Summary of feedback on Big data and data protection and ICO response



Similar documents
The Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking

Data Protection Act. Conducting privacy impact assessments code of practice

The U.K. Information Commissioner s Office Report on Big Data and Data Protection

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

8970/15 FMA/AFG/cb 1 DG G 3 C

The new EU Clinical Trials Regulation How NHS research and patients will benefit

Electronic Palliative Care Co-Ordination Systems: Information Governance Guidance

Template for Automatic Number Plate Recognition (ANPR) Infrastructure Development Privacy Impact Assessment

Data protection. Data sharing code of practice

Big Data, Not Big Brother: Best Practices for Data Analytics Peter Leonard Gilbert + Tobin Lawyers

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

Response of the German Medical Association

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

Information Governance Framework. June 2015

Nottinghamshire County Council. Data protection audit report

Memorandum of Understanding between the Financial Conduct Authority and the Bank of England, including the Prudential Regulation Authority

Observations on international efforts to develop frameworks to enhance privacy while realising big data s benefits

9360/15 FMA/AFG/cb 1 DG G 3 C

Data Protection Policy June 2014

Guidance on data security breach management

Scotland s Commissioner for Children and Young People Records Management Policy

The Future Of UK Pharmaceutical Best Practices --By Lincoln Tsang and Silvia Valverde, Arnold & Porter LLP

EUROPEAN COMMISSION HIGH LEVEL PROCESS OF REFLECTION ON PATIENT MOBILITY AND HEALTHCARE

INFORMATION GOVERNANCE STRATEGY NO.CG02

Data Protection Policy

On the edge Lexis PSL Restructuring & Insolvency

Guidance on political campaigning

Value of the EU Data Protection Reform against the Big Data challenges. Keynote address 5th European Data Protection Days Berlin, 4.5.

New EU Data Protection legislation comes into force today. What does this mean for your business?

A Changing Commission: How it affects you - Issue 1

technical factsheet 176

Data and Cyber Laws Up-date 9 July 2015

TUPE STEVEN FLYNN. Barrister. St John s Buildings. June 2015 St John s Buildings 1

Office of Fair Trading (OFT) Online Targeting of Advertising and Prices Market Study Response by the Internet Advertising Bureau

All Party Parliamentary Group (APPG) on Nuisance Calls inquiry into Nuisance Telephone Calls. Written evidence from BT.

Information Governance Management Framework

Information Sharing Policy

BCS, The Chartered Institute for IT Consultation Response to:

Big Data for Mutuals. Marc Dautlich 25 November 2013

Privacy in mobile apps

AER reference: 52454; D14/54321 ACCC_09/14_865

DELIVERING OUR STRATEGY

Establishing and Operating a Quality Management System Experiences of the EUROSAI Training Committee Seminar in Budapest

Improving quality through regular reviews:

The RFID agenda of the European Commission. Florent Frederix European Commission Directorate General Information Society and Media

Cloud (educational apps) software services and the Data Protection Act

International Privacy and Data Security Requirements. Benedict Stanberry, LLB LLM MRIN Director, Centre for Law Ethics and Risk in Telemedicine

European Commission Green Public Procurement (GPP) Training Toolkit - Module 1: Managing GPP Implementation. Joint procurement.

Public Consultation regarding Data Sharing and Governance Bill. Contribution of Office of the Data Protection Commissioner

Attitudes to Use of Social Networks in the Workplace and Protection of Personal Data

The European Qualifications Framework for Lifelong Learning (EQF)

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

NMBA Registered nurse standards for practice survey

Guidelines on Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-User Terminal Equipment

Report of the 2015 Big Data Survey. Prepared by United Nations Statistics Division

Auditing data protection a guide to ICO data protection audits

PCL2\ \1 CYBER RISKS: RISK MANAGEMENT STRATEGIES

How To Use A Surveillance Camera Safely

Data Protection Act Guidance on the use of cloud computing

AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING

Lobbying: Sweet Smell of Success?

RECOMMENDATIONS COMMISSION

Governance. Information. Bulletin. Welcome to the nineteenth edition of the information governance bulletin

Information governance strategy

Article 29 Working Party Issues Opinion on Cloud Computing

Contents. Section/Paragraph Description Page Number

Application of Data Protection Concepts to Cloud Computing

The guidance will be developed over time in the light of practical experience.

