UK Regulators Seek to Balance Big Data, Privacy
As concerns grow over how companies collect and use personal data, a UK regulator has issued guidelines for how companies leveraging big data must operate under Britain’s data protection law.
The UK Information Commissioner’s Office released a report on July 28 that seeks a balance between compliance with Britain’s Data Protection Act of 1998 and continued data innovation. The report acknowledges that big data analytics frequently focus on areas other than the collection and use of personal data. It cited weather and climate data as examples, noting that these scientific uses “enable new discoveries and improved services.”
The rub comes when data analytics ventures into the realm of repurposing personal data, the report stressed. “If an organization has collected personal data for one purpose and then decides to start analyzing it for completely different purposes (or to make it available for others to do so) then it needs to make its users aware of this,” the report said.
“This is particularly important if the organization is planning to use the data for a purpose that is not apparent to the individual because it is not obviously connected with their use of a service.”
A key feature of the British data protection law is the principle of “data minimization,” that is, limiting the stockpiling of personal data for some unforeseen future business use. “Long term uses must be articulated or justifiable, even if all the detail of the future use is not known,” the report warned.
“The challenge for organizations is to address this by being clear from the outset what they expect to learn or be able to do by processing that data, as well as satisfying themselves that the data is relevant and not excessive, in relation to that aim.”
The UK big data report’s message to industry is that it must be “proactive” about information security risks posed by big data. The implication is that failure to do so may result in stricter data protection laws.
A proposed European Union “General Data Protection Regulation” could tighten restrictions on the use of personal data in analytics. Those restrictions could include a “privacy by design” requirement along with “privacy impact assessments.” The goal is to increase transparency about how personal data is being used and to enhance consumer rights without hampering big data innovation.
British regulators also stressed they do not accept the argument that data protection principles pose a threat to the growing use of big data analytics. Rather, their report argues that the two can coexist despite the inherent tension between privacy and big data.
“Big data is not a game that is played by different rules,” the report concluded. “There is some flexibility inherent in the data protection principles. They should not be seen as a barrier to progress, but as the framework to promote privacy rights and as a stimulus to developing innovative approaches to informing and engaging the public.”
Finally, the report endorses consumers’ right to see the personal data that companies are analyzing. That means big data firms must provide reusable formats for accessing data.