In the face of what is probably significant demand, the ICO announced a few weeks ago that “big data is an issue, and there will be a big data publication shortly”. The ICO will be publishing guidance on the relationship between Data Protection and Big Data, the technique of reusing large data sets to get new information. I probably won’t be camping outside Wycliffe House with a sleeping bag in order to get the very first copy, but Kathryn Wynn, Data protection law specialist at the law firm Pinsent Masons, is very keen and has very clear ideas about exactly what kind of present this is going to turn out to be. But just like the time I thought I was going to get a new bike for Christmas and it turned out to be an office chair (true story), I fear that Wynn may be disappointed.
The most remarkable part of Outlaw’s article about her views comes right at the end, when she states: “What the guidance must not deliver is more questions than answers”. As she is a Data Protection law expert, I can only assume that Wynn is suffering from temporary amnesia. Getting concrete answers out of Wilmslow is one of Information Rights’ enduring parlour games. You get extra points if you can ever get the same answer twice. Ring the helpline, prove me wrong.
Over the years, I’ve come to realise that this isn’t a bad thing. The worst guidance the ICO produces is prescriptive. Too many people in the ICO have never worked anywhere else or haven’t worked out of Wilmslow in a long time, so it’s far better when they define a problem or an objective rather than suggest a detailed solution. The first PIA guidance was a stultifying mess because it laid out a laborious process without ever explaining the point properly. The current code doesn’t tell the reader what to do, but clearly explains the objective. Other codes, like the Data Sharing Code and the current CCTV Code, which is one of the best things the ICO has ever done, follow a similar pattern. They don’t give answers, but they’re very clear on what the questions are.
Some of the areas the ICO covers are more technical, and so sometimes it is possible for them to take a proper stance. The technical guidance on cloud computing and BYOD advice is relatively specific and very good, as is the bracing Direct Marketing guidance. If there’s a problem with these documents, it’s that the audience don’t like the robust messages that they deliver (e.g. you have to have proper contracts with cloud providers, you have to have consent to send emails).
But to go back to Wynn’s demands on Big Data, I think they’re not only unrealistic, they’re also inappropriate. This is the key statement:
“Businesses need practical guidance that explains the steps they need to take to ensure they meet their obligations around transparency in a way that is not overly burdensome and risks stifling innovative new uses of personal data that can ultimately benefit consumers”
Wynn is right that there is a problem. Businesses (and the public sector, let’s not forget) want to analyse personal data that either they or their partners already have in a way that was not intended and which, crucially, they didn’t tell their customers about. There is no legal or contractual obligation that allows this recycling of data, and not a whiff of consent. But the fact that this problem exists does not translate into a requirement that “the ICO’s guidance must provide clarity to businesses on how to stay compliant when seeking to make use of personal data for different purposes than consumers were notified of when the data was originally collected”.
I don’t think that the ICO should be facilitating new business models. I suspect Big Data is inherently privacy invasive and needs careful handling, but the ICO should be independent and neutral even if the proposition is benign. Scepticism wouldn’t be inappropriate. The main thrust of any guidance should be to uphold the DPA. Data Protection does not prevent the use of analytics or Big Data techniques, and I’m certain that some businesses and public sector bodies will successfully marry a Big Data approach with DP compliance. But it isn’t the ICO’s job to assist business to make money, any more than it is their job to support government policy or deliberately interpret the DPA to make it easier for political parties to send unwanted marketing (even though there is evidence of them doing all three). I think the ICO clearly set out to support the care.data programme; if they had kept NHS England and HSCIC at arm’s length and (literally) laid down the law, we probably wouldn’t be in the mess we are today.
The ICO’s job is to be a referee, not a cheerleader. They shouldn’t support the controller or the subject. They don’t even need to compromise or cut corners because the Data Protection principles are already flexible. They’re principles, remember, not rules. Data Controllers don’t need consent all of the time (admittedly, the private sector needs it more often than not). They don’t need to tell people how their data is used all of the time if they can find an exemption, or if they’re willing to say that doing so is ‘disproportionate’, and stand by that decision if challenged.
There is nothing burdensome for Data Controllers in telling the public clearly and simply what they’re doing. Using information in a fair, relevant and transparent way is simple. I think one of the problems with Big Data is that “innovative new uses of personal data” bleed all too easily into profiling and surveillance. But even if I am wrong, data controllers should not seek and must not be given a green light for anything. The ICO default mode should be amber.