Crime-mapping and geo-spatial crime data: privacy and transparency

Information Governance Policy

Data Security and Extranet

Principles and Guidelines on Confidentiality Aspects of Data Integration Undertaken for Statistical or Related Research Purposes

Transcription:

Summary of feedback on Big data and data protection and ICO response Contents Introduction... 2 Question 1... 3 Impacts and benefits; privacy impact assessments (PIAs)... 3 New approaches to data protection... 3 Legitimate interests... 4 Public sector... 4 EU General Data Protection Regulation (EU GDPR)... 4 Anonymisation... 5 Access to personal data... 5 Question 2... 6 Question 3... 8 Privacy engineering... 8 Technical security... 9 Privacy Impact Assessments... 9 Personal data services... 9 Terms and conditions... 10 Limiting data collection... 10 Actions to raise awareness... 10 1

Introduction Our paper on Big data and data protection was published on 28 July 2014. It set out our understanding of the data protection issues raised by big data and contributed to the ongoing discussion of big data and privacy. The launch of the paper was widely reported across websites dealing with IT and information law. The House of Commons Science and Technology Committee quoted our paper in their report on Responsible use of data 1. It was well received at the 36 th International Conference of Data Protection and Privacy Commissioners and their Resolution on big data 2 reflected the approach we put forward in the paper. The paper included three questions on which we invited feedback. We originally gave a deadline of 12 September 2014 for this but, recognising that more time was needed because of the summer holidays, we extended it to 17 October. We received responses to the consultation from ten organisations. Four of these came from companies, two from trade associations, two from organisations dealing with information and privacy, one from the higher education sector and one from a media organisation. Most of the responses were detailed and lengthy, in some cases with references to other research and current projects. Some included paragraph-by-paragraph comments on our paper while others put forward more general arguments. This has provided us with a great deal of useful material, and we thank all those who gave their time in providing these responses. In this document we are not able to list all the points made by every respondent, but we have picked out and discussed what we consider to be the key themes. There appears to be a consensus that the general approach we put forward in the paper is on the right lines, but there are many suggestions about changes of emphasis and new points that could be added. We will make some revisions to the paper and re-issue it in the light of this feedback in summer 2015. 1 House of Commons. Science and Technology Committee Responsible use of data. HC245. The Stationery Office Ltd, November 2014 http://www.publications.parliament.uk/pa/cm201415/cmselect/cmsctech/245/245.pdf Accessed 6 February 2015 2 36 th International Conference of Data protection and Privacy Commissioners. Resolution on big data. Conference, October 2014. http://www.privacyconference2014.org/media/16427/resolution-big-data.pdf Accessed 6 February 2015 2

Responses to questions Question 1 Does this paper adequately reflect the data protection issues arising from big data or are there other relevant issues that are not covered here? If so, what are they? Impacts and benefits; privacy impact assessments (PIAs) A theme that emerged in a number of responses was the importance of assessing the impact of the analytics on individuals, and differentiating between levels of impact. For example, big data analytics may be used to offer a product to a consumer, but it was suggested that people would see this as less significant or sensitive than using it to make a decision about their application for life assurance. We d broadly agree with this point. The importance of making a proper assessment of the benefits of the processing in question, and explaining this to data subjects, was also stressed. Assessing impacts on and benefits to individuals is a key part of determining whether processing is fair. A central theme of our paper is the continuing relevance of the DPA principle of fairness. We are also pleased to note a number of respondents support our view of the role of PIAs. We discuss this further in relation to Question 3 below. New approaches to data protection In the paper, we consider the argument that big data requires a regulatory focus on how data is used, rather than on how it is collected. We argue that data protection principles are still relevant to big data analytics, and that it is still necessary to tell people about the processing through privacy notices. Most respondents agreed with our general position, although the difficulty of providing privacy information and of seeking consent in a big data context was recognised. One respondent argued that there should be equal focus on the use (or misuse) of data and that it is better to regulate at the point where the potential for harm is created. We recognise the challenges of providing privacy notices. Some respondents mentioned the need to develop new ways of delivering these and we will continue to look for innovative examples of how to do this in a big data context. 3

