The Information Commissioner s role

Transcription

1 Information Commissioner s response to the House of Commons Science and Technology Committee inquiry on The big data dilemma The Information Commissioner s role 1. The Information Commissioner has responsibility for promoting and enforcing the Data Protection Act 1998 ( DPA ), the Freedom of Information Act 2000 ( FOIA ), the Environmental Information Regulations ( EIR ) and the Privacy and Electronic Communications Regulations 2003 ( PECR ). He also deals with complaints under the Re-use of Public Sector Information Regulations 2015 ( RPSI ) and the INSPIRE Regulations He is independent from government and upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Commissioner does this by providing guidance to individuals and organisations, solving problems where he can, and taking appropriate action where the law is broken. 3. The Commissioner welcomes the opportunity to respond to this consultation. We have been looking at issues to do with big data for the last two years, as we have a strong regulatory interest in the privacy and data protection risks that arise when big data analytics involve the processing of personal data. In July 2014 we published our discussion paper on Big data and data protection 1. We invited feedback on this, and in April 2015 we published a summary of that feedback, together with our response and our plans for future work 2. Our submission to this inquiry reflects our findings from that work and takes account of more recent developments. Our key points are as follows: Big data is the evolution of large scale analytics that have been used for many years, rather than a new concept. However, the new capabilities on scale, speed and the ability to combine data do represent a step change. This step change introduces new incentives and opportunities for organisations to use data and test boundaries, and therefore increases the risk to privacy. The benefits of big data should not simply be traded for privacy rights. Data protection principles still apply to big data - they challenge organisations to be innovative and they promote good 1 Information Commissioner s Office. Big data and data protection. ICO, July Available at: 2 Information Commissioner s Office. Summary of feedback on Big data and data protection and ICO response. ICO, April Available at:

2 practice. The benefits of big data will be best achieved through gaining public trust and a high level of data protection compliance is an important component of gaining this trust. Different big data scenarios will present different risks. Privacy Impact Assessments (PIAs) should be used as a tool to assess data protection risks, ensure use of personal data is proportionate and mitigate the risks identified. Government strategy should emphasize the benefits of carrying out PIAs. It should also recognise that data protection supports data quality. The HE curriculum for data scientists should include education in applying a risk-based approach to data protection. The school curriculum should raise young people s awareness of how data is used and their rights. An assurance scheme, such as the ICO s planned privacy seals programme, can raise standards of compliance, build trust and demonstrate good practice. It can be difficult for organisations to provide privacy information about big data but there are ways to do this effectively organisations will need to innovate. When obtaining meaningful consent is problematic organisations can also consider other conditions in the DPA to legitimise the processing. Further research on anonymisation techniques should be supported. There is scope for considering the introduction of a criminal offence of deliberate re-identification. The opportunities for big data, and the risks 4. We recognise the potential benefits of big data, not only in terms of the commercial opportunities for companies but also in offering timely and relevant products and services to consumers, in improving the delivery of public services and in supporting scientific and medical research. However, these benefits should not simply be traded with privacy rights. In our big data paper we identified a number of areas in which big data challenges the established principles of data protection and gives rise to privacy concerns.

3 Data protection and privacy risks 5. Fairness is a key principle in the Data Protection Act. The complexity of big data analytics, the use of algorithms to find correlations, and the increased ability to profile individuals and to make inferences about them, and use of those inferences to make decisions, can raise questions about the fairness of the processing. For personal data processing to be fair individuals must have relevant information. It can be challenging to explain to people, in clear and meaningful terms, how their data is being used. This is compounded by the fact that few people are willing to read detailed privacy notices. However, this important component of data protection should not be ignored. 6. A key characteristic of big data is the ability to bring together data of different types and use it for new purposes. In some cases this may challenge the principle that personal data collected for one purpose should not be used for a further, incompatible purpose. 7. Data protection requires that organisations process only the minimum data needed for a particular purpose. However, one of the driving forces behind big data is to collect as much data as possible, and may incentivise organisations to keep long runs of historical data. Organisations must still be able to justify this retention. 8. Big data analytics is fed by the increasing volume of data being produced. This comes not only from data that people generate through web searches, social media posts or making purchases, but also from data that may be collected without people being directly aware of it, for example from connected devices as part of the Internet of Things. Furthermore, although more and more personal information is published on social media this does not necessarily mean that it can be re-used for any purpose. This was illustrated by the example of the Samaritans Radar app 3, which alerted users to references in social media postings suggesting that people were at risk of depression or suicide. The Samaritans withdrew the app, as a result of privacy concerns. 9. The propensity of big data to push against the boundaries of data protection is not an abstract issue. In certain applications it means increased risks of discrimination through profiling, of intrusion into private life, and of people being subject to decisions on the basis of processing that is opaque to them. Different risks arise from different big data scenarios - use for research purposes, to learn about trends and broader patterns, presents different data protection 3 Orme, Jamie. Samaritans pull suicide watch Radar app over privacy concerns. Guardian online, 7 November Accessed 26 August 2015

