Big Data has its origin in science, but it is now being used commercially to increase the information that organizations have about people. This information can uniquely identify individuals and reveal their likes, habits, propensities and wealth. The power of this information is so great that legislation on its use is having to become more and more restrictive. Before dismissing this as tiresome and unnecessary, consider that the misuse of personal data is immoral, illegal and can have a devastating effect on people’s lives. Let me offer just one example.
In the past few years, it has been revealed that a large number of UK charities, at one time as many as one hundred, adopted a ‘Reciprocate’ scheme, where they shared with other charities their list of donors, including their names, addresses, and donation histories. They sent these supplemented lists to ‘wealth management’ companies, who would investigate a donor’s income, property values, lifestyle, and even friendship circles, and return to the charity an estimate of each donor’s wealth and disposable income. This allowed charities to identify those donors who should be given high priority to be ‘targeted’, as well as those most likely to leave money in their wills (‘legacy profiling’). Some charities even employed people to visit donors in care homes to persuade them to change their wills.
Much of this activity came to light during the investigation that followed the suicide of one donor, Olive Cooke, who leapt into the Avon gorge. A report into her death concluded that she had become “distressed and overwhelmed” by the huge number of requests for donations she received from charities. Twenty-four out of the ninety-nine charities with her details on file had passed them on to others. In almost every case investigated, they had no active permission to do this, and assumed they could do so because she had not “proactively opted out” of data sharing.
The subsequent investigation by the British government and ICO revealed the extent of the abuse of this data. For example, during the period January 2012-July 2015, the British Heart Foundation was fined for distributing the details of 552,092 donors, via a ‘Reciprocate’ scheme, to forty other charities, and also for sending an estimated five million records to wealth management companies. The Royal Society for the Prevention of Cruelty to Animals (RSPCA) also shared between 100,000 and 800,000 records a year in a ‘reciprocate’ scheme, even including donors who had expressly opted out.
This is just one example of the abuse of Big Data, and it happened in an industry that is regulated jointly by the Charity Commission and the Institute of Fundraising, the latter publishing a Code of Practice that makes the charities’ excuse that they simply “didn’t know” difficult to maintain.
The EU’s General Data Protection Regulation was adopted by all EU members in 2016. It enters into application in May 2018 and will enter into British law, Brexit notwithstanding. This enormously tightens up the law on personal information in Europe.
How does all of this affect the IT professional? It likely means that any organization that handles such data will need to employ a Data Protection Officer, charged with retaining an expert knowledge of data protection law and practices and ensuring that the organization complies. This includes understanding the implications of the Re-use of Public Sector Information Regulations 2015 (RPSI), the Data Protection Act (the DPA), the Freedom of Information Act (FOIA), and many others. If they plan to use personal information in a website, they must comply with the Privacy and Electronic Communications Regulations (PECR). Database administrators have to report every breach of security that exposes personal information to the ICO, notify any affected customers, and record details in a breach log. If they don’t, then their organization will be fined. There will be plenty of willingness to comply, seeing that serious breaches will be fined up to 20,000,000 Euros. Yes, the European IT professional who is responsible for personal data will become very used to having to work with a Data Protection Officer.
It is hard to predict whether the regulations on personal data in the States will be tightened up to anywhere near European levels. In the long term, it is very likely. Personally, I hope so, because when this data is misused, as organizations seek to exploit it to maximize their income or exert influence over people, or breaches occur due to improper handling (see Ashley Madison), then real people’s lives are seriously affected.