumers to the processing of their personal data when they identify a new use for the data.

"The organisation should establish whether the individuals concerned have in fact consented to this further use of their data, or whether it can rely on another data protection condition. If not, it will need to tell those individuals what it is doing and seek consent for the new use. It will also need to assess whether the new processing is incompatible with the original purpose for which the data was collected," the ICO's guide said.

Whether new personal data processing activities that businesses intend to carry out are compatible with the original purpose for which that information was collected will depend, in part, on whether the new processing activity is "fair", the ICO said. This means businesses must assess how individuals' privacy will be affected by the new processing and whether it is in those individuals' "reasonable expectations that their data could be used in this way".

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.