Summary of feedback on Big data and data protection and ICO response

Transcription

1 Summary of feedback on Big data and data protection and ICO response Contents Introduction... 2 Question Impacts and benefits; privacy impact assessments (PIAs)... 3 New approaches to data protection... 3 Legitimate interests... 4 Public sector... 4 EU General Data Protection Regulation (EU GDPR)... 4 Anonymisation... 5 Access to personal data... 5 Question Question Privacy engineering... 8 Technical security... 9 Privacy Impact Assessments... 9 Personal data services... 9 Terms and conditions Limiting data collection Actions to raise awareness

2 Introduction Our paper on Big data and data protection was published on 28 July It set out our understanding of the data protection issues raised by big data and contributed to the ongoing discussion of big data and privacy. The launch of the paper was widely reported across websites dealing with IT and information law. The House of Commons Science and Technology Committee quoted our paper in their report on Responsible use of data 1. It was well received at the 36 th International Conference of Data Protection and Privacy Commissioners and their Resolution on big data 2 reflected the approach we put forward in the paper. The paper included three questions on which we invited feedback. We originally gave a deadline of 12 September 2014 for this but, recognising that more time was needed because of the summer holidays, we extended it to 17 October. We received responses to the consultation from ten organisations. Four of these came from companies, two from trade associations, two from organisations dealing with information and privacy, one from the higher education sector and one from a media organisation. Most of the responses were detailed and lengthy, in some cases with references to other research and current projects. Some included paragraph-by-paragraph comments on our paper while others put forward more general arguments. This has provided us with a great deal of useful material, and we thank all those who gave their time in providing these responses. In this document we are not able to list all the points made by every respondent, but we have picked out and discussed what we consider to be the key themes. There appears to be a consensus that the general approach we put forward in the paper is on the right lines, but there are many suggestions about changes of emphasis and new points that could be added. We will make some revisions to the paper and re-issue it in the light of this feedback in summer House of Commons. Science and Technology Committee Responsible use of data. HC245. The Stationery Office Ltd, November Accessed 6 February th International Conference of Data protection and Privacy Commissioners. Resolution on big data. Conference, October Accessed 6 February

3 Responses to questions Question 1 Does this paper adequately reflect the data protection issues arising from big data or are there other relevant issues that are not covered here? If so, what are they? Impacts and benefits; privacy impact assessments (PIAs) A theme that emerged in a number of responses was the importance of assessing the impact of the analytics on individuals, and differentiating between levels of impact. For example, big data analytics may be used to offer a product to a consumer, but it was suggested that people would see this as less significant or sensitive than using it to make a decision about their application for life assurance. We d broadly agree with this point. The importance of making a proper assessment of the benefits of the processing in question, and explaining this to data subjects, was also stressed. Assessing impacts on and benefits to individuals is a key part of determining whether processing is fair. A central theme of our paper is the continuing relevance of the DPA principle of fairness. We are also pleased to note a number of respondents support our view of the role of PIAs. We discuss this further in relation to Question 3 below. New approaches to data protection In the paper, we consider the argument that big data requires a regulatory focus on how data is used, rather than on how it is collected. We argue that data protection principles are still relevant to big data analytics, and that it is still necessary to tell people about the processing through privacy notices. Most respondents agreed with our general position, although the difficulty of providing privacy information and of seeking consent in a big data context was recognised. One respondent argued that there should be equal focus on the use (or misuse) of data and that it is better to regulate at the point where the potential for harm is created. We recognise the challenges of providing privacy notices. Some respondents mentioned the need to develop new ways of delivering these and we will continue to look for innovative examples of how to do this in a big data context. 3

