Earlier this year, the Information Commissioner’s Office (ICO) described the combination of big data, artificial intelligence and machine learning as ‘big data analytics’. The ICO also marked this trio as distinct from traditional data processing. But which distinctions concern the ICO?
The report from March 2017 ‘Big data, artificial intelligence, machine learning and data protection’ sets out guidance and recommendations to address the privacy concerns of this type of data processing. There are apparently nine data protection principles threatened by the use of artificial intelligence to process big data.
1. Big data analytics must be fair
The requirement for data processing to be fair means that the effects on data subjects must be limited and unobtrusive. For example, in 2015 a female doctor wasn’t allowed entry to a female gym changing room as the automatic security system had assumed that she was male (being called ‘Dr’). It’s this sort of processing which unfairly discriminates against data subjects.
“assessing fairness also involves looking at the effects of the processing on individuals, and their expectations as to how their data will be used”
The complex nature of processing might also impact the transparency requirement of the Data Protection Act (DPA) – a fair processing notice is recommended. Making consumers aware of how and when their data might be collected for processing will help build trust between businesses and consumers.
2. Permission to process
Big data inherently comes paired with consent issues – the General Data Protection Regulation (GDPR) will require “unambiguous” consent. The consent must be given in a “clear affirmative action”. This is no small feat when taking into consideration how many subjects might be involved and how the complex processing might be explained to them.
Graduated consent could provide an innovative solution here. Allowing subjects to opt in at the points when data is collected, throughout the relationship between service provider and consumer, overcomes the binary nature of ‘opt-in or not at all’ forms. At the exact point when an app wants to share information with a third party, the user can be given a ‘just in time’ notification to gain their consent. This targeted consent will likely be better informed too.
3. Purpose limitation
Data protection principles require that any further processing (which is not directly consented to) must not be incompatible with the original purpose. Big data analytics often leads to the finding of unexpected correlations – this may in turn lead to data being used for new purposes.
4. Holding onto data
The concept of data minimisation underpins data protection legislation. However, when artificial intelligence is applied to data, the scope of analysis is usually much greater – why analyse a sample of a data set when you could easily analyse it all?
“in a study of businesses in the UK, France and Germany, 72% said they had gathered data they did not subsequently use”
When data sets are large, incorrect data might be passed over or dismissed. Secondly, big data might not represent a general population – analysing all of a data set doesn’t mean that certain groups weren’t originally excluded or underrepresented. Finally, hidden biases might be carried over from big data analysis results. Applying results to individuals in order to profile them might lead to inaccurate assumptions about them.
6. Individual rights: data accessibility
The benefits of big data, namely its volume, variety and complexity, pose data protection implications yet again. The DPA requires that individuals should be allowed to access their personal data. However, there is one positive outcome noted here: if organisations make the move to big data, they might undertake the process of bringing together disparate data stores. This could make it easier to locate data on an individual in the event of a subject access request.
7. Security measures and risks
Whilst positioning big data analytics as a useful tool for analysing security risks, the ICO contrasts this by highlighting its drawbacks. Large data sets and the nature of big data processing can throw up specific information security threats.
The GDPR contains several additional provisions promoting accountability. The context of big data processing (in that it can be experimental, without a defined hypothesis or business need) might cause problems when complying with these provisions. For example, organisations with over 250 employees must maintain records of data processing activities. Additionally, erroneous algorithmic decisions based on biased profiling throw up accountability issues.
9. Controllers and processors
If artificial intelligence is analysing the data – who is processing it? This question isn’t as rhetorical as it appears to be – the issue lies in establishing if a third party provider of artificial intelligence is the processor or controller.
“in a forthcoming article on the transfer of data from the Royal Free London NHS Foundation Trust to Google DeepMind, Julia Powles argues that, despite assertions to the contrary, DeepMind is actually a joint data controller as opposed to a data processor”
If the analytics provider has the power to decide what data to collect and how to apply analytical techniques on behalf of another, it is likely to be the data controller as well as the processor.