Out-Law News

Big data, personal data and financial institutions: some new thoughts from the EU


John Salmon’s Financial Services blog

Financial services sector head John Salmon and the Pinsent Masons financial services sector team bring you insight and analysis on what really matters in the world of financial services.

Much of the proposed EU financial regulatory reform agenda in some way or another seeks to answer one central question – what should be done to compel financial institutions, and the individuals who drive them, to take better decisions?

While lawmakers look to introduce regulation seeking to protect the economy against poor decisions, technology providers have considered the issue from another angle. From the technology perspective, the question to be asked is: how can data best be used to help organisations take better decisions, reduce costs and encourage profitability?

Technology providers are increasingly telling financial institutions that big data analytics can fulfil this purpose and be used for everything from improving operational efficiencies through to informing client engagement and retention strategies. But financial institutions must, of course, be aware of the perimeters which restrict their use of personal data (that is, data which identifies or is capable of identifying individuals).

Recently the Article 29 Working Party, an EU data protection body, published an opinion which sought to clarify the concept of purpose limitation. In doing so, it addressed questions that every financial institution should ask when engaging in a big data analytics project. For what purposes may an organisation use data that it has collected? To what extent must an organisation make those purposes known to the persons who are the subjects of that data? When and in what circumstances can personal data be used in a big data analytics project?

In general, the Working Party made two points:

  1. privacy policies (and other forms of disclosure) and requests for consent to use personal data must not include broad-brush, general statements as to the purposes for which data is collected, such as 'for marketing purposes' or 'for research purposes'; and
  2. before a business can use personal data for a purpose other than that for which it was initially collected, it must assess the compatibility of the new purpose with its original purpose.

The Working Party went further in relation to big data analytics projects and suggested that all such projects fit broadly into two categories. In the first category are those projects which seek to analyse data in order to identify 'trends and correlations'. In the second are queries which lead to the formation of conclusions about individuals.

Projects in the second category are obviously the ones that are more likely to come under close scrutiny from regulators and courts.

Big data and 'trends and correlations'

In relation to the first category of big data analytics projects, the Working Party recommends that businesses take two steps. They must "[1] guarantee the confidentiality and security of the data, and [2] take all necessary technical and organisational measures to ensure functional separation."

Functional separation requires that data used for "statistical purposes or other research purposes" must not also be used to inform "measures or decisions that are taken with regard to the individual data subjects concerned". This would mean that employees commissioned to act on the output of a big data analytics project must have no knowledge of the identities of the persons whose data formed the basis of the insights gained.

The Working Party recognised that while functional separation may be best achieved through the anonymisation of data, full anonymisation is not always possible. Therefore, in order to avoid regulatory complications, a business which seeks to rely on anonymisation as a data protection law compliance measure must demonstrate both that it has effectively anonymised data and that it has considered and regularly revisited the risk of re-identification – the risk of data being matched with other data which causes it to become 'de-anonymised'.

The Working Party suggested that in order to mitigate the risk of re-identification, businesses should consider how effective their "data silo-ing" techniques are, both from a technical perspective and from an organisational one.

Big data and 'personal insights'

In relation to big data analytics projects which seek to "predict the personal preferences, behaviour and attitudes of individual customers", the Working Party stated that "opt-in consent would almost always be required."

It also suggested that further safeguards should be put in place. Data subjects should be given access to any personal profiles that have been created about them. They should also have access "to the logic of the decision-making (algorithm) that led to the development of their profile" and the "decisional criteria" used in creating their profile.

Many financial institutions may find the latter requirements troubling as the Working Party seems to be suggesting that businesses should reveal what, in many cases, will be a valuable asset – trade secrets which underpin big data analytics processes.

While the Working Party is understandably concerned about inaccurate and out-of-date inferences being drawn against individuals, its concerns should not be overstated, particularly in so far as they apply to the financial services sector.

Financial institutions make decisions about individuals every day, sometimes with a full picture, and sometimes without the data necessary to guarantee that an accurate consideration of an individual's personal circumstances has been made. While more sophisticated analysis techniques may open up the possibility for inferences which unfairly discriminate against individuals, they also open up the possibility of more informed decisions being made, which, ultimately, could lead to better outcomes for both consumers and the wider economy.

It is hoped therefore that data protection regulators undertake more consultation work before moving too quickly to compel financial institutions to implement all of the Working Party's opinions.
