Increasingly businesses are using very large data sets in order to better target advertising or marketing efforts, obtain general market or sector insights and spot trends. The term “big data” has no precise definition but it is generally held (in IT circles) to refer to very large data sets which require specific tools or methods to process.
There is also a wider meaning, which is the sense in which I am using the term, which refers to the use of large sets of data in non-traditional ways or for a purpose which is not the main reason for collecting the data.
To give an example from the accountancy profession the primary purpose of payroll data held by accountants (or their payroll subsidiaries or divisions) is to ensure the appropriate calculation and payment of tax and national insurance due for a given client and its workforce. However this data, when aggregated over a period for several clients, can also be used to reach conclusions about salary trends or for insight into hours worked or when the peak holiday or sickness periods arise. This information can be passed on to clients as part of an enhanced service or even potentially licensed to subscribers or third parties.
So, if this represents an opportunity for accountants, are there any regulatory issues? It will not surprise anyone to hear that there are potential issues with data protection regulation nor that this is a rapidly developing area and that many believe that regulators are not catching up or adapting to these developments particularly quickly.
As many will be aware the basic framework for data protection legislation in the UK is the Data Protection Act 1998, which implements a European data protection directive. European data protection law is shortly due to be updated but the basic framework will remain in place.
The most important rule in European data protection regulation (including under the UK Data Protection Act) is that consent from the data subject is required in order to process ‘personal data’. Personal data is data which refers to an identifiable individual. Personal data does not have to have a name attached – it is enough that an individual could be identified from the information.
Note that consent has to be obtained for the specific processing of the data which occurs.
Accountants are often using third party data which is delivered by clients and have not obtained the necessary consents themselves. If a firm wishes to subject this data to further analysis care needs to be taken to ensure that consents are in place as analysis for a different purpose other than that in mind when the data was collected could amount to unlawful ‘processing’ of personal data.
Using the payroll data example if a client business had a general consent in its employee handbook allowing the processing of data for the purposes of payroll, this would not necessarily allow the client (or its advisors) to process the data for other purposes.
There is a potential work-around for this issue. The European Commission Article 29 Working Party (which is a body which helps to interpret EU data protection law and recommend changes), has concluded that if ‘safeguards’ are put in place, it may be possible to process “big data” without further consents if the data subjects are not directly affected.
Essentially these safeguards require stripping the information of any personally identifiable traits (such that the data cease to be ‘personal data’) and ensuring that there are appropriate firewalls in place. The data must be processed in a ‘functionally separate’ way and confidentiality and security must be guaranteed.
There are also potential contractual, confidentiality and intellectual property issues. To the extent that the data supplied to an accountant is confidential the adviser will owe a duty of confidentiality to its client. Where effort has been made by the client to assemble data into a database, there will also be copyright and database rights attaching to the information, which will belong to the client. In most cases therefore consent will also be required from the client who supplied the data.
Any firms wishing to take advantage of the potential opportunities of ‘big data’ should:
• Check the consents which have been obtained for the data;
• Obtain the consent of the client to the processing of the data and aggregation of the client data with other data;
• If there is no specific consent from the data subject, ensure that the data analysis is carried out entirely separately from ‘standard’ processing and that personally identifiable information is removed;
• Put in place strict security and confidentiality safeguards.
Guy Wilmot is a partner in the Corporate & Commercial Team at Russell-Cooke