Privacy & Information Security Law Blog

On July 28, 2014, the UK Information Commissioner’s Office (“ICO”) released a comprehensive report on Big Data and Data Protection (the “Report”). This is the first big data guidance prepared by a European data protection authority. The Report describes what is meant by “big data,” the privacy issues big data raises, and how to comply with the UK’s Data Protection Act in the context of big data.

The Report notes that big data is a fast-evolving area, so the ICO’s guidance on the topic is subject to future changes. The Report also invites public feedback to specific questions set forth in Annex 1, including whether (1) there are additional big data issues that must be addressed, (2) the ICO should produce further guidance, and (3) there are practical tools other than the ones mentioned in the Report to protect privacy in the context of big data. Comments are due by September 12, 2014

The Report includes the following key findings:

• Big data analytics that involve processing of personal data must comply with the Data Protection Act.
• A key requirement of data protection is fairness in processing, particularly where big data is used to make decisions affecting individuals. Fairness includes being transparent about collection and use, considering the effect of the processing and the reasonable expectations of the individual.
• Big data processing must satisfy one of the conditions / grounds for processing, such as “legitimate interest” or consent. Consent may be used where it is an appropriate condition for big data processing. Equally, the complexity of big data does not excuse a failure to obtain consent where it is required. The legitimate interest ground may be appropriate as well, provided it meets certain criteria, as discussed in the June 2014 opinion of the Article 29 Working Party.
• Purpose limitation is an important consideration and organizations must consider whether a new purpose for big data and analytics is “not incompatible” with the original purpose for which data have been collected. Individuals need to be made aware if their personal data is being repurposed to perform big data analytics.
• Big data analytics require clarity from the outset regarding what an organization seeks to do with, or learn from, data, so as to ensure that the data is relevant and not excessive for the purpose.
• Organizations must consider and provide information security measures to protect big data based on a proper assessment of the risks, though big data also may be a tool used to improve security.
• Some organizations are beginning to develop an “ethical” approach to big data analytics that can help ensure compliance with data protection obligations.
• Transparency with respect to the social benefits of big data promotes confidence in the digital world.
• Given that there is some flexibility inherent in data protection principles, they also apply in the big data context and must not be seen as a barrier to progress, but as a framework for facilitating both privacy rights and innovative approaches to informing and engaging the public.
• Done correctly, anonymization may be an appropriate privacy protection tool in the context of big data.

The Report also addresses numerous other issues, including the use of privacy impact assessments in the big data context, how to handle repurposing data, the continued relevance of data minimization, the research exemption, data subjects’ right of access, and the impact of the proposed EU General Data Protection Regulation.