Legitimate interests One respondent suggested that the paper focussed too much on consent as a condition, and that it is not always practical to obtain this in a big data context. They suggested that the paper did not sufficiently recognise the relevance of the legitimate interests condition for processing personal data. They argued that this condition can authorise new uses of the data, since it provides that personal data may be processed if it is necessary for the legitimate interests of the data controller (or a third party) unless there is unwarranted prejudice to the rights, freedoms and legitimate interest of the data subject. This condition puts an emphasis on organisational accountability rather than individual responsibility for giving consent. Our paper deals with consent at greater length than legitimate interests, partly because the former is an issue which is the subject of current debate in the context of big data. We did not mean to imply that consent is the only or the most important condition; any of the conditions listed in the Data Protection Act and the Data Protection Directive can legitimise the processing of personal data. The need to balance the legitimate interests of the data controller with the rights and freedoms of individuals is a key theme in our paper. We agree also that this is consistent with organisational accountability. Public sector One respondent noted that the paper was mainly focussed on private sector uses of big data, and commented that there are differences in the way that personal data is handled in public authorities, in that they often rely on conditions other than consent, and because of the potential role of the Senior Information Risk Owner (SIRO) in addressing data protection concerns. While the paper makes some reference to public sector uses of big data, we accept that it does not directly address the differences between that and the private sector. This reflects the research carried out for the paper and the examples available to us. We will consider developing the theme of big data in the public sector in the new version of the paper. EU General Data Protection Regulation (EU GDPR) Several respondents felt that we should have said more about the possible impact of the proposed EU GDPR and its implications for big data. 4

In the paper we tried to show how the proposed provisions reflect some of the data protection issues posed by big data. However, we did not try to give a detailed commentary on the EU GDPR, since we have previously published commentaries on the draft versions and also because the proposals have not yet been agreed by the EU. If the EU GDPR is passed, guidance will have to be issued on any provisions relating to profiling, but it is premature to analyse further at this stage. Anonymisation Some respondents mentioned the role of anonymisation and said that big data used for the analysis of general trends is often anonymised, so that it is no longer personal data. At the same time it was also pointed out that the knowledge gained from analysing anonymised data can be used to make decisions that impact upon individuals, and we agree that this is the case. Access to personal data The paper discusses ways of facilitating people s access to their own data. It was pointed out that website interactions automatically generate a large amount of data, and it is important to enable people to see the major items of personal data held about them, rather than necessarily all of this data. We agree that new ways of facilitating access to personal data should be a tool for transparency by enabling people to understand what data is held about them and how it is used. At the same time we must recognise that the subject access provisions of the DPA give data subjects a wideranging right to obtain their personal data. 5

Question 2 Should the ICO produce further guidance documents to help organisations that are doing big data analytics to meet data protection requirements? If so, what should they cover? Suggestions made in response to this question included the following: The ICO should encourage organisations to undertake a cost benefit analysis as part of big data projects. This would include estimating in advance how useful the datasets are likely to be and then measuring and reviewing this once they are being used. Some respondents wanted to see more practical, technical guidance, including guidance on particular technologies. At the same time it was recognised that this is not necessarily a job for the ICO alone, and that industry has a role to play, for example in developing standardised categories to inform people of how their data is being used. One respondent wanted to see further guidance on what the EU GDPR means for big data analytics, once the Regulation is agreed. One respondent wanted to see more guidance on encryption and deletion of records in the cloud. One respondent wanted to see examples of how an organisation could communicate possible future uses of data in a privacy notice. One respondent suggested that the paper should be reorganised and reissued to improve usability and readability. Another suggested that it should be split into smaller separate documents on specific topics, to make it easier to read. Our document on Big data and data protection was intended as a discussion paper, setting out our view of the data protection issues involved in big data. It was therefore a contribution to the growing debate, rather than a guidance document. We recognise that it was particularly long, and this was because we were trying to cover a large number of complex issues. As noted at the beginning, we will publish a new version of the paper in the summer, with some revisions based on the comments received. After 6

that, we envisage that any future work we do on big data is likely to be in the context of specific issues, as the need arises. We welcome the recognition that there is a role for business and other organisations doing big data analytics to develop standards and guidance, and we are happy to support this. We have started a review of our Privacy notices code of practice, and as part of this we will consider how the Code can reflect the issues discussed here about transparency in the context of big data. We expect that the review will be concluded by the end of June 2015. 7

