In May 2017, the Information and Privacy Commissioner of Ontario (“IPC”) published its Big Data Guidelines (the “Guidelines”). The Guidelines refer to “big data” in the context of managing “combined data sets of linked information about individuals” that is collected indirectly and used for a different purpose than that for which it was collected – activities that conflict with the most basic principles of privacy protection. The IPC’s fact sheet on big data explains that it “has the potential to provide governments with greater insights into the quality and effectiveness of services and programs such as healthcare, social services, public safety and transportation.” However, the IPC also cautions that big data’s collection and use of personal information may give rise to specific privacy and human rights concerns, such as the fact that discrete sets of personal information can be combined to create a larger picture that might amount to surveillance; the creation of permanent databases containing vast quantities of sensitive personal information that could be wrongfully targeted or accessed; poor quality data; use of discriminatory proxies; data set bias, which could lead to discriminatory or inadequate outcomes; and profiling, which could lead to individuals being improperly treated or harmed. The Guidelines point out that many of the information practices involved in big data do not comply with the privacy protections set out in Ontario’s public sector privacy laws (the Freedom of Information and Protection of Privacy Act and Municipal Freedom of Information and Protection of Privacy Act), which pre-date the technology used to conduct big data projects.
The highly technical Guidelines are aimed at government institutions subject to public-sector privacy laws and provide a set of best practices applicable at all stages of any big data project. Examples of best practices discussed in the Guidelines include having research ethics boards or similar bodies review and approve all big data projects; notifying the public about big data projects by publishing information about them on their websites; treating publicly available personal information as if it were non-public; de-identifying any personal information in linked data sets; and taking steps to ensure that information used in data sets is representative of the target population and that it does not use variables (e.g. geography) as proxies for prohibited discrimination. As noted above, the Guidelines raise concerns about big data projects using predictive models to profile individuals and to predict or evaluate their attributes, thus generating a new element of personal information about each individual. People who are profiled may not be aware of it, even though profiling can result in significant decisions being made about them. Profiling can also lead to false predictions that can significantly harm individuals, who may be denied services or benefits as a result.
In this regard, the Guidelines recommend that individuals whose personal information may be subject to profiling be notified appropriately and that consultations be conducted with the public and with civil society organizations to evaluate the effects of these projects on people’s lives and the community.
