ICO publish report on big data
Download the paper here.
The ICO acknowledges that it is difficult to give a “watertight definition” of big data but suggests that it is a shorthand way of describing the features of certain data and how that data is processed. The Gartner IT glossary defines it as: “high volume, high velocity, high variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making. Perhaps not the clearest definition, but the emphasis is on high volume – huge datasets, high velocity – fast processing of those datasets, and high variety – datasets comprising data from a wide variety of sources.
Many instances of big data analytics do not involve processing personal data at all. Some do, however, using personal data from sources such as social media or loyalty cards and big data can, of course, be used to fine-tune offers of products/services to individuals based on their preferences or lifestyle. Big data analytics can also involve automated processing and s12 Data Protection Act 1998 (DPA) entitles individuals not to have decisions taken about them which significantly affect them that rely solely on automated means. It follows that, where personal data is being used in big data analytics, processors must ensure compliance with the DPA.
Says Richard Lindsay, Director of Legal & Public Affairs, IPA: “The paper reminds readers that one of the key data protection requirements under the DPA is that the processing of personal data is fair. Organisations must be transparent when collecting data and explain to data subjects how they intend to use their data. Similarly, if intending to repurpose personal data, organisations must ensure that the data subject is made aware of any new purpose.
“There is nothing particularly new or surprising in the paper. It is, though, a useful reminder to organisations that carry out big data analytics that they need to consider whether the data they are processing includes personal data and, if it does, that they comply with the DPA.”
Last updated 26/09/2014