4 risks compared to when profiles are generated and used in a targeted way on individuals. Compliance solutions can be proportionate and matched to these different risks. Data protection promotes good practice in managing data 10. The data protection principles in the DPA still apply in the context of big data, if personal data is being processed; big data is not game that is played by different rules. Rather than being a barrier to progress, the principles can enable good practice in managing data. Organisations should be clear about what they are trying to achieve, and make a realistic assessment of the benefits of the analytics and they should carry out a Privacy Impact Assessment (PIA) to identify and mitigate privacy risks. They should also seek innovative ways in which to deliver privacy notices to people when they are collecting and processing their personal data. 11. Whilst different risks and challenges are emerging that make anonymisation harder we still think that anonymisation can be an important tool in big data analytics; where data is being used to detect general trends and correlations, wherever possible and appropriate it should be anonymised so that it no longer constitutes personal data. They key is to ensure that anonymisation techniques are effectively risk assessed and only used in appropriate scenarios. Techniques such as penetration testing will be increasingly important to demonstrate the effectiveness of anonymisation. 12. In our big data paper we noted that some organisations were developing their own ethical approaches to big data, based on being as transparent as possible, taking account of the customer s point of view and building a relationship of trust with customers 4. Since then, there is more evidence of this trend, for example in the Information Accountability Foundation s big data ethical framework initiative 5 and in the work of the Cabinet Office on data science and ethics 6. We welcome this trend as it supports compliance with the data protection requirements of fairness and transparency. The forthcoming EU Data Protection Regulation 13. The forthcoming EU General Data Protection Regulation (EU GDPR) is still to be finalised 7, but the drafts under discussion contain 4 Eg Johnson, David and Henderson-Ross, Jeremy The new data values. Aimia, rch/english/whitepaperukdatavaluesfinal.pdf Accessed 26 August Cabinet Office. Open policy making toolkit. Cabinet Office, 20 March Accessed 26 August Negitionas on GDPR are currently at trilogue stage. The timetable proposes that agreement is reached by the end of There would then a two year implementation period.

5 provisions that seek to address some of the big data issues we have identified and to strengthen the rights of data subjects. These include stronger provisions on processing only the minimum data needed, requirements on clear privacy notices, and explicit requirements for data protection by design and default and for carrying out PIAs. 14. The Information Commissioner has supported the strengthening of data subjects rights whilst highlighting the overly prescriptive approach in certain aspects of the text and the need for the text to support a risk based approach. The Commissioner s latest views on the GDPR have been set out in a recent blog on the ICO website 8. Whether the Government has set out an appropriate and up-to-date path for the continued evolution of Big Data and the technologies required to support it; 15. Security of personal data is a key data protection principle, and we welcome the Government s support for research centres of excellence as part of the National Cyber Security Programme. We also welcome the development of secure research facilities, such as the Administrative Data Research Network that enables administrative data, which may in its original form identify individuals, to be used for analysis in a de-identified form by accredited researchers. 16. We would also stress the role of PIAs and the need to use them at an early stage in planning big data projects in order to mitigate privacy risks to individuals. This theme emerged strongly in the feedback we received on our big data paper. We have published a code of practice on conducting PIAs 9 and we are currently doing further work with selected industry sectors on the role of PIAs in big data, to assess how specific PIA guidance for big data can be developed. We have also published research illustrating how PIAs can be integrated with risk and project management methods already used by organisations (for example, the agile project methodology). It is important that PIAs are not seen as an afterthought to justify a controversial project but are used as a tool to assess risk from the start. This integrated approach counters the view that PIAs are additional bureaucracy or red tape. 17. There could be more explicit recognition by the Government that complying with data protection principles not only helps to protect privacy rights but also supports good practice in data management. 8 The EU Regulation approaching the home straight? ICO 26 August. Available at: 9 Information Commissioner s Office. Conducting privacy impact assessments code of practice. ICO, February 2014 Available at

