UK organisations dealing in big data have been issued with a list of data protection requirements by the Information Commissioner’s Office [ICO] that link closely to the Data Protection Act [DPA].
The ICO’s Big data and data protection paper sets out a series of guidelines for companies that are handling data and explains the ways in which it expects big data organisations to behave.
“When personal data is being used, organisations must ensure they are complying with their obligations under the Data Protection Act [DPA],” stated the report, leaving no illusions as to what it expects of companies.
One major area flagged up by the ICO is anonymisation of data, which, if done correctly, can lead to data ceasing to be personal. This allows companies to research products and services whilst giving assurances that they are not using data that identifies individuals.
“In a world of multiple data sources effective anonymisation can be challenging and organisations must carry out a robust risk assessment,” noted the ICO.
The ICO carried out its own research on big data between June 2013 and June 2014 and is particularly interested in the area because big data often involves personal data, including data from social media, loyalty cards and sensors in clinical trials.
Another key area that the report covers is the repurposing of personal data, which is when organisations collect data for one reason and then use it for another, or even pass it on to another company to use. The ICO stipulates that in this instance big data organisations must let individuals know when data is being used for different purposes.
Information security must be considered in relation to big data and organisations should treat the data using the same policies that are standard practice for the organisation in question. The ICO also added that the complex nature of big data analytics cannot be used as an excuse for failing to obtain consent.