Big Data And Data Protection: Preparing For Tales Of The Unexpected

Data protection law - the bundle of statutory duties on those who handle personal data about individuals and the corresponding rights for the individuals concerned - sits plumb in the centre of data law, an increasingly broad and complex amalgam of contract law, intellectual property and regulation.

An important area of looming challenge for data protection lawyers at the moment is Big Data, the aggregation and analysis of datasets of great volume, variety and velocity for the purpose of competitive advantage1, where the business world is just at the start of a period of rapid adoption.

On 28 July 2014, the Information Commissioner's Office (ICO) published a paper on Big Data and Data Protection2. Unsurprisingly, the paper's main themes are that Big Data's complexity is no reason not to apply data protection law, and that that the Data Protection Act 1998 (DPA) is fundamentally fit for purpose when it comes to Big Data. In applying the DPA's principles to the issues that arise and providing some practical pointers on how to address them, the paper makes a timely contribution to Big Data management and governance but has fought shy on a number of the more challenging technical and legal issues.

Big Data - Data Protection issues

The report is specific around a number of Big Data use cases for personal data:

"If, for example, information that people have put on social media is going to be used to assess their health risks or their credit worthiness, or to market certain products to them, then unless they are informed of this and asked to give their consent, it is unlikely to be ... fair" (paragraph 69).

More generally, in focusing on how the DPA's principles of fairness (Principle 1), purpose limitation (Principle 3) and data minimisation (Principles 3 and 5) apply in the Big Data world, the report emphasises:

that specific and informed consent must be obtained before data collected for one purpose is analysed for a materially different purpose; that organisations must find the right point to explain the benefits of the analytics, present users with a meaningful choice, and then respect that choice; and just because Big Data analytics involves collecting as much data as possible ('N = all') does not mean that the DPA's data minimisation principles do not apply: "finding a correlation does not retrospectively justify obtaining the data in the first place. Organisations therefore need to be able to articulate at the outset why they need to...