Last week’s “WannaCry” worldwide ransomware attack was particularly targeted against international health organizations. Though the attack was thwarted, not without a little good luck and with less financial loss than might have been predicted, it unsurprisingly triggered responses from U.S. government agencies including the Department of Homeland Security (DHS) and, with specific reference to health care providers, the Office of Civil Rights (OCR) of the Department of Health & Human Services (HHS). It is also no surprise that these government agencies took a carrot-and-stick approach, speaking about cooperation on one hand and enforcement (by OCR) on the other.
As studies show, data are now considered primary elements for generating “business”, and significant economic and social value is assigned to them.
Today, this phenomenon, commonly known as big data, has become a fundamental tool for a growing number of subjects who, due to the large quantities of data, can pursue an objective with subsequent and more or less foreseeable legal consequences.
Essentially, the protection described in this article is achievable in various ways, some ostensible, others real, but it is universally acknowledged that whoever wants to achieve a goal must minimize the “regulatory” and “normative” impacts in favor of maximizing the effects of data processing on their activity (be aware: we are not referring only to profits).
From the massive use of data and sophisticated analysis emerges one of the most “decisive” threats to the fundamental rights of individuals provided for by Article 8 of the Charter of Fundamental Rights of the European Union. It triggers the so-called bureaucratic overcharge phenomenon, which is tackled with standard formulas, software and applications that computerize ways of thinking which fall far short of banal and lead to results of questionable compliance.
As with any other topic with legal impacts, in order to understand the ramifications of the phenomenon and to face it better, we need to start by evaluating the following variables: the legitimacy of the acquisition of information, the congruence between the purposes for which the data were collected and those for which the data will be processed, and the security measures applied to the information.
Furthermore, we must resist the temptation to start from the end: from data anonymization.
According to various position papers, anonymization is, as is only logical, considered “additional processing”; that is, where big data is involved, anonymization is just one step in a more complex process.
The analysis must make it possible to evaluate the consequences of the “merge” of databases from different sources. It must be considered that in the “reuse era”, the opportunity to gather large quantities of information from different sources has increased exponentially. In addition, individuals and public administrations that release “open data” have neither the opportunity nor the competence to anticipate how the data might be exploited from a business point of view.
Finally, let us not forget that the results of big data activities can, in turn, create innovative services, and as such they should be protected.
Is big data, therefore, an unmanageable phenomenon?
No; like all phenomena, big data can be managed. The legislative framework in which it evolved is not methodologically ready to protect individuals without “compromising the uses and the applications of the big data”. It is, however, possible to balance the bureaucratic hypertrophy with an approach that takes into consideration the necessary effectiveness of the processes.
Our previous experience tells us that, as of today, we resort to a “fictional” approach: we have tried to demonstrate the security and compliance of the processing, making users feel “safe” regardless of how effective that security is. It is proven that when the data security mechanisms “crashed”, or during a check carried out by the Data Protection Authority, the “security” was largely compromised and the risk evaluations were out of focus, revealing a depressing and neglected picture of most of the basic data protection principles.
Conversely, using a rational approach oriented towards privacy by design and following some valuable best-practice instructions, we can reduce the risk. In particular, once the lawful acquisition of the information, the related consent, and the coherence with the specified purpose have been ascertained, we must find a way to reduce the risk of individuals being recognized.
In this sense, an initial and repeated analysis of the context, and of the events and changes that can affect it, can prevent abusive control phenomena such as the re-identification of individuals. This can be done, for example, by introducing higher levels of uncertainty so that certain records can be attributed to more than one person (at least 3 according to the principles of statistical deontology), by eliminating the requirements that cause groups with similar characteristics to be atomistic, or by drowning the profile of the individual in a large number of others for which the characteristics under analysis do not allow a given subject to be isolated. This last activity can be carried out while leaving intact the requirements that refer to a large number of people.
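The uncertainty threshold described above, as an added example that is not part of the original article: it counts how many records share each combination of values, flags records in groups smaller than 3, and drops the attribute whose removal leaves the fewest records at risk. The field names, the sample records, the greedy strategy, and the reading of the article's “requirements” as record attributes are all assumptions made for illustration.

```python
from collections import Counter

K = 3  # minimum number of people a record must be attributable to (from the text)

# Constructed sample records: quasi-identifiers only, no direct identifiers.
RECORDS = [
    {"age_band": "30-39", "region": "North", "job": "nurse"},
    {"age_band": "30-39", "region": "North", "job": "nurse"},
    {"age_band": "30-39", "region": "North", "job": "nurse"},
    {"age_band": "30-39", "region": "North", "job": "surgeon"},
    {"age_band": "40-49", "region": "South", "job": "nurse"},
    {"age_band": "40-49", "region": "South", "job": "clerk"},
    {"age_band": "40-49", "region": "South", "job": "pilot"},
]


def group_sizes(records, attrs):
    """Count how many records share each combination of attribute values."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def records_at_risk(records, attrs, k=K):
    """Number of records that sit in a group smaller than k."""
    return sum(n for n in group_sizes(records, attrs).values() if n < k)


def suppress_until_k(records, attrs, k=K):
    """Greedily drop attributes until no group is smaller than k.

    Each round removes the attribute whose absence leaves the fewest
    records at risk, so attributes shared by many people are kept.
    Returns (kept_attributes, dropped_attributes).
    """
    kept, dropped = list(attrs), []
    while kept and records_at_risk(records, kept, k) > 0:
        def risk_without(attr):
            return records_at_risk(records, [a for a in kept if a != attr], k)
        worst = min(kept, key=risk_without)
        kept.remove(worst)
        dropped.append(worst)
    return kept, dropped


if __name__ == "__main__":
    all_attrs = ["age_band", "region", "job"]
    print("at risk before:", records_at_risk(RECORDS, all_attrs))
    print("kept, dropped:", suppress_until_k(RECORDS, all_attrs))
```

On the constructed data, `job` is the attribute that isolates individuals; once it is suppressed, every remaining group holds at least three records while `age_band` and `region` stay intact.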
In light of what has been stated so far, it must be taken into consideration that these and other measures can allow big data to coexist with the current data protection framework, but the methodical approach is by far more effective than other measures adopted thus far.