By Dr Christina Lienen
The Information Commissioner’s Office (ICO) launched a toolkit this week aimed at organisations, including local authorities, who are considering implementing data analytics into the running of their operations and services. The idea behind the toolkit is to assist its users in recognising some of the central risks to the rights and freedoms of individuals that are created by the use of data analytics. In what follows, I summarise the basic functions and aims of the toolkit, and explain its potential relevance for local authorities’ data processing regimes.
What are data analytics? You may well ask. The ICO defines data analytics as “the use of software to automatically discover patterns in data sets (where those data sets contain personal data) and use them to make predictions, classifications, or risk scores.” This is commonly done through algorithms, including the use of AI, an advanced form of algorithm. Think the development of models for improved accuracy of local service information to support the Government’s tackling loneliness strategy.
If applied correctly, the potential benefits of data analytics can be significant in terms of efficiency, financial savings and effective enforcement in areas a divergent as early intervention in children and social care services on the one hand and identifying properties possibly paying incorrect amounts of business rates on the other.
How the toolkit works
The toolkit begins by asking its users questions to determine the legal regime they will be processing personal data under, offering a choice between general processing under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) and law enforcement processing under the DPA. Once the appropriate parts of the toolkit is determined on the basis of this initial differentiation, users are asked a series of questions around four themes which many of its users will already be at least vaguely familiar with: lawfulness of processing (including the importance of special category data), accountability and governance, the six data protection principles, and data subject rights.
Once completed, the toolkit produces a short report containing tailored advice and suggestions for data analytics projects. Users are at this stage also provided with links to additional guidance that may help them improve their data protection compliance.
The toolkit is anonymous, and the answers provided are not visible to, or retained by, the ICO.
Benefits and remaining risks
The toolkit directs its users’ minds to the type of questions they ought to be actively engaging with when designing a data processing project based on data analytics. As such, it will be helpful to both confident data protection officers who want to cross-check their systems against what the ICO thinks ought to be considered and those who are looking for assistance on how to start designing a data driven project from scratch.
As you may know, risk analysis & management and transparency are central to achieving and demonstrating GDPR and DPA compliance. Assessing risks in the context of processing activities forms part of an entity’s responsibility as data controller (Article 24 GDPR). As such, the launch of the toolkit is welcome because it facilitates a conscientious and educational engagement with the risks involved from a data protection point of view.
Of course, other potential risks arise, including data security, technological literacy, and the eradication of biases within algorithms. The lack of transparency and privacy are also often raised as concerns. All of these must be properly considered and addressed for data analytics to be lawful and ethical.
In summary, the toolkit may help local authorities to address transparency and privacy concerns and to take a proactive approach towards risk management. Though not, as the ICO itself cautions, “a pathway to absolute compliance with data protection law”, it is a helpful step towards it.