ICO publishes 'big data' guidance and stresses fairness and transparency for data protection compliance

Out-Law News | 29 Jul 2014 | 10:38 am

Businesses buying personal information from third parties for use in 'big data' projects need to check with the sellers whether they have a right to use the data in that context or whether they need to obtain consent from individuals to use the data for the purposes they intend, the UK's data protection watchdog has said.

The Information Commissioner's Office (ICO) has published a new report on big data and data protection (51-page / 482KB PDF) in which it warned businesses to ensure that they process personal data fairly and in a transparent manner when undertaking big data initiatives. Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, had called on the ICO to explain "what transparency and fairness looks like" in the big data era.

'Big data' is a term used to describe the vast generation of data and the possibilities presented by analysing that information using computers. Big data offers a range of opportunities for businesses to personalise their services to consumers, from insurers using telematics data generated about driving habits to individualise the premiums they set, to targeting advertising based on consumers' previous retail habits.

In some cases businesses will use new analytics capabilities to make use of existing personal data sets that they have collected. However, in other cases companies will use data collected from third parties to glean information on individuals' behaviours and attitudes or to personalise services they offer. The ICO warned businesses of the checks they need to carry out to ensure they comply with the Data Protection Act (DPA) in those cases.

"If an organisation is buying personal data from elsewhere for big data analytics, it needs to practice due diligence," the ICO said in its report. "It should first consider whether it needs to use personal data at all, or whether it could take the data in anonymised form. If it is acquiring personal data, then it becomes the data controller for it and has to meet the requirements of DPA."

"The organisation should establish whether the individuals concerned have in fact consented to this further use of their data, or whether it can rely on another data protection condition. If not, it will need to tell those individuals what it is doing and seek consent for the new use. It will also need to assess whether the new processing is incompatible with the original purpose for which the data was collected," it said.

Whether new personal data processing activities that businesses intend to carry out are compatible with the original purpose for which that information was collected will depend, in part, on whether the new processing activity is "fair", the ICO said. This means businesses must assess how individuals' privacy will be affected by the new processing and whether it is in those individuals' "reasonable expectations that their data could be used in this way".

"If, for example, information that people have put on social media is going to be used to assess their health risks or their credit worthiness, or to market certain products to them, then unless they are informed of this and asked to give their consent, it is unlikely to be either fair or compatible," the ICO said. "Where the new purpose would be otherwise unexpected, and it involves making decisions about them as individuals, then in most cases the organisation concerned will need to seek specific consent, in addition to establishing whether the new purpose is incompatible with the original reason for processing the data."

The ICO said that businesses need to get "innovative" to convey concise information about the way in which they intend to use individuals' personal data in a big data setting.

"Big data increasingly uses observed, derived and inferred, rather than provided data," the ICO said. "This can be problematic in terms of providing privacy information, because individuals may be unaware that this data is being collected and processed, and the processing may be done by organisations that are not directly customer-facing. However, this does not remove the need for transparency; it is even more important because the processing is not obvious to the individuals concerned."

"The issue is finding the point at which to communicate this information and the most effective way to do it. Privacy information does not need to be provided by just one method; a combination and mix can be used. Innovation will be needed to support different types of data collection. This will need to include consideration of in-product and just-in-time notices. There is also a strong case to consider at an early stage how this information will be provided, e.g. the relationship between usability and privacy by design," it said.

The watchdog said companies need to update their privacy notices and make sure individuals are aware if, while processing personal data, they find new purposes for that processing that were unforeseen when consumers were first told of the reasons for which their data was to be used. Uncertainty over how personal data may be used in future big data projects does not remove businesses' obligations to explain possible foreseen purposes of future processing to individuals, it added.