Privacy & Information Security Law Blog

The Centre for Information Policy Leadership (the “Centre”) this week issued “Data Protection Law and the Ethical Use of Analytics,” authored for the Centre by Paul Schwartz, Professor of Law, Berkeley Law School, University of California.  Marty Abrams shared this paper on November 30, 2010, at the European Data Protection and Privacy Conference in Brussels and plans to present the paper on December 1, 2010, at the Organization for Economic Cooperation and Development.

The paper examines the increasing role of analytics – the use of information to make decisions and to create new products and services – in 21st century organizations.  Analytics provides a way for organizations to draw on the great quantities of information in their control or available from third parties.  Leading authorities on the practice of analytics refer to the phenomenon as “the extensive use of data, statistical and quantitative analytics, explanatory and predictive models, and fact-based management to drive decisions and actions.”  According to the paper, analytics takes the information that entities have, or to which they can gain access, and converts the information into knowledge they can act on.

The paper argues that analytics should be considered in a manner that takes into account the risks that a specific use of analytics poses to privacy and the kind of responsible processes that should accompany such use.  It considers examples of analytics in action, including multichannel marketing, fraud prevention and data security, health care research and a variety of products for direct use by individuals.

The paper identifies four distinct stages of analytics: (1) collection, (2) integration and analysis, (3) decision-making and (4) review and revision.  It also proposes that responsible data processing should be tailored to the discrete stages in which analytics is used.  At the same time, the paper examines the complex questions that analytics raises for data protection law modeled on fair information practices and proposes a set of ethical guidelines for the use of analytics.

Organizations participating in this project included a cross-section of leading private sector companies that currently use analytics.  The paper’s ethical standards were developed through a series of interviews and a workshop involving experts from those organizations.  The Centre expects that this paper will form the basis for further discussions about applying data protection to advanced analytic processes.

For more information on the Centre’s projects, please visit the Centre’s website.