Question 3 This paper refers to a number of practical measures and tools that can help to protect data privacy in the context of big data analytics: anonymisation, privacy impact assessments, privacy by design, privacy notices, data portability and privacy seals. Are other practical measures and tools needed? If so, what are they? Respondents mentioned a number of measures and tools in response to this question: Privacy engineering One respondent pointed out that the paper mentions Privacy by Design but does not give practical advice on how to implement it. It was also argued that Privacy by Design is not just a legal question but an engineering one, and that the protection it gives is constrained by the technical architecture of the system. There is therefore a role for privacy engineering, which would involve bringing legal and policy people in an organisation together with technical experts to develop ethical approaches to designing systems. It was suggested that there is a role for the ICO in encouraging colleges and universities to build this into the curriculum, and also a role in providing technical guidance to, and working with, privacy engineers. We agree that Privacy by Design involves using a range of organisational and technical measures, and that although some useful work has been done, which we reference in the paper, there is a need for more work and practical examples. One example we are working on is researching privacy enhancing technologies. The ICO s in-house capacity for developing technical solutions is limited, but we are happy to work with external technical experts, as we have done, for example, with the UK Anonymisation Network 3. We will also consider how we can encourage the recognition of privacy and data protection issues in university IT and information management courses, which will often teach the techniques related to big data. 3 UK Anonymisation Network website http://ukanon.net/ Accessed 6 February 2015 8

We are also active members of the newly formed Internet Privacy Engineering Network 4 (IPEN) and will continue to input into work on privacy by design solutions for big data at an international level. Technical security One respondent suggested that the measures and tools should include recognition of the role played by technical security measures in protecting personal data. We agree that people are concerned not only about whether organisations are using their data in unexpected ways, but also whether they are keeping it securely. We will continue to emphasise the need for adequate security of personal data in any future work on big data. Privacy Impact Assessments Some respondents mentioned PIAs as a tool in making the assessment of impacts and benefits, and as a way of highlighting less privacy-intrusive methods. It was emphasised that these should not be used simply to rubber stamp a previously agreed plan. We agree that PIAs are particularly important in the context of big data analytics. We will continue to promote our Privacy impact assessment code of practice which contains practical advice on how to do PIAs. One respondent argued for the importance of privacy risk assessments: they can enable responsible decisions about data use, they place the burden of privacy protection on the organisation and they allow for flexibility in the application of the data protection principles. We agree with these points and we think that the principles of a privacy risk assessment, as described, are very much in line with those of PIAs. We will liaise with key stakeholders to discuss the development of more specific PIA guidance on big data that uses the ICO PIA code as a framework. We would look to identify a sector, professional or industry body to take this work forward. This should also be supplemented by case studies. Personal data services One respondent suggested that we should say more about the role of personal data services (trusted third parties managing access to personal data on behalf of data subjects). We are aware of developments in this 4 IPEN website https://secure.edps.europa.eu/edpsweb/edps/edps/ipen Accessed 6 February 2014 9

area, although we consider that at the moment there is a need for more pilot projects and practical examples to show their potential. Terms and conditions It was suggested that there is scope for developing simplified terms and conditions, based on agreed categories of data usage. This supports the points we have made about the need for innovation in delivering privacy notices. Limiting data collection One respondent said that there should be more emphasis on limiting data collection to that which is actually needed, and that this would reduce the amount of information that needs to be analysed and make it easier for people to understand what information has been collected. Our paper addresses the issue of data minimisation and says that organisations need to be clear about what data they actually need for their purposes. Actions to raise awareness In order to raise awareness of the data protection risks, highlight case studies and best practice, and continue discussions about innovative privacy enhancing solutions we plan to hold a seminar on privacy and big data later in 2015. We will provide more details and ask for expressions of interest in due course. We intend this event to follow on from the planned sectoral work on PIAs. 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information