4 Legitimate interests One respondent suggested that the paper focussed too much on consent as a condition, and that it is not always practical to obtain this in a big data context. They suggested that the paper did not sufficiently recognise the relevance of the legitimate interests condition for processing personal data. They argued that this condition can authorise new uses of the data, since it provides that personal data may be processed if it is necessary for the legitimate interests of the data controller (or a third party) unless there is unwarranted prejudice to the rights, freedoms and legitimate interest of the data subject. This condition puts an emphasis on organisational accountability rather than individual responsibility for giving consent. Our paper deals with consent at greater length than legitimate interests, partly because the former is an issue which is the subject of current debate in the context of big data. We did not mean to imply that consent is the only or the most important condition; any of the conditions listed in the Data Protection Act and the Data Protection Directive can legitimise the processing of personal data. The need to balance the legitimate interests of the data controller with the rights and freedoms of individuals is a key theme in our paper. We agree also that this is consistent with organisational accountability. Public sector One respondent noted that the paper was mainly focussed on private sector uses of big data, and commented that there are differences in the way that personal data is handled in public authorities, in that they often rely on conditions other than consent, and because of the potential role of the Senior Information Risk Owner (SIRO) in addressing data protection concerns. While the paper makes some reference to public sector uses of big data, we accept that it does not directly address the differences between that and the private sector. This reflects the research carried out for the paper and the examples available to us. We will consider developing the theme of big data in the public sector in the new version of the paper. EU General Data Protection Regulation (EU GDPR) Several respondents felt that we should have said more about the possible impact of the proposed EU GDPR and its implications for big data. 4

5 In the paper we tried to show how the proposed provisions reflect some of the data protection issues posed by big data. However, we did not try to give a detailed commentary on the EU GDPR, since we have previously published commentaries on the draft versions and also because the proposals have not yet been agreed by the EU. If the EU GDPR is passed, guidance will have to be issued on any provisions relating to profiling, but it is premature to analyse further at this stage. Anonymisation Some respondents mentioned the role of anonymisation and said that big data used for the analysis of general trends is often anonymised, so that it is no longer personal data. At the same time it was also pointed out that the knowledge gained from analysing anonymised data can be used to make decisions that impact upon individuals, and we agree that this is the case. Access to personal data The paper discusses ways of facilitating people s access to their own data. It was pointed out that website interactions automatically generate a large amount of data, and it is important to enable people to see the major items of personal data held about them, rather than necessarily all of this data. We agree that new ways of facilitating access to personal data should be a tool for transparency by enabling people to understand what data is held about them and how it is used. At the same time we must recognise that the subject access provisions of the DPA give data subjects a wideranging right to obtain their personal data. 5

6 Question 2 Should the ICO produce further guidance documents to help organisations that are doing big data analytics to meet data protection requirements? If so, what should they cover? Suggestions made in response to this question included the following: The ICO should encourage organisations to undertake a cost benefit analysis as part of big data projects. This would include estimating in advance how useful the datasets are likely to be and then measuring and reviewing this once they are being used. Some respondents wanted to see more practical, technical guidance, including guidance on particular technologies. At the same time it was recognised that this is not necessarily a job for the ICO alone, and that industry has a role to play, for example in developing standardised categories to inform people of how their data is being used. One respondent wanted to see further guidance on what the EU GDPR means for big data analytics, once the Regulation is agreed. One respondent wanted to see more guidance on encryption and deletion of records in the cloud. One respondent wanted to see examples of how an organisation could communicate possible future uses of data in a privacy notice. One respondent suggested that the paper should be reorganised and reissued to improve usability and readability. Another suggested that it should be split into smaller separate documents on specific topics, to make it easier to read. Our document on Big data and data protection was intended as a discussion paper, setting out our view of the data protection issues involved in big data. It was therefore a contribution to the growing debate, rather than a guidance document. We recognise that it was particularly long, and this was because we were trying to cover a large number of complex issues. As noted at the beginning, we will publish a new version of the paper in the summer, with some revisions based on the comments received. After 6