6 In industry discussions of big data there is an increasing emphasis on information governance and data quality. Data protection principles map to many of the issues being considered as part of data quality, for example the provenance of the data, its sensitivity, the permissions that come with it and retention periods 10. We believe that getting data protection right can help big data organisations to improve data quality. Where gaps persist in the skills needed to take advantage of the opportunities, and be protected from the risks, and how these gaps can be filled. 18. Organisations deploying big data techniques need to think about the effect of their processing from the customer s or citizen s point of view, and consider the impact of the analytics and expectations about how their data is used. This means that data protection is not simply an issue for the compliance department. It is important that big data analysts and those responsible for data management are aware of data protection and privacy issues and are able to integrate these into their practice. This suggests a need to build awareness of these issues into graduate and post graduate level education in data science and information management. The aim is not to turn data scientists into data protection experts, but to help them to develop risk assessment skills so that they are able to identify privacy risks and mitigation measures. 19. To support this aim, we are planning a project looking at how to embed awareness of information rights, including data protection, into the HE curriculum. A tender for this project will be launched in the autumn of How public understanding of the opportunities, implications and the skills required can be improved, and informed consent secured Improving public understanding 20. We welcome the emphasis on privacy and security in the previous government s 2013 Information Economy Strategy and its aim of helping consumers to understand the value of their data, how privacy risks are managed and the benefits from permitting wider use. However, helping consumers to understand should not simply be translated into reassuring them that there s nothing to worry 10 See for example: Information lifecycle governance in a big data environment, IBM January Available at: Accessed 27 August 2015

7 about. It should be recognised that people can have legitimate concerns about the opacity and the impact of big data analytics. 21. The view that people, and in particular younger people, are not really concerned about how their data is used, because they appear to be free in sharing it, is too simplistic. There is evidence of common privacy concerns across demographics. People s attitudes also depend on how they perceive the sensitivity of different types of data and how much they trust the organisation concerned. The research published by Sciencewise in is a good overview of the public s concerns and how they differ depending on various circumstances. 22. Helping consumers to understand should also include informing the public of their rights as data subjects, including the right to request their own data, including the option of receiving their data in an open, portable format where appropriate, and the right to object to certain processing. This is part of helping people to become informed and confident digital citizens. It also means highlighting instances where big data is helping to make life easier for consumers, for example if analytics are used to make the process of applying for insurance easier. 23. Education plays an important role in this and in making people aware of how their data may be used in a big data context. To assist with this, we have produced a set of lesson plans for primary and secondary schools, dealing with data protection issues 12. In a similar vein, the irights initiative 13 promotes information rights for young people in the digital world. Privacy seals 24. A further way to improve public understanding is to provide a visible stamp of approval or kite mark, to show that particular instances of data processing demonstrate good practice in in data protection compliance. The ICO is actively working to introduce a privacy seals scheme 14, under which we would endorse scheme operators who would award an ICO privacy seal to organisations that meet the assessment criteria and can demonstrate that they are following the highest data protection standards. There has been considerable interest in this idea since we first proposed it, and the forthcoming GDPR is likely to include a provision to encourage the use of similar 11 Sciencewise. Public views on big data Available at: 12 Information Commissioner s Office. Resources for schools. Available at Farmer, Gemma. What you need to know about ICO privacy seals. ICO, 28 January

