UK watchdog warns firms on Big Data risks

News by Doug Drinkwater

UK watchdog The Information Commissioner's Office (ICO) has released a comprehensive report into big data which warns companies that their data analytics activities must adhere to existing data protecting laws.

The group today issued a 51-page report which covers how big data should be compliant with existing data protection laws, including the 1998 Data Protection Act, especially when dealing with personal information.

The report includes a brief description of big data and advises on the collection and repurposing of personal data, as well as how companies can ‘fair' and ‘transparent' in what details they retain. Furthermore, it looks at the benefits of big data security analytics and how this all meshes with the incoming EU General Data Protection Regulation, which could stipulate fines of up to five percent of global turnover for data breaches.

The watchdog admits that it's difficult to produce a ‘watertight' definition of big data and instead plumps for the one issued by research outfit Gartner that big data is “high volume, high-velocity and high-variety information assets  that demand cost-effective, innovative forms of information processing for enhanced insight and decision making.”

The report – which was based on year-long research - notes that both the public and private sectors have been using big data analytics to collect data such as climate and weather information, and says that such schemes have often anonymised information so that the user is not identified.

However, the ICO says that loyalty card and social media campaigns are examples where personal information is used, and adds that in these cases firms must ensure that they are ‘fair' and ‘transparent' in the collection of this data, in particular in relation to data protection law.

It advises companies to consider whether it needs to collect and repurpose personal data, and asks if companies should carry out privacy impact assessments and data ‘minimisation'.

“Big data is not a game that is played by different rules,” reads the report on page four. “There is some flexibility inherent in the data protection principles. They should not be seen as a barrier to progress, but as the framework to promote privacy rights and as a stimulus to developing innovative approaches to informing and engaging the public.”

On page 27, the ICO looks at how security ties in with big data, detailing how much such data is often held across several servers or in the cloud. Citing an ENISA report which warned of the “uncontrolled” collection and usage, the watchdog said that this shouldn't be the case if abiding by existing data protection practices.

“If responsible organisations apply their normal risk management policies and procedures when they acquire new datasets or use existing one for big data analytics, then this should not be considered “uncontrolled”.

It added: “The ability of big data analytics to analyse very large volumes of data very quickly means that it can be used to analyse network traffic, transactions and log files that are too big to handle with other technologies in order to detect patterns and anomalies to rapidly identify security threats.

Steve Wood, the ICO's head of policy delivery, said in a prepared statement: “There is a buzz around big data and emerging evidence of its economic and social benefits. But we've seen a lot of organisations that are raising questions about how they can innovate to find these benefits and still comply with the law. Individuals too are showing they're concerned about how their data is being used and shared in big data type scenarios,” said Wood.

“What we're saying in this report is that many of the challenges of compliance can be overcome by being open about what you're doing.”

Bob Tarzey, consultant and director at Quocirca, told that he was ‘amazed' the ICO felt it had to make such a statement.

“Data is just data – just because you processed it using “big data” tools and get “big data” benefits matters not a jot, the regulations regarding personal data are in place and apply at all times to everyone.”

Neira Jones, an independent advisor and chairman of the global advisory board for the Centre for Strategic Cybercrime & Security Science, agreed  by adding that the report is an ‘excellent' explainer especially with many senior IT managers still scratching their heads over the definition.

“There is still a lot of misconception out there,” Jones told SC. “Big data is currently a major topic of discussion for all industry sectors and it is used in a variety of ways. It is certainly not a surprise that the ICO has produced such a report: it acknowledges that technology evolves rapidly and it needs to keep the pace.

“Only recently, it issued guidelines on anonymisation, and a couple of years back it issued cloud computing guidelines, so Big Data is a logical step. The report offers some very clear definitions for those who are still scratching their heads.”

Barrister and solicitor Stewart Room added that the report would be ‘welcomed' by many in the industry, which has previously debated how Big Data ties with existing data protection legislation.

“Many commentators argue that data protection law doesn't fit well with Big Data, but this doesn't wash with ICO. When looking at ICO's position, it's important to bear in mind that controllers of personal data frequently argue that the law doesn't suit new technologies or processing operations, so ICO has heard it all before. ICO won't readily buy the 'too hard' argument.”

He added: “It's important for data controllers to examine their data protection law obligations while their Big Data projects are still on the drawing board. If they don't, they will be taking legal risks.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews