Privacy & Information Security Law Blog

On April 10, 2015, the UK Information Commissioner’s Office (“ICO”) published a summary of the feedback received from its July 28, 2014 report on Big Data and Data Protection (the “Report”). The ICO plans to revise its Report in light of the feedback received on three key questions and re-issue the Report in the summer of 2015. Below are key highlights set forth in the summary, entitled  Summary of feedback on Big Data and data protection and ICO response (“Summary of Feedback”).

Question 1: Does the paper adequately reflect the data protection issues arising from big data or are there other relevant issues that are not covered? If so, what are they?

• Assessing the impacts and benefits of big data analytics is important and plays a critical role in determining whether processing is fair. The impact on individuals depends on the sensitivity of the intended data use.
• There was agreement that big data requires a regulatory focus on the use, rather than collection, of data. Respondents expressed, however, that while applying data protection principles, such as providing notice or seeking consent, in the context of big data is challenging, it is still necessary. They also found that regulation should focus on data use and on potential harms.
• The Report focuses too much on consent as a condition to processing personal data and there is not enough recognition of the relevance of the “legitimate interests” condition for processing. According to the Summary of Feedback, the ICO did not mean to imply that consent is the only or the most important condition for processing.
• The Report lacks clarity on the distinction between public sector and private sector uses of big data.
• Anonymization is an important issue in connection with big data analysis, in part because decisions based on the analysis of anonymized data can impact individuals.

Question 2: Should the ICO produce further guidance documents to help organizations that are doing big data analytics to meet data protection requirements? If so, what should they cover?

In response to this question, the main items raised by respondents included:

• Cost benefit analysis in the context of big data
• Practical and technical guidance on particular technologies
• What the EU General Data Protection Regulation will mean for big data analytics
• Encryption and deletion of records in the cloud
• How to communicate future data uses in privacy notices

Question 3: Are additional practical measures and tools (in addition to anonymization, privacy impact assessments, privacy by design, privacy notices, data portability and privacy seals) needed to help protect data privacy in the context of big data analytics? If so, what are they?

• Privacy engineering to implement privacy by design
• Technical security measures to protect data
• The assessment of impact and benefits and privacy risk assessments

The ICO plans to hold a seminar on privacy and big data later in 2015.