Big data – ICO issues guidance to controllers

The Information Commissioner’s Office (ICO) has this week issued a report on ‘big data’, concluding that controllers of big data analytics need to comply with the requirements of the 1998 Data Protection Act – in other words, just because it’s big, and just because it’s clever, it can’t just ignore the Act.  As the Report concludes, ‘big data is not a game that is played by different rules.’

The Report, Big data and data protection, confirms that the controller is the person who decides the purpose for which and the manner in which the data in the big dataset is processed, even if it outsources much of the work to a specialist analytics contractor. As the data controller, it is that person’s responsibility to comply with the data protection principles, most notably around fair processing and data security, and to ensure that the contractor does not cause it to be in breach of those principles and data obligations.

The Report uses the Gartner definition of ‘big data’: “Big data is high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making”.

The Report recommends that controllers consider the benefits of anonymisation of personal data, which, if done correctly, means the information being analysed is no longer considered personal data. The downside, of course, is that if data is truly anonymised, trends can be discerned, but the controller cannot then loop back to a specific individual – if they could, the data was not properly anonymised.

The Report advises controllers to consider, by use of a ‘privacy impact assessment’, how the processing will affect the underlying data subjects concerned. Again, if trends are what is being sought, anonymisation might be the answer.

Another important issue raised is whether the controller is repurposing data, in which case they need to consider if the new purpose is incompatible with the original purpose, and if so, whether fresh consent is needed. Likewise, if data is being bought in bulk, it is important to know the provenance of the data, and to ensure that one of the conditions for processing in the Act is met.

Finally, remember that individuals have a right to see the data that is being processed about them. The controller can only charge £10 to handle a subject access request, so designing systems that make it easy to respond to a subject access request will more than pay off.