Managing Risk

The ICO gets it on Risk

If there is one message that comes out from the ICO’s latest consultation paper Big Data and Data Protection, it is that risk management is a fundamental part of effective data protection.  It is a theme that emerged from its report on Anonymisation and is a result of its principles-based approach to data protection.  This light touch has come under fire from other parts of the EU where a more prescriptive approach is favoured.

The use of large collections of personal data for research, advertising and decision making is becoming increasingly common.  For example, social networking services gather and keep large volumes of transactional data that is aggregated and sold on to advertising networks.  Although effectively anonymised and therefore no longer considered personal data, it may be possible to de-anonymise such data by combining it with other personal data from public sources.  In its report, the ICO suggests a pragmatic approach where the risk of de-anonymisation is assessed so that a judgement can be made which balances the benefits and the risks.  Risks to whom?  The immediate impulse of organisations will be to consider the organisational risks such as loss of reputation, official sanctions such as fines or the risk of being sued by aggrieved individuals.

The report places a great deal of emphasis on tools.  For example, impact assessments have been promoted by the ICO for some time now.  The idea is a good one and could be a useful technique as part of risk assessment – particularly from the perspective of risks to the individual.

Privacy seals were also suggested – again a great idea in principle, but who will manage this?  This could be along the lines of Truste in the United States.  Or perhaps it could be some form of co-regulation as in the advertising industry in the UK, where the government oversees an industry self-regulatory regime.  Bodies such as the Advertising Standards Authority and the Internet Advertising Bureau are already active in the area and provide interesting models for consideration in the coming year, when the ICO plans to consider this more carefully.

The main criticism of the report is the impression it gives that if only there were more tools, data protection would be sorted.  I do not think the ICO itself believes that; tools can only be part of the answer.  For instance, targeted guidance to organisations that collect and use ‘big data’ could refer to tools such as privacy by design or data minimisation as part of the array of responses available for information management.

Far better is the ICO’s focus on principles of risk management, which it refers to throughout the report.  Information risk management is a part of information governance, and it is encouraging to see that the ICO understands that the use of tools and the application of risk management principles should fit within an overall information strategy.

It strikes me that the principles-based approach is the best guarantee that innovations arising from analysis of big data are not smothered by over-regulation and the prescriptive use of a limited tool-box of techniques to address specific aspects of data protection.  Risk can be an effective means of evaluating different approaches and providing a basis for decision-making in the context of an overall strategy.

The ICO report Big Data and Data Protection was published on 4th August 2014.  The ICO seeks comments by 12 September 2014.

About the author

David Haynes

David is a Director of Aspire². His interests lie in metadata, information taxonomies and information governance. He is an experienced PRINCE2 practitioner. David leads courses on his specialist areas and is author of ‘Metadata for Information Management and Retrieval’. He is currently researching the regulation of information at City University, London.