Big Data, Not Big Brother: Best Practices for Data Analytics
Peter Leonard, Gilbert + Tobin Lawyers
March 2013

How Target Knew a High School Girl Was Pregnant Before Her Parents Did
- just because you can, doesn't mean you should
- geo-location and linkages in store offers
- targeted offers to individuals: the lowest common denominator problem

Source: Harvard Business Review, October 2012
Business Process of Customer Data Analytics
- phases: data cleansing, discovery and application
- data transformation
- predictive modelling
- data mining
- data visualisation
- combining data from B2Cs, B2Bs and other sources
- above- and below-the-line media mix strategy, media sales and media planning
- media analytics

Contracting for customer data analytics
- typical contracts
- architecting protection of data
- risk assessment: in-house versus outsourced analytics
- risk mitigation: what is good industry practice?
- risk allocation: is allocation of risk relevant to privacy by design?

Source: UK ICO, Anonymisation Code of Practice, Nov 2012
Customer Data Analytics Business Model (diagram)
Parties: Shopper; Retailer A (EDW); Retailer B (EDW); Analytics Provider (DAP); FMCG Provider; Public Data Source (e.g. Bureau of Statistics)
Data flows: Shopper Transaction Data and Loyalty Offers; Raw Data from the retailer EDWs to the Analytics Provider's DAP; Transformed Data; Licensed Data Sets; Product and Market Data; Insights and visualisations; Client Reports
Key: FMCG = Fast Moving Consumer Goods; DAP = Data Analytics Platform; EDW = Enterprise Data Warehouse

Customer Data Analytics Contract Architecture (diagram)
- Shopper to Retailer A: Loyalty Card Ts & Cs, App Terms, Disclosure and Collection Statement
- Retailer A to Retailer B: Value Exchange Agreement
- Retailers to Analytics Provider: Analytics Services Agreement (one per retailer)
- Public Data Source to Analytics Provider: Data Licence Agreement
- Analytics Provider to FMCG Provider: Confidentiality and Client Agreement, Client Agreement
- FMCG Provider: Licence Agreement and/or website terms
Key: FMCG = Fast Moving Consumer Goods
The Knotty Issues
- privacy, user consent and user expectations
- data minimisation, data retention and limited access (operational) safeguards
- the anonymisation problem
- DAS outsourcing as solution and as problem: making omelettes
- IP and CI in raw data, transformed data, transformational code, methodologies and scores; IP in source code
- patent peril
- liability for inferences

Getting personal...
Singapore: personal data means data about an individual who can be identified: (a) from that data; and (b) from that data and other information to which the organisation has or is likely to have access.
EU proposed Art 4 definition of data subject: an identified natural person or natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person.
EU proposed Recital 23: The principles of data protection should not apply to data rendered anonymous in a way that the data subject is no longer identifiable.
The anonymisation problem
Source: US Office of Civil Rights (HHS.gov), HIPAA De-identification Guidance, Nov 2012

Source: Khaled El Emam, Privacy Analytics, Inc

UK ICO on limited access safeguards
- purpose limitation
- training, e.g. on security and data minimisation principles
- personnel background checks
- other arrangements for technical and organisational security, e.g. staff confidentiality agreements; controls over other data brought into the environment
- limitation to particular project(s)
- restriction on disclosure
- prohibition on attempts at re-identification
- measures for destruction of any accidentally re-identified personal data
- encryption and key management
- penalties
A pre-defined list of risk mitigations cannot be exhaustive. Data controllers must conduct their own risk assessment, e.g. using their organisation's normal data security risk assessment processes.
Source: UK ICO, Anonymisation Code of Practice, Nov 2012
Global business, local rules
- what are the current rules?
- PII/non-PII bi-polar regulation: is graduated privacy an academic aspiration or is it achievable today?
- regulatory analyses of anonymisation: EC, UK, HIPAA, Australia and Singapore
- extrapolating from the anonymisation debate to operational arrangements and privacy by design
- where does the EC profiling debate fit in?

EC discussion draft and profiling
Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Subject to: (1) contract at express request of the data subject or where suitable measures have been taken to safeguard the data subject's legitimate interests; or (2) express authorisation of State law (which also lays down suitable measures to safeguard the data subject's legitimate interests); or (3) affirmative express informed consent.

Looking forward
- are there general principles in doing global big data business?
- what regulators might do
- sector-specific rules?