The Harsh Reality Behind Big Data Misuse

Big Data has its origin in science, but it is now being used commercially to increase the information that organizations have about people. This information can uniquely identify individuals and reveal their likes, habits, propensities and wealth. The power of this information is so great that legislation on its use is having to become more and more restrictive. Before dismissing this as tiresome and unnecessary, consider that the misuse of personal data is immoral, illegal and can have a devastating effect on peoples’ lives. Let me offer just one example.

In the past few years, it has been revealed that a large number of UK charities, at one time as many as one hundred, adopted a ‘Reciprocate’ scheme, where they shared with other charities their list of donors, including their names, addresses, and donation histories. They sent these supplemented lists to ‘wealth management’ companies, who would investigate a donor’s income, property values, lifestyle, and even friendship circles, and return to the charity an estimate of each donors’ wealth and disposable income. This allowed charities to identify those donors who should be given high priority to be ‘targeted’, as well as those most likely to leave money in their wills (‘legacy profiling’). Some charities even employed people to visit donors in care homes to persuade them to change their wills.

Much of this activity came to light during the investigation that followed the suicide of one donor, Olive Cooke, who leapt into the Avon gorge. A report into her death concluded that she had become “distressed and overwhelmed” by the huge number of requests for donations she received from charities. Twenty-four out of the ninety-nine charities with her details on file had passed them on to others. In almost every case investigated, they had no active permission to do this, and assumed they could do so because she had not “proactively opted out” of data sharing.

The subsequent investigation by the British government and ICO revealed the extent of the abuse of this data. For example, during the period January 2012-July 2015, the British Heart Foundation was fined for distributing the details of 552,092 donors, via a ‘Reciprocate’ scheme, to forty other charities, and also for sending an estimated five million records to wealth management companies. The Royal Society for the Prevention of Cruelty to Animals (RSPCA) also shared between 100,000 and 800,000 records a year in a ‘reciprocate’ scheme, even including donors who had expressly opted out.

This is just one example of the abuse of Big Data, and it happened in an industry that is regulated jointly by the Charity Commission and the Institute of Fundraising, the latter publishing a Code of Practice that makes the charities’ excuse that they simply “didn’t know” difficult to maintain.

The EUs General Data Protection Regulation was adopted by all EU members in 2016. It enters into application in May 2018 and will enter into British law, Brexit notwithstanding. In Europe, this tightens up enormously the law on personal information.

How does all of this affect the IT professional? It likely means that any organization that handles such data will need to employ a Data Protection Officer, charged with retaining an expert knowledge of data protection law and practices and ensuring that the organization complies. This includes understanding the implications of the Re-use of Public Sector Information Regulations 2015 (RPSI), the Data Protection Act (the DPA), the Freedom of Information Act (FOIA), and many others. If they plan to use personal information in a website, they must comply with the Privacy and Electronic Communications Regulations (PECR). Database administrators have to report every breach of security that exposes personal information to the ICO, notify any affected customers, and record details in a breach log. If they don’t, then their organization will be fined. There will be plenty of willingness to comply, seeing that serious breaches will be fined up to 20,000,000 Euros. Yes, the European IT professional who is responsible for personal data will be becoming very used to having to work with a Data Protection Officer.

It is hard to predict whether the regulations on personal data in the States will be tightened up to anywhere near European levels. In the long-term, it is very likely. Personally, I hope so, because when this data is misused, as organizations seek to exploit it to maximize their income or exert influence over people, or breaches occur due to improper handling (see Ashley Madison), then real people’s lives are seriously affected.

Commentary Competition

Enjoyed the topic? Have a relevant anecdote? Disagree with the author? Leave your two cents on this post in the comments below, and our favourite response will win a $50 Amazon gift card. The competition closes two weeks from the date of publication, and the winner will be announced in the next Simple Talk newsletter.

  • 1641 views

  • Rate
    [Total: 7    Average: 5/5]
  • DQ Testing

    Thanks. Very interesting article.

  • Steve Hicks

    It saddens me to read stories like the one about Olive Cooke. These policy gaps are inevitable, but we can at least try to be agile in our response to them. It’s just too bad that people have to suffer (or worse) until somebody gives a hoot. As for the Data Protection Officer, this can mean more jobs, but it does add yet another level of complexity to our lives. Regulatory constraints may eventually go the way of the IRS tax code, making it quite a challenge to make heads or tails of it all. I of course ask this rhetorically…Is it too much to ask for people just to have common sense and do the right thing?

    • Kay J. Suarez

      The “complexity” you refer to is diligence—a practice that seems to have been long forgotten in our global race to innovation. More, more, more. Faster, faster, faster.

  • tomwoolf

    “It is hard to predict whether the regulations on personal data in the States will be tightened up to anywhere near European levels”?!?

    It’s very easy to predict that (even before the current administration) – NO, the United States will not tighten up data sharing rules anywhere near to the European level. We’ve always been years behind Europe when it comes to consumer protection (and that is what this will fall into). :-/

  • rogerthat

    Heartbreaking, but extremely convincing example.

    On a much less heavy note, have you noticed how much more junk mail you get that targets your current standing on your automobile loans and other finances? I recently paid off one of our vehicles and within 2 weeks received a dealer offer that had the current year of the same make and model.

    The cynic / developer part of my brain is quick to suggest these protective efforts will fail to stop the real criminals and make life difficult
    for the non-criminals as most “barn locking” laws do.

    If someone can think of a way that this law could generate lots of money (e.g., tire pressure sensors or chips in cards) I think this law would pass in the US. Until then, I don’t think it will gain much traction as the abuse of such data is generating large marketing opportunities.

  • Keith Rowley

    Big data is such a loose term, I wonder if what you are describing even counts as “big” data and isn’t simply a problem with “normal” routine data. “Big” data has even more problems for privacy as companies start to be able to identify people across computers just by their browsing habits or even worse by patterns in the way they type.