7 that, we envisage that any future work we do on big data is likely to be in the context of specific issues, as the need arises. We welcome the recognition that there is a role for business and other organisations doing big data analytics to develop standards and guidance, and we are happy to support this. We have started a review of our Privacy notices code of practice, and as part of this we will consider how the Code can reflect the issues discussed here about transparency in the context of big data. We expect that the review will be concluded by the end of June

8 Question 3 This paper refers to a number of practical measures and tools that can help to protect data privacy in the context of big data analytics: anonymisation, privacy impact assessments, privacy by design, privacy notices, data portability and privacy seals. Are other practical measures and tools needed? If so, what are they? Respondents mentioned a number of measures and tools in response to this question: Privacy engineering One respondent pointed out that the paper mentions Privacy by Design but does not give practical advice on how to implement it. It was also argued that Privacy by Design is not just a legal question but an engineering one, and that the protection it gives is constrained by the technical architecture of the system. There is therefore a role for privacy engineering, which would involve bringing legal and policy people in an organisation together with technical experts to develop ethical approaches to designing systems. It was suggested that there is a role for the ICO in encouraging colleges and universities to build this into the curriculum, and also a role in providing technical guidance to, and working with, privacy engineers. We agree that Privacy by Design involves using a range of organisational and technical measures, and that although some useful work has been done, which we reference in the paper, there is a need for more work and practical examples. One example we are working on is researching privacy enhancing technologies. The ICO s in-house capacity for developing technical solutions is limited, but we are happy to work with external technical experts, as we have done, for example, with the UK Anonymisation Network 3. We will also consider how we can encourage the recognition of privacy and data protection issues in university IT and information management courses, which will often teach the techniques related to big data. 3 UK Anonymisation Network website Accessed 6 February

9 We are also active members of the newly formed Internet Privacy Engineering Network 4 (IPEN) and will continue to input into work on privacy by design solutions for big data at an international level. Technical security One respondent suggested that the measures and tools should include recognition of the role played by technical security measures in protecting personal data. We agree that people are concerned not only about whether organisations are using their data in unexpected ways, but also whether they are keeping it securely. We will continue to emphasise the need for adequate security of personal data in any future work on big data. Privacy Impact Assessments Some respondents mentioned PIAs as a tool in making the assessment of impacts and benefits, and as a way of highlighting less privacy-intrusive methods. It was emphasised that these should not be used simply to rubber stamp a previously agreed plan. We agree that PIAs are particularly important in the context of big data analytics. We will continue to promote our Privacy impact assessment code of practice which contains practical advice on how to do PIAs. One respondent argued for the importance of privacy risk assessments: they can enable responsible decisions about data use, they place the burden of privacy protection on the organisation and they allow for flexibility in the application of the data protection principles. We agree with these points and we think that the principles of a privacy risk assessment, as described, are very much in line with those of PIAs. We will liaise with key stakeholders to discuss the development of more specific PIA guidance on big data that uses the ICO PIA code as a framework. We would look to identify a sector, professional or industry body to take this work forward. This should also be supplemented by case studies. Personal data services One respondent suggested that we should say more about the role of personal data services (trusted third parties managing access to personal data on behalf of data subjects). We are aware of developments in this 4 IPEN website Accessed 6 February

10 area, although we consider that at the moment there is a need for more pilot projects and practical examples to show their potential. Terms and conditions It was suggested that there is scope for developing simplified terms and conditions, based on agreed categories of data usage. This supports the points we have made about the need for innovation in delivering privacy notices. Limiting data collection One respondent said that there should be more emphasis on limiting data collection to that which is actually needed, and that this would reduce the amount of information that needs to be analysed and make it easier for people to understand what information has been collected. Our paper addresses the issue of data minimisation and says that organisations need to be clear about what data they actually need for their purposes. Actions to raise awareness In order to raise awareness of the data protection risks, highlight case studies and best practice, and continue discussions about innovative privacy enhancing solutions we plan to hold a seminar on privacy and big data later in We will provide more details and ask for expressions of interest in due course. We intend this event to follow on from the planned sectoral work on PIAs. 10