8 schemes. In the context of big data, we think privacy seals have an important role to play in improving transparency, building trust and promoting good practice. The first ICO endorsed schemes are likely to be operational in Securing informed consent 25. The issue of how to secure informed consent in the context of big data, (or indeed whether it is possible to do so), has been much discussed and it has been suggested that the concept of notice and consent does not work in relation to big data. We do not accept that view, but we do agree that it is more challenging to secure consent in big data, and we do point out that there are alternatives. 26. Providing information about the processing through a privacy notice is a requirement of data protection, and it is essential to obtaining consent. In the section above on the opportunities for big data and the risks we noted the difficulties that can arise in providing privacy notices for big data. To address these, we would firstly emphasise that the DPA requires data controllers to explain the purposes of the processing, rather than the detail of the analytics. Secondly, we consider that big data challenges organisations to seek innovative ways to deliver privacy information, for example by using graphics and videos, and by providing layered and just in time notices. Our guidance on Privacy in mobile apps 15 gives examples of these. We are also in the process of updating our code of practice on privacy notices and will consult on a new version in October Consent is one of the conditions which allow an organisation to process personal data. The consent must be freely given, specific and informed. If an organisation is collecting personal data to use in big data analytics, and it is relying on consent to legitimise this, then it has to make people aware of all the intended uses of the data, including, for example, whether it is going to share the data with other organisations. Similarly, if an organisation is acquiring data from elsewhere, it has to satisfy itself that the original consent covers that further use of the data. Given the complex and sometimes unforeseen uses of data in big data analytics, this can of course be problematic. Furthermore, freely given means that people can also withdraw their consent. Records of consent should held in open formats to enable consent to be easily understood and respected by different systems. As part of our work on nuisance calls we are exploring how standards can be developed to support 15 Information Commissioner s Office. Privacy in mobile apps. ICO, December

9 this 16. Open standards should also be developed to revoke consent across different systems. 28. Consent is not the only possible condition, and, given the difficulties with it, big data organisations should consider whether other conditions would be more appropriate. In particular, an alternative condition is that the processing is necessary for the legitimate interests of the organisation processing the data. The organisation may have a number of legitimate interests that may be relevant, such as profiling customers in order to target its marketing, preventing fraud or the misuse of services, or physical or IT security. However, in that case, the processing must be necessary for those legitimate interests; if there is another way to meet them which would not involve processing personal data, then the processing is not necessary. Furthermore, if the processing represents an unwarranted interference with people s rights, freedoms and their legitimate interests, then the condition does not apply. This means that the organisation must assess the impact of the processing on people s privacy and balance this against the interests it has identified. This condition therefore places the responsibility on the organisation to take account of all these factors and reach a balanced decision, rather than making the individual responsible for deciding whether to give their consent. Any further support needed from Government to facilitate R&D on Big Data, including to secure the required capital investment in Big Data research facilities and for their ongoing operation. 29. We consider that anonymisation is a key issue in big data analytics, and part of the research effort could usefully be directed to this. In many cases, big data analytics does not need to use data that identifies individuals, if the aim is to detect general trends and characteristics. If the data is anonymised so that individuals can no longer be identified from it, either alone or in combination with other data, then it is not personal data and is not covered by the DPA. Doing this removes an area of risk for the organisation, and it also means that they can assure people that data which identifies them is not being used. 30. However, this is a complex and indeed a controversial area. Some studies have suggested that anonymisation does not work, and that it is not possible to completely anonymise a dataset; however, other studies have challenged those findings. Although there are examples 16 Which nuisance calls taskforce on consent and lead generation. Which? Available at:

10 of inadequate anonymisation, this does not mean that it cannot be done effectively. 31. The UK Anonymisation Network 17, which was initiated by the ICO, provides an expert resource on anonymisation techniques for practitioners. There may be scope for more work on this, in order to develop techniques that can be applied by practitioners in different sectors and big data applications. 32. The development of big data increases the risk that individuals may be re-identified from apparently anonymised datasets. If an organisation or an individual does this, then in DPA terms they become the data controller for that data. They take on all the responsibilities of a data controller, including telling the individuals concerned that they are processing their personal data. If they process personal data without their knowledge, and there is a risk of harm to the individuals, then the Commissioner may take regulatory action, including the imposition of a civil monetary penalty of up to 500,000. However, we propose that there is merit in considering whether the introduction of a specific criminal offence would be more appropriate and provide a stronger deterrent for those who deliberately seek to re-identify individuals. Information Commissioner s Office, 3 September 2015 Version 1.0 (final) 17