ICO's big data guidance must address business concerns about compliance when using third party data, says expert

Out-Law News | 24 Jul 2014 | 9:47 am | 1 min. read

Guidance that the Information Commissioner's Office (ICO) is expected to issue on 'big data' must serve to ease concerns businesses have about how to achieve compliance with data protection laws when making use of personal data collected by third parties, an expert has said.

Deputy Information Commissioner David Smith said that the ICO would issue a "big data publication shortly" at an event in London last week, according to a report by Computer World UK.

Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said: "The ICO's guidance needs to explain to businesses how they can meet their obligations to be transparent with consumers about the way they intend to use their personal data when the data has been collected by third parties."

"With increasing volumes of data being generated, businesses are increasingly sourcing data sets from third parties to enhance their understanding of consumer behaviours, attitudes and other trends," she said. "However, businesses face a challenge in ensuring that the data they acquire from third parties has been collected fairly - that is to say that consumers have been informed about the potential uses of the data being collected about them and have provided their consent to that usage."

"Businesses need practical guidance that explains the steps they need to take to ensure they meet their obligations around transparency in a way that is not overly burdensome and risks stifling innovative new uses of personal data that can ultimately benefit consumers," Wynn said.

Wynn also said that the ICO's guidance must provide clarity to businesses on how to stay compliant when seeking to make use of personal data for different purposes than consumers were notified of when the data was originally collected.

"Advancements in technology and improvements in analytics are providing businesses with opportunities to make new uses of personal data that they have access to," Wynn said. "However, data protection rules require organisations to ensure that they only use personal data for purposes for which the data was collected. Businesses need guidance on how to achieve purpose limitation requirements when organisations wish to use the data in a way that was not envisaged at the time of collection."

"Businesses previously have issued broad descriptions in their privacy policies or other consumer-facing documents about what they intend to do with the data they collect from customers, which could cover a whole host of uses both anticipated and unanticipated. However, there is uncertainty about whether those descriptions are sufficiently specific and clear to achieve a valid consent in light of newly envisaged purposes for the data being found in the big data era," she said.

"The ICO needs to tell business what transparency and fairness looks like in this situation and set out clear, feasible and achievable steps the companies can take towards compliance to address the lack of clarity at the moment. What the guidance must not deliver is more questions than answers," Wynn said.